PS: Flow through string interpolation.

MathiasVP · MathiasVP · commit 5a715c7d11d4 · 2024-11-08T16:01:23.000Z
diff --git a/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll b/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll
@@ -565,6 +565,22 @@ module ExprNodes {
 
     final ExprCfgNode getAnOperand() { e.hasCfgChild(this.getExpr().getAnOperand(), this, result) }
   }
+
+  class ExpandableStringChildMappinig extends ExprChildMapping, ExpandableStringExpr {
+    override predicate relevantChild(Ast n) { n = this.getAnExpr() }
+  }
+
+  class ExpandableStringCfgNode extends ExprCfgNode {
+    override string getAPrimaryQlClass() { result = "ExpandableStringCfgNode" }
+
+    override ExpandableStringChildMappinig e;
+
+    override ExpandableStringExpr getExpr() { result = e }
+
+    ExprCfgNode getExpr(int i) { e.hasCfgChild(e.getExpr(i), this, result) }
+
+    ExprCfgNode getAnExpr() { result = this.getExpr(_) }
+  }
 }
 
 module StmtNodes {
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll
@@ -469,7 +469,9 @@ class CallNode extends AstNode {
 
 /** A call to operator `&`, viwed as a node in a data flow graph. */
 class CallOperatorNode extends CallNode {
-  CallOperatorNode() { this.getCallNode() instanceof CfgNodes::StmtNodes::CallOperatorCfgNode }
+  override CfgNodes::StmtNodes::CallOperatorCfgNode call;
+
+  Node getCommand() { result.asExpr() = call.getCommand() }
 }
 
 /** A use of a type name, viewed as a node in a data flow graph. */
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/TaintTrackingPrivate.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/TaintTrackingPrivate.qll
@@ -34,11 +34,18 @@ private module Cached {
   cached
   predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, string model) {
     (
+      // Flow from an operand to an operation
       exists(CfgNodes::ExprNodes::OperationCfgNode op |
         op = nodeTo.asExpr() and
         op.getAnOperand() = nodeFrom.asExpr()
       )
       or
+      // Flow through string interpolation
+      exists(CfgNodes::ExprNodes::ExpandableStringCfgNode es |
+        nodeFrom.asExpr() = es.getAnExpr() and
+        nodeTo.asExpr() = es
+      )
+      or
       // Although flow through collections is modeled precisely using stores/reads, we still
       // allow flow out of a _tainted_ collection. This is needed in order to support taint-
       // tracking configurations where the source is a collection.

Original file line number	Diff line number	Diff line change
`@@ -469,7 +469,9 @@ class CallNode extends AstNode {`
`469`	`469`
`470`	`470`	/** A call to operator `&`, viwed as a node in a data flow graph. */
`471`	`471`	`class CallOperatorNode extends CallNode {`
`472`		`- CallOperatorNode() { this.getCallNode() instanceof CfgNodes::StmtNodes::CallOperatorCfgNode }`
	`472`	`+ override CfgNodes::StmtNodes::CallOperatorCfgNode call;`
	`473`	`+`
	`474`	`+ Node getCommand() { result.asExpr() = call.getCommand() }`
`473`	`475`	`}`
`474`	`476`
`475`	`477`	`/** A use of a type name, viewed as a node in a data flow graph. */`