C++: Use 'asIndirectExpr' in the sink of 'ExistsAnyFlowConfig.

MathiasVP · MathiasVP · commit 1330c885c8ce · 2024-03-20T18:04:59.000Z
diff --git a/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql b/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
@@ -12,34 +12,42 @@
 import cpp
 import semmle.code.cpp.security.boostorg.asio.protocols
 
+predicate isSourceImpl(DataFlow::Node source, ConstructorCall cc) {
+  exists(BoostorgAsio::SslContextClass c | c.getAContructorCall() = cc and cc = source.asExpr())
+}
+
+predicate isSinkImpl(DataFlow::Node sink, FunctionCall fcSetOptions) {
+  exists(BoostorgAsio::SslSetOptionsFunction f |
+    f.getACallToThisFunction() = fcSetOptions and
+    fcSetOptions.getQualifier() = sink.asIndirectExpr()
+  )
+}
+
 module ExistsAnyFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    exists(BoostorgAsio::SslContextClass c | c.getAContructorCall() = source.asExpr())
-  }
+  predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) }
 
-  predicate isSink(DataFlow::Node sink) {
-    exists(BoostorgAsio::SslSetOptionsFunction f, FunctionCall fcSetOptions |
-      f.getACallToThisFunction() = fcSetOptions and
-      fcSetOptions.getQualifier() = sink.asExpr()
-    )
-  }
+  predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }
 }
 
 module ExistsAnyFlow = DataFlow::Global<ExistsAnyFlowConfig>;
 
 bindingset[flag]
 predicate isOptionSet(ConstructorCall cc, int flag, FunctionCall fcSetOptions) {
-  exists(VariableAccess contextSetOptions |
-    ExistsAnyFlow::flow(DataFlow::exprNode(cc), DataFlow::exprNode(contextSetOptions)) and
-    exists(BoostorgAsio::SslSetOptionsFunction f | f.getACallToThisFunction() = fcSetOptions |
-      contextSetOptions = fcSetOptions.getQualifier() and
-      forall(Expr optionArgument, Expr optionArgumentSource |
-        optionArgument = fcSetOptions.getArgument(0) and
-        BoostorgAsio::SslOptionFlow::flow(DataFlow::exprNode(optionArgumentSource),
-          DataFlow::exprNode(optionArgument))
-      |
-        optionArgument.getValue().toInt().bitShiftRight(16).bitAnd(flag) = flag
-      )
+  exists(
+    VariableAccess contextSetOptions, BoostorgAsio::SslSetOptionsFunction f, DataFlow::Node source,
+    DataFlow::Node sink
+  |
+    isSourceImpl(source, cc) and
+    isSinkImpl(sink, fcSetOptions) and
+    ExistsAnyFlow::flow(source, sink) and
+    f.getACallToThisFunction() = fcSetOptions and
+    contextSetOptions = fcSetOptions.getQualifier() and
+    forall(Expr optionArgument, Expr optionArgumentSource |
+      optionArgument = fcSetOptions.getArgument(0) and
+      BoostorgAsio::SslOptionFlow::flow(DataFlow::exprNode(optionArgumentSource),
+        DataFlow::exprNode(optionArgument))
+    |
+      optionArgument.getValue().toInt().bitShiftRight(16).bitAnd(flag) = flag
     )
   )
 }
