PS: Add dot sourcing as a sink.

MathiasVP · MathiasVP · commit 205d2e58ff28 · 2025-07-16T14:33:01.000+01:00
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/Command.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/Command.qll
@@ -83,7 +83,7 @@ class CallOperator extends CmdCall {
 class DotSourcingOperator extends CmdCall {
   DotSourcingOperator() { getRawAst(this) instanceof Raw::DotSourcingOperator }
 
-  Expr getPath() { result = this.getCallee() }
+  Expr getCommand() { result = this.getCallee() }
 }
 
 class JoinPath extends CmdCall {
diff --git a/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll b/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll
@@ -608,6 +608,21 @@ module ExprNodes {
     ExprCfgNode getCommand() { result = this.getCallee() }
   }
 
+  private class DotSourcingOperatorChildMapping extends CallExprChildMapping instanceof DotSourcingOperator
+  {
+    override predicate relevantChild(Ast child) { super.relevantChild(child) }
+  }
+
+  class DotSourcingOperatorCfgNode extends CallExprCfgNode {
+    override string getAPrimaryQlClass() { result = "DotSourcingOperatorCfgNode" }
+
+    override DotSourcingOperatorChildMapping e;
+
+    override DotSourcingOperator getExpr() { result = e }
+
+    ExprCfgNode getCommand() { result = this.getCallee() }
+  }
+
   private class ToStringCallChildmapping extends CallExprChildMapping instanceof ToStringCall {
     override predicate relevantChild(Ast child) { super.relevantChild(child) }
   }
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll
@@ -544,7 +544,14 @@ class CallNode extends ExprNode {
 class CallOperatorNode extends CallNode {
   override CfgNodes::ExprNodes::CallOperatorCfgNode call;
 
-  Node getCommand() { result.asExpr() = call.getCommand() } // TODO: Alternatively, we could remap calls to & as command expressions.
+  Node getCommand() { result.asExpr() = call.getCommand() }
+}
+
+/** A call to operator `.`, viewed as a node in a data flow graph. */
+class DotSourcingOperatorNode extends CallNode {
+  override CfgNodes::ExprNodes::DotSourcingOperatorCfgNode call;
+
+  Node getCommand() { result.asExpr() = call.getCommand() }
 }
 
 /**
diff --git a/powershell/ql/lib/semmle/code/powershell/security/CommandInjectionCustomizations.qll b/powershell/ql/lib/semmle/code/powershell/security/CommandInjectionCustomizations.qll
@@ -46,8 +46,10 @@ module CommandInjection {
         call.getAnArgument() = this
       )
       or
-      // Or the call command itself in case it's a use of operator &.
+      // Or the call command itself in case it's a use of "operator &" or "operator .".
       any(DataFlow::CallOperatorNode call).getCommand() = this
+      or
+      any(DataFlow::DotSourcingOperatorNode call).getCommand() = this
     }
 
     override string getSinkType() { result = "call to Invoke-Expression" }

Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ class CallOperator extends CmdCall {`
`83`	`83`	`class DotSourcingOperator extends CmdCall {`
`84`	`84`	`DotSourcingOperator() { getRawAst(this) instanceof Raw::DotSourcingOperator }`
`85`	`85`
`86`		`- Expr getPath() { result = this.getCallee() }`
	`86`	`+ Expr getCommand() { result = this.getCallee() }`
`87`	`87`	`}`
`88`	`88`
`89`	`89`	`class JoinPath extends CmdCall {`
Original file line number	Diff line number	Diff line change
`@@ -46,8 +46,10 @@ module CommandInjection {`
`46`	`46`	`call.getAnArgument() = this`
`47`	`47`	`)`
`48`	`48`	`or`
`49`		`- // Or the call command itself in case it's a use of operator &.`
	`49`	`+ // Or the call command itself in case it's a use of "operator &" or "operator .".`
`50`	`50`	`any(DataFlow::CallOperatorNode call).getCommand() = this`
	`51`	`+ or`
	`52`	`+ any(DataFlow::DotSourcingOperatorNode call).getCommand() = this`
`51`	`53`	`}`
`52`	`54`
`53`	`55`	`override string getSinkType() { result = "call to Invoke-Expression" }`