microsoft · MathiasVP · Apr 9, 2025 · Apr 3, 2025 · Apr 3, 2025 · Apr 3, 2025
diff --git a/powershell/ql/lib/semmle/code/powershell/ApiGraphs.qll b/powershell/ql/lib/semmle/code/powershell/ApiGraphs.qll
@@ -527,13 +527,25 @@ module API {
         pred = MkNamespaceOfTypeNameNode(typeName) and
         succ = getForwardStartNode(typeName)
       )
-      // or
-      // TODO: Handle getAMember when the predecessor is a MkUsingNode?
+      or
+      pred = MkRoot() and
+      exists(DataFlow::AutomaticVariableNode automatic |
+        automatic.getName() = name and
+        succ = getForwardStartNode(automatic)
+      )
+      or
+      exists(MemberExprReadAccess read |
+        read.getMemberName().toLowerCase() = name and
+        pred = getForwardEndNode(getALocalSourceStrict(getNodeFromExpr(read.getQualifier()))) and
+        succ = getForwardStartNode(getNodeFromExpr(read))
+      )
     }
 
     cached
     predicate methodEdge(Node pred, string name, Node succ) {
-      exists(DataFlow::CallNode call | succ = MkMethodAccessNode(call) and name = call.getName() |
+      exists(DataFlow::CallNode call |
+        succ = MkMethodAccessNode(call) and name = call.getName().toLowerCase()
+      |
         pred = getForwardEndNode(getALocalSourceStrict(call.getQualifier()))
       )
     }

diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/Synthesis.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/Synthesis.qll
@@ -440,6 +440,11 @@ private module FunctionSynth {
         n = TFunctionSynth(fundefStmt, _) and
         result = fundefStmt.getLocation()
       )
+      or
+      exists(Raw::TopLevelScriptBlock topLevelScriptBlock |
+        n = TTopLevelFunction(topLevelScriptBlock) and
+        result = topLevelScriptBlock.getLocation()
+      )
     }
   }
 }

diff --git a/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll b/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll
@@ -1061,6 +1061,20 @@ module ExprNodes {
 
     ExprCfgNode getAnOperand() { e.hasCfgChild(e.getAnOperand(), this, result) }
   }
+
+  private class AutomaticVariableChildMapping extends ExprChildMapping, AutomaticVariable {
+    override predicate relevantChild(Ast child) { none() }
+  }
+
+  class AutomaticVariableCfgNode extends ExprCfgNode {
+    override string getAPrimaryQlClass() { result = "AutomaticVariableCfgNode" }
+
+    override AutomaticVariableChildMapping e;
+
+    override AutomaticVariable getExpr() { result = e }
+
+    string getName() { result = e.getName() }
+  }
 }
 
 module StmtNodes {

diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll
@@ -555,3 +555,12 @@ class QualifiedTypeNameNode extends TypeNameNode {
 
   final override CfgNodes::ExprNodes::QualifiedTypeNameExprCfgNode getExprNode() { result = n }
 }
+
+/** A use of an automatic variable, viewed as a node in a data flow graph. */
+class AutomaticVariableNode extends ExprNode {
+  override CfgNodes::ExprNodes::AutomaticVariableCfgNode n;
+
+  final override CfgNodes::ExprNodes::AutomaticVariableCfgNode getExprNode() { result = n }
+
+  string getName() { result = n.getName() }
+}