microsoft · chanel-y · Apr 16, 2025 · Apr 10, 2025 · Apr 10, 2025 · Apr 10, 2025
diff --git a/powershell/ql/lib/semmle/code/powershell/ApiGraphs.qll b/powershell/ql/lib/semmle/code/powershell/ApiGraphs.qll
@@ -152,6 +152,16 @@ module API {
     pragma[inline_late]
     Node getReturn() { Impl::returnEdge(this.getAnEpsilonSuccessor(), result) }
 
+    /**
+     * Gets the result of this call when there is a named argument with the
+     * name `name`, or the return value of this callable.
+     */
+    bindingset[this]
+    pragma[inline_late]
+    Node getReturnWithArg(string name) {
+      Impl::returnEdgeWithArg(this.getAnEpsilonSuccessor(), name, result)
+    }
+
     /**
      * Gets the result of a call to `method` with this value as the receiver, or the return value of `method` defined on
      * an object that can reach this sink.
@@ -695,6 +705,21 @@ module API {
       )
     }
 
+    cached
+    predicate returnEdgeWithArg(Node pred, string arg, Node succ) {
+      exists(DataFlow::CallNode call |
+        pred = MkMethodAccessNode(call) and
+        exists(call.getNamedArgument(arg)) and
+        succ = getForwardStartNode(call)
+      )
+      or
+      arg = "" and // TODO
+      exists(DataFlow::CallableNode callable |
+        pred = getBackwardEndNode(callable) and
+        succ = MkSinkNode(callable.getAReturnNode())
+      )
+    }
+
     cached
     predicate entryPointEdge(EntryPoint entry, Node node) {
       node = MkSinkNode(entry.getASink()) or

diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/FlowSources.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/FlowSources.qll
@@ -2,6 +2,7 @@
 private import semmle.code.powershell.dataflow.internal.DataFlowPublic as DataFlow
 import semmle.code.powershell.dataflow.flowsources.Remote
 import semmle.code.powershell.dataflow.flowsources.Local
+import semmle.code.powershell.dataflow.flowsources.Stored
 import semmle.code.powershell.frameworks.data.internal.ApiGraphModels
 
 /**

diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Remote.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Remote.qll
@@ -6,16 +6,18 @@
 private import semmle.code.powershell.dataflow.internal.DataFlowPublic as DataFlow
 // Need to import since frameworks can extend `RemoteFlowSource::Range`
 private import semmle.code.powershell.Frameworks
+private import semmle.code.powershell.dataflow.flowsources.FlowSources
 
 /**
  * A data flow source of remote user input.
  *
  * Extend this class to refine existing API models. If you want to model new APIs,
  * extend `RemoteFlowSource::Range` instead.
  */
-class RemoteFlowSource extends DataFlow::Node instanceof RemoteFlowSource::Range {
-  /** Gets a string that describes the type of this remote flow source. */
-  string getSourceType() { result = super.getSourceType() }
+class RemoteFlowSource extends SourceNode instanceof RemoteFlowSource::Range {
+  override string getSourceType() { result = "remote flow source" }
+
+  override string getThreatModel() { result = "remote" }
 }
 
 /** Provides a class for modeling new sources of remote user input. */
@@ -31,3 +33,9 @@ module RemoteFlowSource {
     abstract string getSourceType();
   }
 }
+
+private class ExternalRemoteFlowSource extends RemoteFlowSource::Range {
+  ExternalRemoteFlowSource() { this = ModelOutput::getASourceNode("remote", _).asSource() }
+
+  override string getSourceType() { result = "remote flow" }
+}
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Stored.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Stored.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides classes representing sources of stored data.
+ */
+
+import powershell
+private import FlowSources
+
+/** A data flow source of stored user input. */
+abstract class StoredFlowSource extends SourceNode {
+  override string getThreatModel() { result = "local" }
+}
+
+/**
+ * A node with input from a database.
+ */
+abstract class DatabaseInputSource extends StoredFlowSource {
+  override string getThreatModel() { result = "database" }
+
+  override string getSourceType() { result = "database input" }
+}
+
+private class ExternalDatabaseInputSource extends DatabaseInputSource {
+  ExternalDatabaseInputSource() { this = ModelOutput::getASourceNode("database", _).asSource() }
+}
+
+/** A file stream source is considered a stored flow source. */
+abstract class FileStreamStoredFlowSource extends StoredFlowSource {
+  override string getThreatModel() { result = "file" }
+
+  override string getSourceType() { result = "file stream" }
+}
+
+private class ExternalFileStreamStoredFlowSource extends FileStreamStoredFlowSource {
+  ExternalFileStreamStoredFlowSource() { this = ModelOutput::getASourceNode("file", _).asSource() }
+}
diff --git a/powershell/ql/lib/semmle/code/powershell/frameworks/Accessibility/model.yml b/powershell/ql/lib/semmle/code/powershell/frameworks/Accessibility/model.yml
@@ -3,25 +3,25 @@ extensions:
       pack: microsoft-sdl/powershell-all
       extensible: typeModel
     data:
-    - ["system.string", "accessibility.iaccessible", "Property[acchelp]"]
+    - ["system.string", "accessibility.iaccessible", "Member[acchelp]"]
     - ["system.object", "accessibility.iaccessible", "Method[acchittest].ReturnValue"]
-    - ["system.int32", "accessibility._remotablehandle", "Field[fcontext]"]
-    - ["system.int32", "accessibility.iaccessible", "Property[accchildcount]"]
-    - ["system.object", "accessibility.iaccessible", "Property[accstate]"]
-    - ["accessibility.annoscope", "accessibility.annoscope!", "Field[anno_this]"]
-    - ["system.int32", "accessibility.__midl_iwintypes_0009", "Field[hremote]"]
-    - ["system.object", "accessibility.iaccessible", "Property[accparent]"]
-    - ["system.object", "accessibility.iaccessible", "Property[accrole]"]
-    - ["system.object", "accessibility.iaccessible", "Property[accchild]"]
-    - ["system.string", "accessibility.iaccessible", "Property[acckeyboardshortcut]"]
-    - ["system.object", "accessibility.iaccessible", "Property[accselection]"]
-    - ["system.int32", "accessibility.iaccessible", "Property[acchelptopic]"]
-    - ["system.string", "accessibility.iaccessible", "Property[accdescription]"]
-    - ["system.string", "accessibility.iaccessible", "Property[accdefaultaction]"]
-    - ["system.object", "accessibility.iaccessible", "Property[accfocus]"]
-    - ["accessibility.__midl_iwintypes_0009", "accessibility._remotablehandle", "Field[u]"]
-    - ["system.string", "accessibility.iaccessible", "Property[accvalue]"]
-    - ["system.int32", "accessibility.__midl_iwintypes_0009", "Field[hinproc]"]
-    - ["system.string", "accessibility.iaccessible", "Property[accname]"]
-    - ["accessibility.annoscope", "accessibility.annoscope!", "Field[anno_container]"]
+    - ["system.int32", "accessibility._remotablehandle", "Member[fcontext]"]
+    - ["system.int32", "accessibility.iaccessible", "Member[accchildcount]"]
+    - ["system.object", "accessibility.iaccessible", "Member[accstate]"]
+    - ["accessibility.annoscope", "accessibility.annoscope!", "Member[anno_this]"]
+    - ["system.int32", "accessibility.__midl_iwintypes_0009", "Member[hremote]"]
+    - ["system.object", "accessibility.iaccessible", "Member[accparent]"]
+    - ["system.object", "accessibility.iaccessible", "Member[accrole]"]
+    - ["system.object", "accessibility.iaccessible", "Member[accchild]"]
+    - ["system.string", "accessibility.iaccessible", "Member[acckeyboardshortcut]"]
+    - ["system.object", "accessibility.iaccessible", "Member[accselection]"]
+    - ["system.int32", "accessibility.iaccessible", "Member[acchelptopic]"]
+    - ["system.string", "accessibility.iaccessible", "Member[accdescription]"]
+    - ["system.string", "accessibility.iaccessible", "Member[accdefaultaction]"]
+    - ["system.object", "accessibility.iaccessible", "Member[accfocus]"]
+    - ["accessibility.__midl_iwintypes_0009", "accessibility._remotablehandle", "Member[u]"]
+    - ["system.string", "accessibility.iaccessible", "Member[accvalue]"]
+    - ["system.int32", "accessibility.__midl_iwintypes_0009", "Member[hinproc]"]
+    - ["system.string", "accessibility.iaccessible", "Member[accname]"]
+    - ["accessibility.annoscope", "accessibility.annoscope!", "Member[anno_container]"]
     - ["system.object", "accessibility.iaccessible", "Method[accnavigate].ReturnValue"]
diff --git a/powershell/ql/lib/semmle/code/powershell/frameworks/IEHostExecute/model.yml b/powershell/ql/lib/semmle/code/powershell/frameworks/IEHostExecute/model.yml
@@ -4,6 +4,6 @@ extensions:
       extensible: typeModel
     data:
     - ["system.int32", "iehost.execute.ieexecuteremote", "Method[executeasdll].ReturnValue"]
-    - ["system.io.stream", "iehost.execute.ieexecuteremote", "Property[exception]"]
+    - ["system.io.stream", "iehost.execute.ieexecuteremote", "Member[exception]"]
     - ["system.object", "iehost.execute.ieexecuteremote", "Method[initializelifetimeservice].ReturnValue"]
     - ["system.int32", "iehost.execute.ieexecuteremote", "Method[executeasassembly].ReturnValue"]
diff --git a/powershell/ql/lib/semmle/code/powershell/frameworks/MicrosoftActivitiesBuild/model.yml b/powershell/ql/lib/semmle/code/powershell/frameworks/MicrosoftActivitiesBuild/model.yml
@@ -4,5 +4,5 @@ extensions:
       extensible: typeModel
     data:
     - ["system.boolean", "microsoft.activities.build.workflowbuildmessagetask", "Method[execute].ReturnValue"]
-    - ["system.string", "microsoft.activities.build.workflowbuildmessagetask", "Property[resourcename]"]
-    - ["system.string", "microsoft.activities.build.workflowbuildmessagetask", "Property[messagetype]"]
+    - ["system.string", "microsoft.activities.build.workflowbuildmessagetask", "Member[resourcename]"]
+    - ["system.string", "microsoft.activities.build.workflowbuildmessagetask", "Member[messagetype]"]
diff --git a/...ell/ql/lib/semmle/code/powershell/frameworks/MicrosoftActivitiesBuildValidation/model.yml b/...ell/ql/lib/semmle/code/powershell/frameworks/MicrosoftActivitiesBuildValidation/model.yml
@@ -4,6 +4,6 @@ extensions:
       extensible: typeModel
     data:
     - ["system.boolean", "microsoft.activities.build.validation.reportdeferredvalidationerrorstask", "Method[execute].ReturnValue"]
-    - ["system.string", "microsoft.activities.build.validation.deferredvalidationtask", "Property[deferredvalidationerrorsfilepath]"]
-    - ["system.string", "microsoft.activities.build.validation.reportdeferredvalidationerrorstask", "Property[deferredvalidationerrorsfilepath]"]
+    - ["system.string", "microsoft.activities.build.validation.deferredvalidationtask", "Member[deferredvalidationerrorsfilepath]"]
+    - ["system.string", "microsoft.activities.build.validation.reportdeferredvalidationerrorstask", "Member[deferredvalidationerrorsfilepath]"]
     - ["system.boolean", "microsoft.activities.build.validation.deferredvalidationtask", "Method[execute].ReturnValue"]
diff --git a/powershell/ql/lib/semmle/code/powershell/frameworks/MicrosoftAspnetSnapin/model.yml b/powershell/ql/lib/semmle/code/powershell/frameworks/MicrosoftAspnetSnapin/model.yml
@@ -4,30 +4,30 @@ extensions:
       extensible: typeModel
     data:
     - ["system.int32", "microsoft.aspnet.snapin.iextendpropertysheet2", "Method[createpropertypages].ReturnValue"]
-    - ["microsoft.aspnet.snapin.mmc_control_type", "microsoft.aspnet.snapin.mmc_control_type!", "Field[toolbar]"]
-    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Field[mask]"]
+    - ["microsoft.aspnet.snapin.mmc_control_type", "microsoft.aspnet.snapin.mmc_control_type!", "Member[toolbar]"]
+    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Member[mask]"]
     - ["system.int32", "microsoft.aspnet.snapin.idataobject", "Method[enumdadvise].ReturnValue"]
-    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Field[cchildren]"]
-    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Field[lparam]"]
+    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Member[cchildren]"]
+    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Member[lparam]"]
     - ["system.int32", "microsoft.aspnet.snapin.iextendpropertysheet", "Method[querypagesfor].ReturnValue"]
-    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Field[relativeid]"]
+    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Member[relativeid]"]
     - ["system.int32", "microsoft.aspnet.snapin.idataobject", "Method[dadvise].ReturnValue"]
     - ["system.int32", "microsoft.aspnet.snapin.idataobject", "Method[enumformatetc].ReturnValue"]
     - ["system.int32", "microsoft.aspnet.snapin.iextendpropertysheet2", "Method[getwatermarks].ReturnValue"]
     - ["system.int32", "microsoft.aspnet.snapin.icontextmenucallback", "Method[additem].ReturnValue"]
-    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Field[nopenimage]"]
+    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Member[nopenimage]"]
     - ["system.int32", "microsoft.aspnet.snapin.idataobject", "Method[querygetdata].ReturnValue"]
-    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Field[id]"]
+    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Member[id]"]
     - ["system.intptr", "microsoft.aspnet.snapin.aspnetmanagementutility!", "Method[getactivewindow].ReturnValue"]
-    - ["microsoft.aspnet.snapin.mmc_control_type", "microsoft.aspnet.snapin.mmc_control_type!", "Field[comboboxbar]"]
-    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Field[nstate]"]
+    - ["microsoft.aspnet.snapin.mmc_control_type", "microsoft.aspnet.snapin.mmc_control_type!", "Member[comboboxbar]"]
+    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Member[nstate]"]
     - ["system.int32", "microsoft.aspnet.snapin.idataobject", "Method[setdata].ReturnValue"]
     - ["system.int32", "microsoft.aspnet.snapin.idataobject", "Method[getdata].ReturnValue"]
     - ["system.int32", "microsoft.aspnet.snapin.iextendpropertysheet", "Method[createpropertypages].ReturnValue"]
-    - ["system.intptr", "microsoft.aspnet.snapin.scopedataitem", "Field[displayname]"]
+    - ["system.intptr", "microsoft.aspnet.snapin.scopedataitem", "Member[displayname]"]
     - ["system.int32", "microsoft.aspnet.snapin.idataobject", "Method[dunadvise].ReturnValue"]
-    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Field[nimage]"]
-    - ["microsoft.aspnet.snapin.mmc_control_type", "microsoft.aspnet.snapin.mmc_control_type!", "Field[menubutton]"]
+    - ["system.int32", "microsoft.aspnet.snapin.scopedataitem", "Member[nimage]"]
+    - ["microsoft.aspnet.snapin.mmc_control_type", "microsoft.aspnet.snapin.mmc_control_type!", "Member[menubutton]"]
     - ["system.int32", "microsoft.aspnet.snapin.idataobject", "Method[getdatahere].ReturnValue"]
     - ["system.int32", "microsoft.aspnet.snapin.iextendpropertysheet2", "Method[querypagesfor].ReturnValue"]
     - ["system.int32", "microsoft.aspnet.snapin.idataobject", "Method[getcanonicalformatetc].ReturnValue"]