PS: Fix false positive by adding a type-based sanitizer.

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/security/Sanitizers.qll

@@ -0,0 +1,14 @@
+private import powershell
+private import semmle.code.powershell.dataflow.DataFlow
+
+/**
+ * A dataflow node that is guarenteed to have a "simple" type.
+ *
+ * Simple types include integers, floats, characters, booleans, and `datetime`.
+ */
+class SimpleTypeSanitizer extends DataFlow::Node {
+  SimpleTypeSanitizer() {
+    this.asParameter().getStaticType() =
+      ["int32", "int64", "single", "double", "decimal", "char", "boolean", "datetime"]
+  }
+}

powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll

@@ -8,6 +8,7 @@ private import semmle.code.powershell.dataflow.DataFlow
 import semmle.code.powershell.ApiGraphs
 private import semmle.code.powershell.dataflow.flowsources.FlowSources
 private import semmle.code.powershell.Cfg
+private import semmle.code.powershell.security.Sanitizers
 
 module SqlInjection {
   /**
@@ -99,4 +100,6 @@ module SqlInjection {
 
     override string getSinkType() { result = "call to sqlcmd" }
   }
+
+  class TypeSanitizer extends Sanitizer instanceof SimpleTypeSanitizer { }
 }

powershell/ql/test/query-tests/security/cwe-089/test.ps1

@@ -82,28 +82,28 @@ Invoke-Sqlcmd @QueryConn2 # BAD
 
 function TakesTypedParameters([int]$i, [long]$l, [float]$f, [double]$d, [decimal]$dec, [char]$c, [bool]$b, [datetime]$dt) {
     $query1 = "SELECT * FROM MyTable WHERE MyColumn = '$i'"
-    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query1 # GOOD [FALSE POSITIVE]
+    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query1 # GOOD
 
     $query2 = "SELECT * FROM MyTable WHERE MyColumn = '$l'"
-    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query2 # GOOD [FALSE POSITIVE]
+    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query2 # GOOD
 
     $query3 = "SELECT * FROM MyTable WHERE MyColumn = '$f'"
-    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query3 # GOOD [FALSE POSITIVE]
+    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query3 # GOOD
 
     $query4 = "SELECT * FROM MyTable WHERE MyColumn = '$d'"
-    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query4 # GOOD [FALSE POSITIVE]
+    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query4 # GOOD
 
     $query5 = "SELECT * FROM MyTable WHERE MyColumn = '$dec'"
-    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query5 # GOOD [FALSE POSITIVE]
+    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query5 # GOOD
 
     $query6 = "SELECT * FROM MyTable WHERE MyColumn = '$c'"
-    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query6 # GOOD [FALSE POSITIVE]
+    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query6 # GOOD
 
     $query7 = "SELECT * FROM MyTable WHERE MyColumn = '$b'"
-    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query7 # GOOD [FALSE POSITIVE]
+    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query7 # GOOD
 
     $query8 = "SELECT * FROM MyTable WHERE MyColumn = '$dt'"
-    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query8 # GOOD [FALSE POSITIVE]
+    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query8 # GOOD
 }
 
 TakesTypedParameters $userinput $userinput $userinput $userinput $userinput $userinput $userinput $userinput