GitHubSecurityLab · GeekMasher · Sep 5, 2025 · Sep 5, 2025 · Sep 5, 2025 · Sep 5, 2025
diff --git a/ql/lib/codeql/bicep/AST.qll b/ql/lib/codeql/bicep/AST.qll
@@ -9,3 +9,4 @@ import ast.Misc
 import ast.Idents
 import ast.Variables
 import ast.Resources
+import ast.Types
diff --git a/ql/lib/codeql/bicep/ast/Calls.qll b/ql/lib/codeql/bicep/ast/Calls.qll
@@ -3,6 +3,7 @@ private import Expr
 private import Stmts
 private import Idents
 private import Misc
+private import Types
 private import internal.Calls
 private import internal.CallExpression
 private import internal.LambdaExpression

diff --git a/ql/lib/codeql/bicep/ast/Conditionals.qll b/ql/lib/codeql/bicep/ast/Conditionals.qll
@@ -5,6 +5,7 @@
 private import Expr
 private import Stmts
 private import internal.Conditionals
+private import internal.IfStatement
 
 
  class Conditionals extends Stmts instanceof ConditionalsImpl {
@@ -24,4 +25,34 @@ private import internal.Conditionals
    * this branch is selected in a switch/match statement.
    */
   StmtSequence getBranch() { result = ConditionalsImpl.super.getBranch() }
+}
+
+
+/**
+ * An if statement in the AST.
+ * 
+ * Represents a conditional statement in Bicep that executes certain code
+ * only when a specific condition is true. If statements enable conditional
+ * resource creation or property setting based on input parameters or other factors.
+ */
+class IfStatement extends Stmts instanceof IfStatementImpl { 
+  /** 
+   * Gets the condition of the if statement.
+   * 
+   * This is the expression that is evaluated to determine whether
+   * the body of the if statement should be executed.
+   * 
+   * @return The condition expression
+   */
+  Expr getCondition() { result = IfStatementImpl.super.getCondition() }
+
+  /** 
+   * Gets the body of the if statement.
+   * 
+   * This is the expression or block that will be executed if the
+   * condition evaluates to true.
+   * 
+   * @return The body expression
+   */
+  Expr getBody() { result = IfStatementImpl.super.getBody() }
 }
diff --git a/ql/lib/codeql/bicep/ast/Idents.qll b/ql/lib/codeql/bicep/ast/Idents.qll
@@ -3,6 +3,7 @@ private import Expr
 private import internal.Idents
 private import internal.Identifier
 private import internal.PropertyIdentifier
+private import internal.CompatibleIdentifier
 
 /**
  * The base class for all identifiers in the AST.
@@ -42,6 +43,15 @@ class Identifier extends Idents instanceof IdentifierImpl {
  * Represents the name part of a property in an object literal. For example,
  * in the property `name: 'example'`, `name` is represented by a PropertyIdentifier.
  * Property identifiers are used as keys in object literals.
+ * 
+ * In Bicep, property identifiers appear in object literals and resource declarations:
+ * 
+ * ```bicep
+ * var myObject = {
+ *   name: 'value',  // 'name' is a PropertyIdentifier
+ *   type: 'string'  // 'type' is a PropertyIdentifier
+ * }
+ * ```
  */
 class PropertyIdentifier extends Idents instanceof PropertyIdentifierImpl {
     /**
@@ -51,3 +61,26 @@ class PropertyIdentifier extends Idents instanceof PropertyIdentifierImpl {
      */
     override string getName() { result = PropertyIdentifierImpl.super.getName() }
 }
+
+/**
+ * A compatible identifier in the AST.
+ * 
+ * Represents an identifier that is compatible with certain naming conventions.
+ * Compatible identifiers are often used when a standard identifier is needed
+ * in contexts that have specific compatibility requirements.
+ */
+class CompatibleIdentifier extends Idents instanceof CompatibleIdentifierImpl {
+    /**
+     * Gets the name of this compatible identifier as a string.
+     * 
+     * @return The name of this compatible identifier
+     */
+    override string getName() { result = CompatibleIdentifierImpl.super.getName() }
+
+    /**
+     * Gets the underlying identifier.
+     * 
+     * @return The underlying identifier
+     */
+    Identifier getIdentifier() { result = CompatibleIdentifierImpl.super.getIdentifier() }
+}
diff --git a/ql/lib/codeql/bicep/ast/Misc.qll b/ql/lib/codeql/bicep/ast/Misc.qll
@@ -1,41 +1,19 @@
 private import AstNodes
 private import internal.Array
-private import internal.ArrayType
 private import internal.Boolean
-private import internal.CompatibleIdentifier
 private import internal.Decorator
 private import internal.Decorators
 private import internal.DiagnosticComment
 private import internal.EscapeSequence
 private import internal.ForLoopParameters
-private import internal.Identifier
 private import internal.ImportFunctionality
 private import internal.LoopEnumerator
 private import internal.LoopVariable
 private import internal.MetadataDeclaration
 private import internal.ModuleDeclaration
-private import internal.NegatedType
 private import internal.ObjectProperty
-private import internal.ParameterizedType
-private import internal.ParenthesizedType
-private import internal.PrimitiveType
-private import internal.PropertyIdentifier
 private import internal.TargetScopeAssignment
 private import internal.TestBlock
-private import internal.Type
-private import internal.TypeArguments
-private import internal.TypeDeclaration
-private import internal.UnionType
-
-/**
- *  A ArrayType unknown AST node.
- */
-class ArrayType extends AstNode instanceof ArrayTypeImpl { }
-
-/**
- *  A CompatibleIdentifier unknown AST node.
- */
-class CompatibleIdentifier extends AstNode instanceof CompatibleIdentifierImpl { }
 
 /**
  *  A Decorator unknown AST node.
@@ -87,26 +65,6 @@ class MetadataDeclaration extends AstNode instanceof MetadataDeclarationImpl { }
  */
 class ModuleDeclaration extends AstNode instanceof ModuleDeclarationImpl { }
 
-/**
- *  A NegatedType unknown AST node.
- */
-class NegatedType extends AstNode instanceof NegatedTypeImpl { }
-
-/**
- *  A ParameterizedType unknown AST node.
- */
-class ParameterizedType extends AstNode instanceof ParameterizedTypeImpl { }
-
-/**
- *  A ParenthesizedType unknown AST node.
- */
-class ParenthesizedType extends AstNode instanceof ParenthesizedTypeImpl { }
-
-/**
- *  A PrimitiveType unknown AST node.
- */
-class PrimitiveType extends AstNode instanceof PrimitiveTypeImpl { }
-
 /**
  *  A TargetScopeAssignment unknown AST node.
  */
@@ -116,38 +74,3 @@ class TargetScopeAssignment extends AstNode instanceof TargetScopeAssignmentImpl
  *  A TestBlock unknown AST node.
  */
 class TestBlock extends AstNode instanceof TestBlockImpl { }
-
-/**
- * A type node in the AST.
- * 
- * This class represents all type annotations in Bicep, including primitive types
- * (like string, int, bool), complex types (like arrays, objects), and user-defined
- * types. Types are used in parameter declarations, variable declarations, function
- * return types, and other contexts to specify the kind of values that are expected.
- */
-class Type extends AstNode instanceof TypeImpl {
-  /**
-   * Gets the name of this type as a string.
-   * 
-   * For primitive types, this will be the name of the type (e.g., "string", "int").
-   * For complex types, this will be a representation of the type structure.
-   * 
-   * @return The type name or representation as a string
-   */
-  string getType() { result = TypeImpl.super.getType() }
-}
-
-/**
- *  A TypeArguments unknown AST node.
- */
-class TypeArguments extends AstNode instanceof TypeArgumentsImpl { }
-
-/**
- *  A TypeDeclaration unknown AST node.
- */
-class TypeDeclaration extends AstNode instanceof TypeDeclarationImpl { }
-
-/**
- *  A UnionType unknown AST node.
- */
-class UnionType extends AstNode instanceof UnionTypeImpl { }
diff --git a/ql/lib/codeql/bicep/ast/Stmts.qll b/ql/lib/codeql/bicep/ast/Stmts.qll
@@ -7,6 +7,7 @@ private import Idents
 private import Expr
 private import Calls
 private import Misc
+private import Types
 private import internal.AstNodes
 private import internal.TreeSitter
 private import internal.Stmts
@@ -52,6 +53,8 @@ class Stmts extends AstNode instanceof StmtsImpl {
    * @return A control-flow entry node for this statement
    */
   AstNode getAControlFlowEntryNode() { result = CfgImpl::getAControlFlowEntryNode(this) }
+
+  Expr getExpr() { result = StmtsImpl.super.getExpr() }
 }
 
 /**
@@ -102,45 +105,8 @@ class StmtSequence extends AstNode instanceof StmtSequenceImpl {
  * and raises an error if the condition is false. Assert statements are
  * useful for validating assumptions and ensuring inputs meet expected criteria.
  */
-final class AssertStatementStmt extends Stmts instanceof AssertStatementImpl { }
-
-/**
- * A for statement in the AST.
- * 
- * Represents a for loop in Bicep, which iterates over a collection of items.
- * For loops are commonly used for creating multiple instances of resources
- * or for processing arrays of configuration data.
- */
-final class ForStatementStmt extends Stmts instanceof ForStatementImpl { }
-
-/**
- * An if statement in the AST.
- * 
- * Represents a conditional statement in Bicep that executes certain code
- * only when a specific condition is true. If statements enable conditional
- * resource creation or property setting based on input parameters or other factors.
- */
-class IfStatement extends Stmts instanceof IfStatementImpl { 
-  /** 
-   * Gets the condition of the if statement.
-   * 
-   * This is the expression that is evaluated to determine whether
-   * the body of the if statement should be executed.
-   * 
-   * @return The condition expression
-   */
-  Expr getCondition() { result = IfStatementImpl.super.getCondition() }
+class AssertStatement extends Stmts instanceof AssertStatementImpl { }
 
-  /** 
-   * Gets the body of the if statement.
-   * 
-   * This is the expression or block that will be executed if the
-   * condition evaluates to true.
-   * 
-   * @return The body expression
-   */
-  Expr getBody() { result = IfStatementImpl.super.getBody() }
-}
 
 /**
  * An import statement in the AST.
@@ -149,7 +115,7 @@ class IfStatement extends Stmts instanceof IfStatementImpl {
  * namespaces, or resources into the current scope. Import statements enable
  * code reuse and modularization of Bicep templates.
  */
-final class ImportStatementStmt extends Stmts instanceof ImportStatementImpl { }
+class ImportStatement extends Stmts instanceof ImportStatementImpl { }
 
 /**
  * An infrastructure node in the AST.
@@ -322,7 +288,7 @@ class Parameters extends Expr instanceof ParametersImpl {
  * Import-with statements allow importing external modules with specific settings
  * or transformations applied to the imported items.
  */
-final class ImportWithStatementStmt extends Stmts instanceof ImportWithStatementImpl { }
+class ImportWithStatement extends Stmts instanceof ImportWithStatementImpl { }
 
 /**
  * A using statement in the AST.
@@ -331,4 +297,4 @@ final class ImportWithStatementStmt extends Stmts instanceof ImportWithStatement
  * an imported module or namespace. Using statements help improve readability
  * by allowing shorter references to external resources.
  */
-final class UsingStatementStmt extends Stmts instanceof UsingStatementImpl { }
+class UsingStatement extends Stmts instanceof UsingStatementImpl { }