Merge pull request #109 from microsoft/powershell-call-target-resolution

MathiasVP · web-flow · commit c7850b141d99 · 2024-10-02T17:56:21.000+02:00
PS: Resolve function calls
diff --git a/powershell/ql/lib/semmle/code/powershell/Ast.qll b/powershell/ql/lib/semmle/code/powershell/Ast.qll
@@ -8,5 +8,7 @@ class Ast extends @ast {
 
   Location getLocation() { none() }
 
-  final Scope getEnclosingScope() { result = scopeOf(this) }
+  Scope getEnclosingScope() { result = scopeOf(this) }
+
+  final Function getEnclosingFunction() { this.getEnclosingScope() = result.getBody() }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/Call.qll b/powershell/ql/lib/semmle/code/powershell/Call.qll
@@ -1,31 +1,68 @@
 import powershell
+private import semmle.code.powershell.dataflow.internal.DataFlowImplCommon
+private import semmle.code.powershell.dataflow.internal.DataFlowDispatch
+private import semmle.code.powershell.controlflow.CfgNodes
 
 abstract private class AbstractCall extends Ast {
   abstract Expr getCommand();
 
+  /** Gets the i'th argument to this call. */
   abstract Expr getArgument(int i);
 
-  Expr getNamedArgument(string name) { none() }
+  /** Gets the i'th positional argument to this call. */
+  abstract Expr getPositionalArgument(int i);
 
-  Expr getAnArgument() { result = this.getArgument(_) or result = this.getNamedArgument(_) }
+  /** Gets the argument to this call with the name `name`. */
+  abstract Expr getNamedArgument(string name);
 
+  /** Gets any argument to this call. */
+  final Expr getAnArgument() { result = this.getArgument(_) }
+
+  /** Gets the qualifier of this call, if any. */
   Expr getQualifier() { none() }
+
+  /** Gets a possible runtime target of this call. */
+  abstract Function getATarget();
 }
 
 private class CmdCall extends AbstractCall instanceof Cmd {
   final override Expr getCommand() { result = Cmd.super.getCommand() }
 
+  final override Expr getPositionalArgument(int i) { result = Cmd.super.getPositionalArgument(i) }
+
   final override Expr getArgument(int i) { result = Cmd.super.getArgument(i) }
 
   final override Expr getNamedArgument(string name) { result = Cmd.super.getNamedArgument(name) }
+
+  final override Function getATarget() {
+    exists(DataFlowCall call | call.asCall().(StmtNodes::CmdCfgNode).getStmt() = this |
+      result.getBody() = viableCallableLambda(call, _).asCfgScope()
+      or
+      result.getBody() = getTarget(call)
+    )
+  }
 }
 
 private class InvokeMemberCall extends AbstractCall instanceof InvokeMemberExpr {
   final override Expr getCommand() { result = super.getMember() }
 
-  final override Expr getArgument(int i) { result = InvokeMemberExpr.super.getArgument(i) }
+  final override Expr getPositionalArgument(int i) {
+    result = InvokeMemberExpr.super.getArgument(i)
+  }
+
+  final override Expr getArgument(int i) { result = this.getPositionalArgument(i) }
 
   final override Expr getQualifier() { result = InvokeMemberExpr.super.getQualifier() }
+
+  final override Expr getNamedArgument(string name) { none() }
+
+  final override Function getATarget() {
+    exists(DataFlowCall call | call.asCall().(ExprNodes::InvokeMemberCfgNode).getExpr() = this |
+      result.getBody() = viableCallableLambda(call, _).asCfgScope()
+      or
+      result.getBody() = getTarget(call)
+    )
+  }
 }
 
 final class Call = AbstractCall;
diff --git a/powershell/ql/lib/semmle/code/powershell/Function.qll b/powershell/ql/lib/semmle/code/powershell/Function.qll
@@ -4,6 +4,8 @@ import semmle.code.powershell.controlflow.BasicBlocks
 abstract private class AbstractFunction extends Ast {
   abstract string getName();
 
+  final predicate hasName(string name) { this.getName() = name }
+
   abstract ScriptBlock getBody();
 
   abstract Parameter getFunctionParameter(int i);
diff --git a/powershell/ql/lib/semmle/code/powershell/InvokeMemberExpression.qll b/powershell/ql/lib/semmle/code/powershell/InvokeMemberExpression.qll
@@ -5,11 +5,21 @@ class InvokeMemberExpr extends @invoke_member_expression, MemberExprBase {
 
   Expr getQualifier() { invoke_member_expression(this, result, _) }
 
+  string getName() { result = this.getMember().(StringConstExpr).getValue().getValue() }
+
   CmdElement getMember() { invoke_member_expression(this, _, result) }
 
   Expr getArgument(int i) { invoke_member_expression_argument(this, i, result) }
 
   Expr getAnArgument() { invoke_member_expression_argument(this, _, result) }
 
-  override string toString() { result = "call to " + this.getMember() }
+  override string toString() { result = "call to " + this.getName() }
+
+  override predicate isStatic() { this.getQualifier() instanceof TypeNameExpr }
+}
+
+class ConstructorCall extends InvokeMemberExpr {
+  ConstructorCall() { this.isStatic() and this.getName() = "new" }
+
+  Type getConstructedType() { result = this.getQualifier().(TypeNameExpr).getType() }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/MemberExpr.qll b/powershell/ql/lib/semmle/code/powershell/MemberExpr.qll
@@ -12,7 +12,7 @@ class MemberExpr extends @member_expression, MemberExprBase {
 
   predicate isNullConditional() { member_expression(this, _, _, true, _) }
 
-  predicate isStatic() { member_expression(this, _, _, _, true) }
+  override predicate isStatic() { member_expression(this, _, _, _, true) }
 
   final override string toString() { result = this.getMember().toString() }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/MemberExpressionBase.qll b/powershell/ql/lib/semmle/code/powershell/MemberExpressionBase.qll
@@ -1,3 +1,5 @@
 import powershell
 
-class MemberExprBase extends @member_expression_base, Expr { }
+class MemberExprBase extends @member_expression_base, Expr {
+  predicate isStatic() { none() }
+}
diff --git a/powershell/ql/lib/semmle/code/powershell/ScriptBlock.qll b/powershell/ql/lib/semmle/code/powershell/ScriptBlock.qll
@@ -1,4 +1,5 @@
 import powershell
+private import semmle.code.powershell.controlflow.internal.Scope
 
 class ScriptBlock extends @script_block, Ast {
   predicate isTopLevel() { not exists(this.getParent()) }
@@ -48,4 +49,6 @@ class ScriptBlock extends @script_block, Ast {
   }
 
   ModuleSpecification getAModuleSpecification() { result = this.getModuleSpecification(_) }
+
+  final override Scope getEnclosingScope() { result = this }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/Type.qll b/powershell/ql/lib/semmle/code/powershell/Type.qll
@@ -10,4 +10,11 @@ class Type extends @type_definition, Stmt {
   Member getMember(int i) { type_definition_members(this, i, result) }
 
   Member getAMember() { result = this.getMember(_) }
+
+  MemberFunction getMemberFunction(string name) {
+    result = this.getAMember() and
+    result.hasName(name)
+  }
+
+  MemberFunction getAMemberFunction() { result = this.getMemberFunction(_) }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/TypeExpression.qll b/powershell/ql/lib/semmle/code/powershell/TypeExpression.qll
@@ -8,4 +8,7 @@ class TypeNameExpr extends @type_expression, Expr {
   override string toString() { result = this.getName() }
 
   override SourceLocation getLocation() { type_expression_location(this, result) }
+
+  /** Gets the type referred to by this `TypeNameExpr`. */
+  Type getType() { result.getName() = this.getName() }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll b/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll
@@ -125,6 +125,26 @@ abstract private class NonExprChildMapping extends ChildMapping {
   }
 }
 
+abstract private class AbstractCallCfgNode extends AstCfgNode {
+  override string getAPrimaryQlClass() { result = "CfgCall" }
+
+  abstract string getName();
+
+  ExprCfgNode getQualifier() { none() }
+
+  abstract ExprCfgNode getArgument(int i);
+
+  abstract ExprCfgNode getPositionalArgument(int i);
+
+  abstract ExprCfgNode getNamedArgument(string name);
+
+  abstract ExprCfgNode getAnArgument();
+
+  abstract ExprCfgNode getCommand();
+}
+
+final class CallCfgNode = AbstractCallCfgNode;
+
 /** Provides classes for control-flow nodes that wrap AST expressions. */
 module ExprNodes {
   private class VarAccessChildMapping extends ExprChildMapping, VarAccess {
@@ -189,14 +209,35 @@ module ExprNodes {
   }
 
   /** A control-flow node that wraps an `InvokeMemberExpr` expression. */
-  class InvokeMemberCfgNode extends ExprCfgNode {
+  class InvokeMemberCfgNode extends ExprCfgNode, AbstractCallCfgNode {
     override string getAPrimaryQlClass() { result = "InvokeMemberCfgNode" }
 
     override InvokeMemberChildMapping e;
 
-    final override InvokeMemberExpr getExpr() { result = super.getExpr() }
+    override InvokeMemberExpr getExpr() { result = super.getExpr() }
+
+    final override ExprCfgNode getQualifier() { e.hasCfgChild(e.getQualifier(), this, result) }
 
-    final ExprCfgNode getQualifier() { e.hasCfgChild(e.getQualifier(), this, result) }
+    final override ExprCfgNode getArgument(int i) { e.hasCfgChild(e.getArgument(i), this, result) }
+
+    final override ExprCfgNode getPositionalArgument(int i) { result = this.getArgument(i) }
+
+    final override ExprCfgNode getNamedArgument(string name) { none() }
+
+    final override ExprCfgNode getAnArgument() { e.hasCfgChild(e.getAnArgument(), this, result) }
+
+    final override string getName() { none() }
+
+    final override ExprCfgNode getCommand() { none() }
+  }
+
+    /** A control-flow node that wraps an `ConstructorCall` expression. */
+  class ConstructorCallCfgNode extends InvokeMemberCfgNode {
+    ConstructorCallCfgNode() { super.getExpr() instanceof ConstructorCall }
+
+    final override ConstructorCall getExpr() { result = super.getExpr() }
+
+    Type getConstructedType() { result = this.getExpr().getConstructedType() }
   }
 
   /** A control-flow node that wraps a qualifier expression. */
@@ -265,26 +306,28 @@ module StmtNodes {
   }
 
   /** A control-flow node that wraps a `Cmd` AST expression. */
-  class CmdCfgNode extends StmtCfgNode {
+  class CmdCfgNode extends StmtCfgNode, AbstractCallCfgNode {
     override string getAPrimaryQlClass() { result = "CmdCfgNode" }
 
     override CmdChildMapping s;
 
     override Cmd getStmt() { result = super.getStmt() }
 
-    ExprCfgNode getArgument(int i) { s.hasCfgChild(s.getArgument(i), this, result) }
+    override ExprCfgNode getArgument(int i) { s.hasCfgChild(s.getArgument(i), this, result) }
 
-    ExprCfgNode getPositionalArgument(int i) {
+    override ExprCfgNode getPositionalArgument(int i) {
       s.hasCfgChild(s.getPositionalArgument(i), this, result)
     }
 
-    ExprCfgNode getNamedArgument(string name) {
+    override ExprCfgNode getNamedArgument(string name) {
       s.hasCfgChild(s.getNamedArgument(name), this, result)
     }
 
-    ExprCfgNode getAnArgument() { s.hasCfgChild(s.getAnArgument(), this, result) }
+    override ExprCfgNode getAnArgument() { s.hasCfgChild(s.getAnArgument(), this, result) }
+
+    final override ExprCfgNode getCommand() { s.hasCfgChild(s.getCommand(), this, result) }
 
-    ExprCfgNode getCommand() { s.hasCfgChild(s.getCommand(), this, result) }
+    final override string getName() { result = s.getCmdName().getValue().getValue() }
   }
 
   private class AssignStmtChildMapping extends NonExprChildMapping, AssignStmt {
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowDispatch.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowDispatch.qll
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll
diff --git a/powershell/ql/lib/semmle/code/powershell/typetracking/TypeTracking.qll b/powershell/ql/lib/semmle/code/powershell/typetracking/TypeTracking.qll
diff --git a/powershell/ql/lib/semmle/code/powershell/typetracking/internal/TypeTrackingImpl.qll b/powershell/ql/lib/semmle/code/powershell/typetracking/internal/TypeTrackingImpl.qll

Original file line number	Diff line number	Diff line change
`@@ -8,5 +8,7 @@ class Ast extends @ast {`
`8`	`8`
`9`	`9`	`Location getLocation() { none() }`
`10`	`10`
`11`		`- final Scope getEnclosingScope() { result = scopeOf(this) }`
	`11`	`+ Scope getEnclosingScope() { result = scopeOf(this) }`
	`12`	`+`
	`13`	`+ final Function getEnclosingFunction() { this.getEnclosingScope() = result.getBody() }`
`12`	`14`	`}`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ class MemberExpr extends @member_expression, MemberExprBase {`
`12`	`12`
`13`	`13`	`predicate isNullConditional() { member_expression(this, _, _, true, _) }`
`14`	`14`
`15`		`- predicate isStatic() { member_expression(this, _, _, _, true) }`
	`15`	`+ override predicate isStatic() { member_expression(this, _, _, _, true) }`
`16`	`16`
`17`	`17`	`final override string toString() { result = this.getMember().toString() }`
`18`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`import powershell`
	`2`	`+private import semmle.code.powershell.controlflow.internal.Scope`
`2`	`3`
`3`	`4`	`class ScriptBlock extends @script_block, Ast {`
`4`	`5`	`predicate isTopLevel() { not exists(this.getParent()) }`
`@@ -48,4 +49,6 @@ class ScriptBlock extends @script_block, Ast {`
`48`	`49`	`}`
`49`	`50`
`50`	`51`	`ModuleSpecification getAModuleSpecification() { result = this.getModuleSpecification(_) }`
	`52`	`+`
	`53`	`+ final override Scope getEnclosingScope() { result = this }`
`51`	`54`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,4 +8,7 @@ class TypeNameExpr extends @type_expression, Expr {`
`8`	`8`	`override string toString() { result = this.getName() }`
`9`	`9`
`10`	`10`	`override SourceLocation getLocation() { type_expression_location(this, result) }`
	`11`	`+`
	`12`	+ /** Gets the type referred to by this `TypeNameExpr`. */
	`13`	`+ Type getType() { result.getName() = this.getName() }`
`11`	`14`	`}`