PS: Improve api graphs.

Author: MathiasVP

powershell/ql/lib/qlpack.yml

@@ -16,4 +16,6 @@ dependencies:
 dataExtensions:
   - semmle/code/powershell/frameworks/**/*.model.yml
   - semmle/code/powershell/frameworks/**/*.typemodel.yml
+  - semmle/code/powershell/frameworks/data/internal/cmdlet.model.yml
+  - semmle/code/powershell/frameworks/data/internal/alias.model.yml
 warnOnImplicitThis: true

powershell/ql/lib/semmle/code/powershell/ApiGraphs.qll

@@ -10,6 +10,7 @@ private import semmle.code.powershell.dataflow.DataFlow
 private import semmle.code.powershell.typetracking.ApiGraphShared
 private import semmle.code.powershell.typetracking.internal.TypeTrackingImpl
 private import semmle.code.powershell.controlflow.Cfg
+private import frameworks.data.internal.ApiGraphModels
 private import frameworks.data.internal.ApiGraphModelsExtensions as Extensions
 private import frameworks.data.internal.ApiGraphModelsSpecific as Specific
 private import semmle.code.powershell.dataflow.internal.DataFlowPrivate as DataFlowPrivate
@@ -262,8 +263,7 @@ module API {
       this = Impl::MkMethodAccessNode(result) or
       this = Impl::MkBackwardNode(result, _) or
       this = Impl::MkForwardNode(result, _) or
-      this = Impl::MkSinkNode(result) or
-      this = Impl::MkNamespaceOfTypeNameNode(result)
+      this = Impl::MkSinkNode(result)
     }
 
     /** Gets the location of this node. */
@@ -272,6 +272,10 @@ module API {
       or
       this instanceof RootNode and
       result instanceof EmptyLocation
+      or
+      not this instanceof RootNode and
+      not exists(this.getInducingNode()) and
+      result instanceof EmptyLocation
     }
 
     /**
@@ -331,20 +335,84 @@ module API {
     override string toString() { result = "SinkNode(" + this.getInducingNode() + ")" }
   }
 
-  private class UsingNode extends Node, Impl::MkUsingNode {
-    UsingStmt using; // TODO: This should really be the cfg node, I think
+  abstract private class AbstractTypeNameNode extends Node {
+    string prefix;
+
+    bindingset[prefix]
+    AbstractTypeNameNode() { any() }
+
+    override string toString() { result = "TypeNameNode(" + this.getTypeName() + ")" }
+
+    string getComponent() {
+      exists(int n |
+        result = prefix.splitAt(".", n) and
+        not exists(prefix.splitAt(".", n + 1))
+      )
+    }
+
+    string getTypeName() { result = prefix }
+
+    abstract Node getSuccessor(string name);
+
+    Node memberEdge(string name) { none() }
+
+    Node methodEdge(string name) { none() }
+
+    final predicate isImplicit() { not this.isExplicit(_) }
+
+    predicate isExplicit(DataFlow::TypeNameNode typeName) { none() }
+  }
+
+  final class TypeNameNode = AbstractTypeNameNode;
+
+  private class ExplicitTypeNameNode extends AbstractTypeNameNode, Impl::MkExplicitTypeNameNode {
+    ExplicitTypeNameNode() { this = Impl::MkExplicitTypeNameNode(prefix) }
+
+    final override Node getSuccessor(string name) {
+      exists(ExplicitTypeNameNode succ |
+        succ = Impl::MkExplicitTypeNameNode(prefix + "." + name) and
+        result = succ
+      )
+      or
+      exists(DataFlow::TypeNameNode typeName, int n, string lowerCaseName |
+        Specific::needsExplicitTypeNameNode(typeName, prefix) and
+        lowerCaseName = typeName.getLowerCaseName() and
+        name = lowerCaseName.splitAt(".", n) and
+        not lowerCaseName.matches("%.%") and
+        result = getForwardStartNode(typeName)
+      )
+    }
+
+    final override predicate isExplicit(DataFlow::TypeNameNode typeName) {
+      Specific::needsExplicitTypeNameNode(typeName, prefix)
+    }
+  }
 
-    UsingNode() { this = Impl::MkUsingNode(using) }
+  private string getAnAlias(string cmdlet) { Specific::aliasModel(cmdlet, result) }
 
-    override string toString() { result = "UsingNode(" + using + ")" }
+  predicate implicitCmdlet(string mod, string cmdlet) {
+    exists(string cmdlet0 |
+      Specific::cmdletModel(mod, cmdlet0) and
+      cmdlet = [cmdlet0, getAnAlias(cmdlet0)]
+    )
   }
 
-  private class NamespaceOfTypeNameNode extends Node, Impl::MkNamespaceOfTypeNameNode {
-    DataFlow::QualifiedTypeNameNode typeName;
+  private class ImplicitTypeNameNode extends AbstractTypeNameNode, Impl::MkImplicitTypeNameNode {
+    ImplicitTypeNameNode() { this = Impl::MkImplicitTypeNameNode(prefix) }
+
+    final override Node getSuccessor(string name) {
+      result = Impl::MkImplicitTypeNameNode(prefix + "." + name)
+    }
 
-    NamespaceOfTypeNameNode() { this = Impl::MkNamespaceOfTypeNameNode(typeName) }
+    final override Node memberEdge(string name) { result = this.methodEdge(name) }
 
-    override string toString() { result = "NamespaceOfTypeNameNode(" + typeName + ")" }
+    final override Node methodEdge(string name) {
+      exists(DataFlow::CallNode call |
+        result = Impl::MkMethodAccessNode(call) and
+        name = call.getLowerCaseName() and
+        implicitCmdlet(prefix, name)
+      )
+    }
   }
 
   /**
@@ -438,8 +506,8 @@ module API {
       MkRoot() or
       /** The method accessed at `call`, synthetically treated as a separate object. */
       MkMethodAccessNode(DataFlow::CallNode call) or
-      MkUsingNode(UsingStmt using) or
-      MkNamespaceOfTypeNameNode(DataFlow::QualifiedTypeNameNode typeName) or
+      MkExplicitTypeNameNode(string prefix) { Specific::needsExplicitTypeNameNode(_, prefix) } or
+      MkImplicitTypeNameNode(string prefix) { Specific::needsImplicitTypeNameNode(prefix) } or
       MkForwardNode(DataFlow::LocalSourceNode node, TypeTracker t) { isReachable(node, t) } or
       /** Intermediate node for following backward data flow. */
       MkBackwardNode(DataFlow::LocalSourceNode node, TypeTracker t) { isReachable(node, t) } or
@@ -455,27 +523,8 @@ module API {
       node = any(EntryPoint e).getASink()
     }
 
-    bindingset[e]
-    pragma[inline_late]
-    private DataFlow::Node getNodeFromExpr(Expr e) { result.asExpr().getExpr() = e }
-
     private import frameworks.data.ModelsAsData
 
-    cached
-    predicate namespace(string name, Node node) {
-      exists(DataFlow::QualifiedTypeNameNode typeName |
-        typeName.getNamespace() = name and
-        node = MkNamespaceOfTypeNameNode(typeName)
-      )
-      or
-      exists(UsingStmt using |
-        using.getName().toLowerCase() = name and
-        node = MkUsingNode(using)
-      )
-      or
-      node = ModelOutput::getATypeNode(name)
-    }
-
     cached
     predicate topLevelMember(string name, Node node) { memberEdge(root(), name, node) }
 
@@ -492,42 +541,51 @@ module API {
     predicate memberEdge(Node pred, string name, Node succ) {
       pred = API::root() and
       (
-        exists(StringConstExpr read |
-          succ = getForwardStartNode(getNodeFromExpr(read)) and
-          name = read.getValueString()
-        )
+        succ.(TypeNameNode).getTypeName() = name
         or
         exists(DataFlow::AutomaticVariableNode automatic |
           automatic.getLowerCaseName() = name and
           succ = getForwardStartNode(automatic)
         )
-        or
-        succ = getAnImplicitRootMember(name)
       )
       or
-      exists(DataFlow::QualifiedTypeNameNode typeName |
-        typeName.getLowerCaseName() = name and
-        pred = MkNamespaceOfTypeNameNode(typeName) and
-        succ = getForwardStartNode(typeName)
+      exists(TypeNameNode typeName | pred = typeName |
+        typeName.getSuccessor(name) = succ
+        or
+        typeName.memberEdge(name) = succ
       )
       or
-      exists(MemberExprReadAccess read |
-        read.getLowerCaseMemberName().toLowerCase() = name and
-        pred = getForwardEndNode(getALocalSourceStrict(getNodeFromExpr(read.getQualifier()))) and
-        succ = getForwardStartNode(getNodeFromExpr(read))
+      exists(DataFlow::Node qualifier | pred = getForwardEndNode(getALocalSourceStrict(qualifier)) |
+        exists(CfgNodes::ExprNodes::MemberExprReadAccessCfgNode read |
+          read.getQualifier() = qualifier.asExpr() and
+          read.getLowerCaseMemberName() = name and
+          succ = getForwardStartNode(DataFlow::exprNode(read))
+        )
+        or
+        exists(DataFlow::CallNode call |
+          call.getLowerCaseName() = name and
+          call.getQualifier() = qualifier and
+          succ = MkMethodAccessNode(call)
+        )
       )
     }
 
     cached
     predicate methodEdge(Node pred, string name, Node succ) {
       exists(DataFlow::CallNode call |
-        succ = MkMethodAccessNode(call) and name = call.getLowerCaseName()
-      |
+        succ = MkMethodAccessNode(call) and
+        name = call.getLowerCaseName() and
         pred = getForwardEndNode(getALocalSourceStrict(call.getQualifier()))
       )
       or
+      pred.(TypeNameNode).methodEdge(name) = succ
+      or
       pred = API::root() and
-      succ = getAnImplicitRootMember(name)
+      exists(DataFlow::CallNode call |
+        not exists(call.getQualifier()) and
+        succ = MkMethodAccessNode(call) and
+        name = call.getLowerCaseName()
+      )
     }
 
     cached

powershell/ql/lib/semmle/code/powershell/frameworks/data/empty.model.yml

@@ -30,3 +30,13 @@ extensions:
       pack: microsoft/powershell-all
       extensible: typeVariableModel
     data: []
+
+  - addsTo:
+      pack: microsoft/powershell-all
+      extensible: cmdletModel
+    data: []
+
+  - addsTo:
+      pack: microsoft/powershell-all
+      extensible: aliasModel
+    data: []

powershell/ql/lib/semmle/code/powershell/frameworks/data/internal/ApiGraphModelsSpecific.qll

@@ -26,8 +26,13 @@ private import codeql.dataflow.internal.AccessPathSyntax
 import semmle.code.powershell.ApiGraphs
 import semmle.code.powershell.dataflow.DataFlow::DataFlow as DataFlow
 private import FlowSummaryImpl::Public
+private import semmle.code.powershell.controlflow.Cfg
 private import semmle.code.powershell.dataflow.internal.DataFlowDispatch as DataFlowDispatch
 
+extensible predicate cmdletModel(string mod, string cmdlet);
+
+extensible predicate aliasModel(string cmdlet, string alias);
+
 bindingset[rawType]
 predicate isTypeUsed(string rawType) { any() }
 
@@ -40,7 +45,7 @@ private predicate parseType(string rawType, string consts, string suffix) {
   )
 }
 
-private predicate parseRelevantType(string rawType, string consts, string suffix) {
+predicate parseRelevantType(string rawType, string consts, string suffix) {
   isRelevantType(rawType) and
   parseType(rawType, consts, suffix)
 }
@@ -57,58 +62,63 @@ predicate hasImplicitTypeModel(string type, string otherType) {
 
 /** Gets a Powershell-specific interpretation of the `(type, path)` tuple after resolving the first `n` access path tokens. */
 bindingset[type, path]
-API::Node getExtraNodeFromPath(string type, AccessPath path, int n) {
-  // A row of form `any;Method[foo]` should match any method named `foo`.
-  type = "any" and
-  n = 1 and
-  exists(string methodName, DataFlow::CallNode call |
-    methodMatchedByName(path, methodName) and
-    call.matchesName(methodName) and
-    result.(API::MethodAccessNode).asCall() = call
+API::Node getExtraNodeFromPath(string type, AccessPath path, int n) { none() }
+
+bindingset[type, name, namespace]
+private predicate typeMatches(string type, string name, string namespace) {
+  if namespace = "" then type.matches("%" + name) else type.matches("%" + namespace + "." + name)
+}
+
+bindingset[type]
+private DataFlow::TypeNameNode getTypeNameNode(string type) {
+  exists(string name, string namespace |
+    name = result.getLowerCaseName() and
+    namespace = result.getNamespace() and
+    typeMatches(type, name, namespace)
   )
 }
 
-/**
- * Gets a string that represents a module that is always implicitly
- * imported in any powershell script.
- */
-string getAnImplicitImport() {
-  result = "microsoft.powershell.management!"
-  or
-  result = "microsoft.powershell.utility!"
+private string getTypeNameComponent(string type, int index) {
+  index = [0 .. strictcount(type.indexOf("."))] and
+  parseRelevantType(_, type, _) and
+  result =
+    strictconcat(int i, string s | s = type.splitAt(".", i) and i <= index | s, "." order by i)
+}
+
+predicate needsExplicitTypeNameNode(DataFlow::TypeNameNode typeName, string component) {
+  exists(string type, int index |
+    component = getTypeNameComponent(type, index) and
+    typeName = getTypeNameNode(type) and
+    index = [0 .. strictcount(type.indexOf(".")) - 1]
+  )
+}
+
+predicate needsImplicitTypeNameNode(string component) {
+  exists(string type, int index |
+    component = getTypeNameComponent(type, index) and
+    index = [0 .. strictcount(type.indexOf("."))] and
+    type.matches("microsoft.powershell.%")
+  )
 }
 
 /** Gets a Powershell-specific interpretation of the given `type`. */
 API::Node getExtraNodeFromType(string rawType) {
-  exists(
-    string type, string suffix, DataFlow::QualifiedTypeNameNode qualifiedTypeName, string namespace,
-    string typename
-  |
+  exists(string type, string suffix, DataFlow::TypeNameNode typeName |
     parseRelevantType(rawType, type, suffix) and
-    qualifiedTypeName.hasQualifiedName(namespace, typename) and
-    (namespace + "." + typename).toLowerCase() = type
+    typeName = getTypeNameNode(type)
   |
     suffix = "!" and
-    result = qualifiedTypeName.(DataFlow::LocalSourceNode).track()
+    result = typeName.(DataFlow::LocalSourceNode).track()
     or
     suffix = "" and
-    result = qualifiedTypeName.(DataFlow::LocalSourceNode).track().getInstance()
+    result = typeName.(DataFlow::LocalSourceNode).track().getInstance()
   )
   or
-  rawType = ["", getAnImplicitImport()] and
-  result = API::root()
-}
-
-/**
- * Holds if `path` occurs in a CSV row with type `any`, meaning it can start
- * matching anywhere, and the path begins with `Method[methodName]`.
- */
-private predicate methodMatchedByName(AccessPath path, string methodName) {
-  isRelevantFullPath("any", path) and
-  exists(AccessPathToken token |
-    token = path.getToken(0) and
-    token.getName() = "Method" and
-    methodName = token.getAnArgument()
+  exists(string name, API::TypeNameNode typeName |
+    parseRelevantType(rawType, name, _) and
+    typeName = API::getTopLevelMember(name) and
+    typeName.isImplicit() and
+    result = typeName
   )
 }