diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/FunctionBase.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/FunctionBase.qll
index e530778900e6..f5e58cf80b07 100644
--- a/powershell/ql/lib/semmle/code/powershell/ast/internal/FunctionBase.qll
+++ b/powershell/ql/lib/semmle/code/powershell/ast/internal/FunctionBase.qll
@@ -21,3 +21,8 @@ class FunctionBase extends Ast, TFunctionBase {
  final int getNumberOfParameters() { result = count(this.getAParameter()) }
 }
+
+/**
+ * The implicit function that represents the entire script block in a file.
+ */
+class TopLevelFunction extends FunctionBase, TTopLevelFunction { }
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/Synthesis.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/Synthesis.qll
index f504942e05ad..b6634ad7dc0c 100644
--- a/powershell/ql/lib/semmle/code/powershell/ast/internal/Synthesis.qll
+++ b/powershell/ql/lib/semmle/code/powershell/ast/internal/Synthesis.qll
@@ -675,8 +675,11 @@ private module LiteralSynth {
  s = "null" and
  child = SynthChild(NullLiteralKind())
  or
- Raw::isEnvVariableAccess(va, s) and
- child = SynthChild(EnvVariableKind(s))
+ exists(string s0 |
+ s = "env:" + s0 and
+ Raw::isEnvVariableAccess(va, s0) and
+ child = SynthChild(EnvVariableKind(s0))
+ )
  or
  isAutomaticVariableAccess(va, s) and
  child = SynthChild(AutomaticVariableKind(s))
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Local.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Local.qll
index d0e2e2601fbd..178f5f81c69c 100644
--- a/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Local.qll
+++ b/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Local.qll
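Review bot: Nothing in the new `exists` block in Synthesis.qll explains why `s` is bound to the literal `"env:" + s0` while the `EnvVariableKind` child is built from the bare name `s0`, so the next reader has to rediscover that the two strings are meant to differ. A one-line comment above `exists(string s0 |` would settle it, e.g. `// \`s\` is the qualified name (\`env:NAME\`) of the synthesized node; the kind keeps the bare variable name`. Because the prefix is a fixed lowercase literal whereas PowerShell accepts `$Env:`/`$ENV:` spellings, any consumer that later compares `s` against a name as written in source (outside this hunk) would need to normalize case first; I can't see how `s` is consumed from here, so that is worth confirming. The enclosing predicate in `LiteralSynth` starts and ends outside the hunk.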
@@ -59,7 +59,7 @@ private class ExternalCommandLineArgumentSource extends CommandLineArgumentSourc
  * A data flow source that represents the parameters of the `Main` method of a program.
  */
 private class MainMethodArgumentSource extends CommandLineArgumentSource {
- MainMethodArgumentSource() { this.asParameter().getParent() instanceof TopLevelScriptBlock }
+ MainMethodArgumentSource() { this.asParameter().getFunction() instanceof TopLevelFunction }
 }
 /**
diff --git a/powershell/ql/lib/semmle/code/powershell/frameworks/SystemConsole/model.yml b/powershell/ql/lib/semmle/code/powershell/frameworks/SystemConsole/model.yml
deleted file mode 100644
index 06c24dbe5843..000000000000
--- a/powershell/ql/lib/semmle/code/powershell/frameworks/SystemConsole/model.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-extensions:
- - addsTo:
- pack: microsoft-sdl/powershell-all
- extensible: sourceModel
- data:
- - ["system.console", "Method[Read].ReturnValue", "stdin"]
- - ["system.console", "Method[ReadKey].ReturnValue", "stdin"]
- - ["system.console", "Method[ReadLine].ReturnValue", "stdin"]
\ No newline at end of file
diff --git a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected
index e217064d1dfc..144255ccc3c0 100644
--- a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected
+++ b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected
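Review bot: The QLDoc directly above the changed line still describes the source as "the parameters of the `Main` method of a program", but the new characteristic predicate selects every parameter whose `getFunction()` is the `TopLevelFunction`, i.e. the script's own top-level `param(...)` block, so the comment no longer matches the code; I would change it to ` * A data flow source that represents the parameters of the top-level script block, which are supplied by whoever invokes the script.`. Treating all such parameters as attacker-influenced is the right conservative choice for a taint source, since the caller controls them directly. The class name `MainMethodArgumentSource` reads as a C#-ism for the same reason; a rename is optional, but a short note on its origin would avoid confusion. Separately, this commit also deletes `frameworks/SystemConsole/model.yml`, which removes the `system.console` `Read`/`ReadKey`/`ReadLine` stdin source rows; unless those are modeled elsewhere, local-source coverage for console input shrinks, which is worth stating in the commit description.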
@@ -1,4 +1,12 @@
 edges
+| test.ps1:1:8:1:9 | x | test.ps1:3:28:3:47 | Get-Process -Id $x | provenance | |
+| test.ps1:5:10:5:20 | my_var | test.ps1:7:3:7:19 | $code --enabled | provenance | |
 nodes
+| test.ps1:1:8:1:9 | x | semmle.label | x |
+| test.ps1:3:28:3:47 | Get-Process -Id $x | semmle.label | Get-Process -Id $x |
+| test.ps1:5:10:5:20 | my_var | semmle.label | my_var |
+| test.ps1:7:3:7:19 | $code --enabled | semmle.label | $code --enabled |
 subpaths
 #select
+| test.ps1:3:28:3:47 | Get-Process -Id $x | test.ps1:1:8:1:9 | x | test.ps1:3:28:3:47 | Get-Process -Id $x | This command depends on a $@. | test.ps1:1:8:1:9 | x | user-provided value |
+| test.ps1:7:3:7:19 | $code --enabled | test.ps1:5:10:5:20 | my_var | test.ps1:7:3:7:19 | $code --enabled | This command depends on a $@. | test.ps1:5:10:5:20 | my_var | user-provided value |