PS: Add a read step out of property name parameter nodes.

MathiasVP · MathiasVP · commit fad91333432a · 2024-10-15T16:09:32.000+01:00
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll
@@ -84,7 +84,9 @@ module SsaFlow {
   }
 
   predicate localFlowStep(SsaImpl::DefinitionExt def, Node nodeFrom, Node nodeTo, boolean isUseStep) {
-    Impl::localFlowStep(def, asNode(nodeFrom), asNode(nodeTo), isUseStep)
+    Impl::localFlowStep(def, asNode(nodeFrom), asNode(nodeTo), isUseStep) and
+    // Flow out of property name parameter nodes are covered by `readStep`.
+    not nodeFrom instanceof PipelineByPropertyNameParameter
   }
 
   predicate localMustFlowStep(SsaImpl::DefinitionExt def, Node nodeFrom, Node nodeTo) {
@@ -485,7 +487,7 @@ private module ParameterNodes {
               )
         )
         or
-        parameter.isPipeline() and
+        (parameter.isPipeline() or parameter.isPipelineByPropertyName()) and
         pos.isPipeline()
       )
     }
@@ -498,6 +500,12 @@ private module ParameterNodes {
 
     override string toStringImpl() { result = parameter.toString() }
   }
+
+  class PipelineByPropertyNameParameter extends NormalParameterNode {
+    PipelineByPropertyNameParameter() { this.getParameter().isPipelineByPropertyName() }
+
+    string getPropretyName() { result = this.getParameter().getName() }
+  }
 }
 
 import ParameterNodes
@@ -749,6 +757,13 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
     node1.(ProcessNode).getIteratorVariable() = def.getSourceVariable() and
     SsaImpl::firstRead(def, node2.asExpr())
   )
+  or
+  exists(Content::KnownElementContent ec, SsaImpl::DefinitionExt def |
+    c.isSingleton(ec) and
+    node1.(PipelineByPropertyNameParameter).getPropretyName() = ec.getIndex().asString() and
+    def.getSourceVariable() = node1.(PipelineByPropertyNameParameter).getParameter() and
+    SsaImpl::firstRead(def, node2.asExpr())
+  )
 }
 
 /**
@@ -777,6 +792,11 @@ predicate expectsContent(Node n, ContentSet c) {
   or
   n instanceof ProcessNode and
   c.isAnyElement()
+  or
+  exists(Content::KnownElementContent ec |
+    ec.getIndex().asString() = n.(PipelineByPropertyNameParameter).getPropretyName() and
+    c.isSingleton(ec)
+  )
 }
 
 class DataFlowType extends TDataFlowType {

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,9 @@ module SsaFlow {`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	`predicate localFlowStep(SsaImpl::DefinitionExt def, Node nodeFrom, Node nodeTo, boolean isUseStep) {`
`87`		`- Impl::localFlowStep(def, asNode(nodeFrom), asNode(nodeTo), isUseStep)`
	`87`	`+ Impl::localFlowStep(def, asNode(nodeFrom), asNode(nodeTo), isUseStep) and`
	`88`	+ // Flow out of property name parameter nodes are covered by `readStep`.
	`89`	`+ not nodeFrom instanceof PipelineByPropertyNameParameter`
`88`	`90`	`}`
`89`	`91`
`90`	`92`	`predicate localMustFlowStep(SsaImpl::DefinitionExt def, Node nodeFrom, Node nodeTo) {`
`@@ -485,7 +487,7 @@ private module ParameterNodes {`
`485`	`487`	`)`
`486`	`488`	`)`
`487`	`489`	`or`
`488`		`- parameter.isPipeline() and`
	`490`	`+ (parameter.isPipeline() or parameter.isPipelineByPropertyName()) and`
`489`	`491`	`pos.isPipeline()`
`490`	`492`	`)`
`491`	`493`	`}`
`@@ -498,6 +500,12 @@ private module ParameterNodes {`
`498`	`500`
`499`	`501`	`override string toStringImpl() { result = parameter.toString() }`
`500`	`502`	`}`
	`503`	`+`
	`504`	`+ class PipelineByPropertyNameParameter extends NormalParameterNode {`
	`505`	`+ PipelineByPropertyNameParameter() { this.getParameter().isPipelineByPropertyName() }`
	`506`	`+`
	`507`	`+ string getPropretyName() { result = this.getParameter().getName() }`
	`508`	`+ }`
`501`	`509`	`}`
`502`	`510`
`503`	`511`	`import ParameterNodes`
`@@ -749,6 +757,13 @@ predicate readStep(Node node1, ContentSet c, Node node2) {`
`749`	`757`	`node1.(ProcessNode).getIteratorVariable() = def.getSourceVariable() and`
`750`	`758`	`SsaImpl::firstRead(def, node2.asExpr())`
`751`	`759`	`)`
	`760`	`+ or`
	`761`	`+ exists(Content::KnownElementContent ec, SsaImpl::DefinitionExt def \|`
	`762`	`+ c.isSingleton(ec) and`
	`763`	`+ node1.(PipelineByPropertyNameParameter).getPropretyName() = ec.getIndex().asString() and`
	`764`	`+ def.getSourceVariable() = node1.(PipelineByPropertyNameParameter).getParameter() and`
	`765`	`+ SsaImpl::firstRead(def, node2.asExpr())`
	`766`	`+ )`
`752`	`767`	`}`
`753`	`768`
`754`	`769`	`/**`
`@@ -777,6 +792,11 @@ predicate expectsContent(Node n, ContentSet c) {`
`777`	`792`	`or`
`778`	`793`	`n instanceof ProcessNode and`
`779`	`794`	`c.isAnyElement()`
	`795`	`+ or`
	`796`	`+ exists(Content::KnownElementContent ec \|`
	`797`	`+ ec.getIndex().asString() = n.(PipelineByPropertyNameParameter).getPropretyName() and`
	`798`	`+ c.isSingleton(ec)`
	`799`	`+ )`
`780`	`800`	`}`
`781`	`801`
`782`	`802`	`class DataFlowType extends TDataFlowType {`