PS: Add read step for 'foreach' statements.

MathiasVP · MathiasVP · commit 5692eb000152 · 2025-09-23T14:59:27.000+01:00
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll
@@ -1078,6 +1078,17 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
     node2 = TProcessPropertyByNameNode(p, true)
   )
   or
+  // Read from a collection into a `foreach` loop
+  exists(
+    CfgNodes::StmtNodes::ForEachStmtCfgNode forEach, Content::KnownElementContent ec, BasicBlock bb,
+    int i
+  |
+    c.isKnownOrUnknownElement(ec) and
+    node1.asExpr() = forEach.getIterableExpr() and
+    bb.getNode(i) = forEach.getVarAccess() and
+    node2.asDefinition().definesAt(_, bb, i)
+  )
+  or
   // Summary read steps
   FlowSummaryImpl::Private::Steps::summaryReadStep(node1.(FlowSummaryNode).getSummaryNode(), c,
     node2.(FlowSummaryNode).getSummaryNode())
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll
@@ -1,6 +1,7 @@
 private import powershell
 private import DataFlowDispatch
 private import DataFlowPrivate
+private import semmle.code.powershell.dataflow.Ssa
 private import semmle.code.powershell.typetracking.internal.TypeTrackingImpl
 private import semmle.code.powershell.ApiGraphs
 private import semmle.code.powershell.Cfg
@@ -13,6 +14,9 @@ class Node extends TNode {
   /** Gets the expression corresponding to this node, if any. */
   CfgNodes::ExprCfgNode asExpr() { result = this.(ExprNode).getExprNode() }
 
+  /** Gets the definition corresponding to this node, if any. */
+  Ssa::Definition asDefinition() { result = this.(SsaDefinitionNodeImpl).getDefinition() }
+
   ScriptBlock asCallable() { result = this.(CallableNode).asCallableAstNode() }
 
   /** Gets the parameter corresponding to this node, if any. */
diff --git a/powershell/ql/test/library-tests/dataflow/fields/test.expected b/powershell/ql/test/library-tests/dataflow/fields/test.expected
@@ -83,6 +83,10 @@ edges
 | test.ps1:88:1:88:5 | [post] hash [b] | test.ps1:89:6:89:10 | hash [b] | provenance |  |
 | test.ps1:88:11:88:21 | Call to source | test.ps1:88:1:88:5 | [post] hash [b] | provenance |  |
 | test.ps1:89:6:89:10 | hash [b] | test.ps1:89:6:89:12 | b | provenance |  |
+| test.ps1:91:9:91:10 | a | test.ps1:92:10:92:11 | a | provenance |  |
+| test.ps1:91:15:91:36 | ...,... [element 2] | test.ps1:91:9:91:10 | a | provenance |  |
+| test.ps1:91:21:91:33 | (...) | test.ps1:91:15:91:36 | ...,... [element 2] | provenance |  |
+| test.ps1:91:22:91:32 | Call to source | test.ps1:91:21:91:33 | (...) | provenance |  |
 nodes
 | test.ps1:3:1:3:2 | [post] a [f] | semmle.label | [post] a [f] |
 | test.ps1:3:8:3:17 | Call to source | semmle.label | Call to source |
@@ -179,9 +183,13 @@ nodes
 | test.ps1:88:11:88:21 | Call to source | semmle.label | Call to source |
 | test.ps1:89:6:89:10 | hash [b] | semmle.label | hash [b] |
 | test.ps1:89:6:89:12 | b | semmle.label | b |
+| test.ps1:91:9:91:10 | a | semmle.label | a |
+| test.ps1:91:15:91:36 | ...,... [element 2] | semmle.label | ...,... [element 2] |
+| test.ps1:91:21:91:33 | (...) | semmle.label | (...) |
+| test.ps1:91:22:91:32 | Call to source | semmle.label | Call to source |
+| test.ps1:92:10:92:11 | a | semmle.label | a |
 subpaths
 testFailures
-| test.ps1:92:13:92:31 | # $ hasValueFlow=18 | Missing result: hasValueFlow=18 |
 #select
 | test.ps1:4:6:4:9 | f | test.ps1:3:8:3:17 | Call to source | test.ps1:4:6:4:9 | f | $@ | test.ps1:3:8:3:17 | Call to source | Call to source |
 | test.ps1:11:6:11:13 | ...[...] | test.ps1:10:12:10:21 | Call to source | test.ps1:11:6:11:13 | ...[...] | $@ | test.ps1:10:12:10:21 | Call to source | Call to source |
@@ -209,3 +217,4 @@ testFailures
 | test.ps1:83:6:83:15 | ...[...] | test.ps1:79:7:79:17 | Call to source | test.ps1:83:6:83:15 | ...[...] | $@ | test.ps1:79:7:79:17 | Call to source | Call to source |
 | test.ps1:87:6:87:15 | ...[...] | test.ps1:79:7:79:17 | Call to source | test.ps1:87:6:87:15 | ...[...] | $@ | test.ps1:79:7:79:17 | Call to source | Call to source |
 | test.ps1:89:6:89:12 | b | test.ps1:88:11:88:21 | Call to source | test.ps1:89:6:89:12 | b | $@ | test.ps1:88:11:88:21 | Call to source | Call to source |
+| test.ps1:92:10:92:11 | a | test.ps1:91:22:91:32 | Call to source | test.ps1:92:10:92:11 | a | $@ | test.ps1:91:22:91:32 | Call to source | Call to source |
