PS: Add intermediate api graph nodes for 'New-Object' calls similar to what we have for type name expressions.

MathiasVP · MathiasVP · commit b3e1f57ec8b4 · 2026-01-21T17:15:02.000Z
diff --git a/powershell/ql/lib/semmle/code/powershell/ApiGraphs.qll b/powershell/ql/lib/semmle/code/powershell/ApiGraphs.qll
@@ -369,7 +369,7 @@ module API {
 
     final predicate isImplicit() { not this.isExplicit(_) }
 
-    predicate isExplicit(DataFlow::TypeNameNode typeName) { none() }
+    predicate isExplicit(DataFlow::Node node) { none() }
   }
 
   final class TypeNameNode = AbstractTypeNameNode;
@@ -392,8 +392,8 @@ module API {
       )
     }
 
-    final override predicate isExplicit(DataFlow::TypeNameNode typeName) {
-      Specific::needsExplicitTypeNameNode(typeName, prefix)
+    final override predicate isExplicit(DataFlow::Node node) {
+      Specific::needsExplicitTypeNameNode(node, prefix)
     }
   }
 
@@ -424,6 +424,18 @@ module API {
     }
   }
 
+  class NewObjectTypeNameNode extends AbstractTypeNameNode, Impl::MkNewObjectTypeNameNode {
+    NewObjectTypeNameNode() { this = Impl::MkNewObjectTypeNameNode(prefix) }
+
+    final override Node getSuccessor(string name) {
+      result = Impl::MkNewObjectTypeNameNode(prefix + "." + name)
+    }
+
+    final override predicate isExplicit(DataFlow::Node node) {
+      Specific::needsNewObjectTypeNameNode(node, prefix)
+    }
+  }
+
   /**
    * An API entry point.
    *
@@ -517,6 +529,7 @@ module API {
       MkMethodAccessNode(DataFlow::CallNode call) or
       MkExplicitTypeNameNode(string prefix) { Specific::needsExplicitTypeNameNode(_, prefix) } or
       MkImplicitTypeNameNode(string prefix) { Specific::needsImplicitTypeNameNode(prefix) } or
+      MkNewObjectTypeNameNode(string prefix) { Specific::needsNewObjectTypeNameNode(_, prefix) } or
       MkForwardNode(DataFlow::LocalSourceNode node, TypeTracker t) { isReachable(node, t) } or
       /** Intermediate node for following backward data flow. */
       MkBackwardNode(DataFlow::LocalSourceNode node, TypeTracker t) { isReachable(node, t) } or
diff --git a/powershell/ql/lib/semmle/code/powershell/frameworks/data/internal/ApiGraphModelsSpecific.qll b/powershell/ql/lib/semmle/code/powershell/frameworks/data/internal/ApiGraphModelsSpecific.qll
@@ -101,6 +101,16 @@ predicate needsImplicitTypeNameNode(string component) {
   )
 }
 
+predicate needsNewObjectTypeNameNode(DataFlow::ObjectCreationNode creation, string component) {
+  creation.asExpr().getExpr() instanceof DotNetObjectCreation and
+  exists(string type, int index |
+    type = creation.getLowerCaseConstructedTypeName() and
+    index = [0 .. strictcount(type.indexOf("."))] and
+    component =
+      strictconcat(int i, string s | s = type.splitAt(".", i) and i <= index | s, "." order by i)
+  )
+}
+
 /** Gets a Powershell-specific interpretation of the given `type`. */
 API::Node getExtraNodeFromType(string rawType) {
   exists(string type, string suffix, DataFlow::TypeNameNode typeName |

Original file line number	Diff line number	Diff line change
`@@ -369,7 +369,7 @@ module API {`
`369`	`369`
`370`	`370`	`final predicate isImplicit() { not this.isExplicit(_) }`
`371`	`371`
`372`		`- predicate isExplicit(DataFlow::TypeNameNode typeName) { none() }`
	`372`	`+ predicate isExplicit(DataFlow::Node node) { none() }`
`373`	`373`	`}`
`374`	`374`
`375`	`375`	`final class TypeNameNode = AbstractTypeNameNode;`
`@@ -392,8 +392,8 @@ module API {`
`392`	`392`	`)`
`393`	`393`	`}`
`394`	`394`
`395`		`- final override predicate isExplicit(DataFlow::TypeNameNode typeName) {`
`396`		`- Specific::needsExplicitTypeNameNode(typeName, prefix)`
	`395`	`+ final override predicate isExplicit(DataFlow::Node node) {`
	`396`	`+ Specific::needsExplicitTypeNameNode(node, prefix)`
`397`	`397`	`}`
`398`	`398`	`}`
`399`	`399`
`@@ -424,6 +424,18 @@ module API {`
`424`	`424`	`}`
`425`	`425`	`}`
`426`	`426`
	`427`	`+ class NewObjectTypeNameNode extends AbstractTypeNameNode, Impl::MkNewObjectTypeNameNode {`
	`428`	`+ NewObjectTypeNameNode() { this = Impl::MkNewObjectTypeNameNode(prefix) }`
	`429`	`+`
	`430`	`+ final override Node getSuccessor(string name) {`
	`431`	`+ result = Impl::MkNewObjectTypeNameNode(prefix + "." + name)`
	`432`	`+ }`
	`433`	`+`
	`434`	`+ final override predicate isExplicit(DataFlow::Node node) {`
	`435`	`+ Specific::needsNewObjectTypeNameNode(node, prefix)`
	`436`	`+ }`
	`437`	`+ }`
	`438`	`+`
`427`	`439`	`/**`
`428`	`440`	`* An API entry point.`
`429`	`441`	`*`
`@@ -517,6 +529,7 @@ module API {`
`517`	`529`	`MkMethodAccessNode(DataFlow::CallNode call) or`
`518`	`530`	`MkExplicitTypeNameNode(string prefix) { Specific::needsExplicitTypeNameNode(_, prefix) } or`
`519`	`531`	`MkImplicitTypeNameNode(string prefix) { Specific::needsImplicitTypeNameNode(prefix) } or`
	`532`	`+ MkNewObjectTypeNameNode(string prefix) { Specific::needsNewObjectTypeNameNode(_, prefix) } or`
`520`	`533`	`MkForwardNode(DataFlow::LocalSourceNode node, TypeTracker t) { isReachable(node, t) } or`
`521`	`534`	`/** Intermediate node for following backward data flow. */`
`522`	`535`	`MkBackwardNode(DataFlow::LocalSourceNode node, TypeTracker t) { isReachable(node, t) } or`