PS: Add taint flow through all operations.

2026-05-25 00:27:09 +02:00 · 2024-10-17 16:38:27 +01:00
parent cd017db09f
commit d0febd7aae
1 changed files with 15 additions and 10 deletions
--- a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/TaintTrackingPrivate.qll
+++ b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/TaintTrackingPrivate.qll
@@ -33,17 +33,22 @@ private module Cached {
   */
  cached
  predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, string model) {
-    // Although flow through collections is modeled precisely using stores/reads, we still
-    // allow flow out of a _tainted_ collection. This is needed in order to support taint-
-    // tracking configurations where the source is a collection.
-    exists(DataFlow::ContentSet c | readStep(nodeFrom, c, nodeTo) |
-      c.isSingleton(any(DataFlow::Content::ElementContent ec))
+    (
+      exists(CfgNodes::ExprNodes::OperationCfgNode op |
+        op = nodeTo.asExpr() and
+        op.getAnOperand() = nodeFrom.asExpr()
+      )
      or
-      c.isKnownOrUnknownElement(_)
-      // or
-      // TODO: We do't generate this one from readSteps yet, but we will as
-      // soon as we start on models-as-data.
-      // c.isAnyElement()
+      // Although flow through collections is modeled precisely using stores/reads, we still
+      // allow flow out of a _tainted_ collection. This is needed in order to support taint-
+      // tracking configurations where the source is a collection.
+      exists(DataFlow::ContentSet c | readStep(nodeFrom, c, nodeTo) |
+        c.isSingleton(any(DataFlow::Content::ElementContent ec))
+        or
+        c.isKnownOrUnknownElement(_)
+        or
+        c.isAnyElement()
+      )
    ) and
    model = ""
  }