PS: Add reads of environment variables as local flow sources.

powershell/ql/lib/semmle/code/powershell/Variable.qll

@@ -273,6 +273,21 @@ class LocalVariable extends AbstractLocalScopeVariable, TLocalVariable {
   final override Scope getDeclaringScope() { result = scope }
 }
 
+/**
+ * A variable of the form `$Env:HOME`.
+ */
+class EnvVariable extends Variable {
+  string var;
+
+  EnvVariable() { this.getName() = ["env:", "Env:"] + var }
+
+  /**
+   * Gets the part of the variable name that represens which environment
+   * variable.
+   */
+  string getEnvironmentVariable() { result = var }
+}
+
 class Parameter extends AbstractLocalScopeVariable, TParameter {
   ParameterImpl p;
 

powershell/ql/lib/semmle/code/powershell/VariableExpression.qll

@@ -48,3 +48,12 @@ class VarWriteAccess extends VarAccess {
 
   predicate isImplicit() { isImplicitVariableWriteAccess(this) }
 }
+
+/** An access to an environment variable such as `$Env:PATH` */
+class EnvVarAccess extends VarAccess {
+  EnvVarAccess() { super.getVariable() instanceof EnvVariable }
+
+  override EnvVariable getVariable() { result = super.getVariable() }
+
+  string getEnvironmentVariable() { result = this.getVariable().getEnvironmentVariable() }
+}

powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Local.qll

@@ -30,6 +30,12 @@ abstract class EnvironmentVariableSource extends LocalFlowSource {
   override string getSourceType() { result = "environment variable" }
 }
 
+private class EnvironmentVariableEnv extends EnvironmentVariableSource {
+  EnvironmentVariableEnv() {
+    this.asExpr().getExpr().(VarReadAccess).getVariable() instanceof EnvVariable
+  }
+}
+
 private class ExternalEnvironmentVariableSource extends EnvironmentVariableSource {
   ExternalEnvironmentVariableSource() {
     this = ModelOutput::getASourceNode("environment", _).asSource()