InvokeSink fix #246
InvokeSink fix #246
Conversation
| exists(InvokeMemberExpr ie | | ||
| this.asExpr().getExpr() = ie.getCallee() or | ||
| this.asExpr().getExpr() = ie.getQualifier().getAChild*() | ||
| ) | ||
| this.asExpr().getExpr() = ie.getCallee() or | ||
| this.asExpr().getExpr() = ie.getQualifier() | ||
| ) |
There was a problem hiding this comment.
Note that InvokeMemberExpr doesn't just cover calls to Invoke. InvokeMember is the name for any call to a member method. So we would still alert on stuff like:
$x = Source
$x.SubString(...)
since there's taint-flow from Source to the qualifier of a method call. So I think we should still have some constraint like ie.getAName() = "Invoke", right?
Also: Should we call InvokeMemberExpr something else to not confuse future us? The name is just taken from the PowerShell AST documentation, but it's a rather non-standard name. Should we call it MethodCall or something instead?
There was a problem hiding this comment.
These are the cases I'm trying to cover:
(Get-Process -Id $pid).$UserInput()
(Get-Process -Id $pid).$UserInput.Invoke()
First one by .getCallee, second previously by the .getQualifier.getAChild() , since .getQualifier returned the whole "(Get-Process -Id $pid).$UserInput" as an Expr
I don't mind keeping the second case a FN for now, but would
class InvokeSink extends Sink {
InvokeSink() {
exists(InvokeMemberExpr ie |
this.asExpr().getExpr() = ie.getCallee()
)
still have the issue?
There was a problem hiding this comment.
I do like MethodCall but that's because I'm a regular citizen of csharp query authoring land
More restricted definition
TODO: figure out this case: