Merge branch 'main' of https://github.com/microsoft/codeql into auto/sync-main-pr

Author: dilanbhalla

powershell/ql/lib/semmle/code/powershell/ast/internal/Attribute.qll

@@ -1,7 +1,10 @@
 private import AstImport
 
 class Attribute extends AttributeBase, TAttribute {
-  string getName() { result = getRawAst(this).(Raw::Attribute).getName() }
+  string getLowerCaseName() { result = getRawAst(this).(Raw::Attribute).getName().toLowerCase() }
+
+  bindingset[result]
+  string getAName() { result.toLowerCase() = this.getLowerCaseName() }
 
   NamedAttributeArgument getNamedArgument(int i) {
     exists(ChildIndex index, Raw::Ast r | index = attributeNamedArg(i) and r = getRawAst(this) |
@@ -41,7 +44,7 @@ class Attribute extends AttributeBase, TAttribute {
     result = this.toStringSpecific()
     or
     not exists(this.toStringSpecific()) and
-    result = this.getName()
+    result = this.getLowerCaseName()
   }
 
   final override Ast getChild(ChildIndex i) {

powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll

@@ -180,6 +180,11 @@ class AttributeCfgNode extends AttributeBaseCfgNode {
   ExprCfgNode getPositionalArgument(int i) {
     attr.hasCfgChild(attr.getPositionalArgument(i), this, result)
   }
+
+  string getLowerCaseName() { result = attr.getLowerCaseName() }
+
+  bindingset[result]
+  string getAName() { result = attr.getAName() }
 }
 
 private class ScriptBlockChildMapping extends NonExprChildMapping, ScriptBlock {

powershell/ql/lib/semmle/code/powershell/security/CommandInjectionCustomizations.qll

@@ -240,7 +240,7 @@ module CommandInjection {
       exists(Function f, Attribute a, Parameter p |
         p = f.getAParameter() and
         p.getAnAttribute() = a and 
-        a.getName() = ["ValidateScript", "ValidateSet", "ValidatePattern"] and
+        a.getAName() = ["ValidateScript", "ValidateSet", "ValidatePattern"] and
         this.asParameter() = p
       )
     }

powershell/ql/src/queries/security/cwe-078/CommandInjectionCritical.ql

@@ -26,7 +26,7 @@ abstract class CriticalSource extends DataFlow::Node {
 class CmdletBindingParam extends CriticalSource {
     CmdletBindingParam(){
         exists(Attribute a, Function f | 
-            a.getName() = "CmdletBinding" and 
+            a.getAName() = "CmdletBinding" and 
             f = a.getEnclosingFunction() and 
             this.asParameter() = f.getAParameter()    
         )

powershell/ql/test/library-tests/ast/parent.expected

@@ -116,11 +116,11 @@
 | Arrays/Arrays.ps1:15:1:15:14 | [Stmt] Call to add | Arrays/Arrays.ps1:1:1:15:14 | {...} |
 | Arrays/Arrays.ps1:15:9:15:11 | Add | Arrays/Arrays.ps1:15:1:15:14 | Call to add |
 | Arrays/Arrays.ps1:15:13:15:13 | 1 | Arrays/Arrays.ps1:15:1:15:14 | Call to add |
-| Blocks/ParamBlock.ps1:1:1:1:17 | CmdletBinding | Blocks/ParamBlock.ps1:1:1:5:1 | {...} |
+| Blocks/ParamBlock.ps1:1:1:1:17 | cmdletbinding | Blocks/ParamBlock.ps1:1:1:5:1 | {...} |
 | Blocks/ParamBlock.ps1:1:1:5:1 | [synth] pipeline | Blocks/ParamBlock.ps1:1:1:5:1 | {...} |
 | Blocks/ParamBlock.ps1:1:1:5:1 | {...} | Blocks/ParamBlock.ps1:1:1:5:1 | toplevel function for ParamBlock.ps1 |
 | Blocks/ParamBlock.ps1:2:1:5:1 | {...} | Blocks/ParamBlock.ps1:1:1:5:1 | {...} |
-| Blocks/ParamBlock.ps1:3:5:3:17 | Parameter | Blocks/ParamBlock.ps1:3:5:4:22 | parameter |
+| Blocks/ParamBlock.ps1:3:5:3:17 | parameter | Blocks/ParamBlock.ps1:3:5:4:22 | parameter |
 | Blocks/ParamBlock.ps1:3:5:4:22 | parameter | Blocks/ParamBlock.ps1:1:1:5:1 | {...} |
 | Blocks/ParamBlock.ps1:4:5:4:12 | string | Blocks/ParamBlock.ps1:3:5:4:22 | parameter |
 | Dynamic/DynamicExecution.ps1:1:1:1:4 | foo | Dynamic/DynamicExecution.ps1:1:1:1:16 | ...=... |
@@ -420,7 +420,7 @@
 | Statements/UseProcessBlockForPipelineCommand.ps1:1:1:11:1 | {...} | Statements/UseProcessBlockForPipelineCommand.ps1:1:1:11:1 | toplevel function for UseProcessBlockForPipelineCommand.ps1 |
 | Statements/UseProcessBlockForPipelineCommand.ps1:1:1:11:1 | {...} | Statements/UseProcessBlockForPipelineCommand.ps1:1:1:11:1 | {...} |
 | Statements/UseProcessBlockForPipelineCommand.ps1:2:1:11:1 | {...} | Statements/UseProcessBlockForPipelineCommand.ps1:1:1:11:1 | Get-Number |
-| Statements/UseProcessBlockForPipelineCommand.ps1:3:5:3:21 | CmdletBinding | Statements/UseProcessBlockForPipelineCommand.ps1:2:1:11:1 | {...} |
+| Statements/UseProcessBlockForPipelineCommand.ps1:3:5:3:21 | cmdletbinding | Statements/UseProcessBlockForPipelineCommand.ps1:2:1:11:1 | {...} |
 | Statements/UseProcessBlockForPipelineCommand.ps1:4:5:10:11 | {...} | Statements/UseProcessBlockForPipelineCommand.ps1:2:1:11:1 | {...} |
 | Statements/UseProcessBlockForPipelineCommand.ps1:5:9:5:38 | ValueFromPipeline | Statements/UseProcessBlockForPipelineCommand.ps1:5:9:7:15 | number |
 | Statements/UseProcessBlockForPipelineCommand.ps1:5:9:7:15 | number | Statements/UseProcessBlockForPipelineCommand.ps1:2:1:11:1 | {...} |