C++: Use guard.controls.

geoffw0 · geoffw0 · commit 4b221bd9642e · 2021-11-30T15:44:48.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql b/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
@@ -55,32 +55,30 @@ predicate resultIsChecked(SSLGetPeerCertificateCall getCertCall, ControlFlowNode
 predicate certIsZero(
   SSLGetPeerCertificateCall getCertCall, ControlFlowNode node1, ControlFlowNode node2
 ) {
-  exists(GuardCondition guard, Expr cert |
-    cert = globalValueNumber(getCertCall).getAnExpr() and
-    (
-      exists(Expr zero |
-        zero.getValue().toInt() = 0 and
-        node1 = guard and
-        (
-          // if (cert == zero) {
-          guard.comparesEq(cert, zero, 0, true, true) and
-          node2 = guard.getATrueSuccessor()
-          or
-          // if (cert != zero) { }
-          guard.comparesEq(cert, zero, 0, false, true) and
-          node2 = guard.getAFalseSuccessor()
-        )
+  exists(Expr cert | cert = globalValueNumber(getCertCall).getAnExpr() |
+    exists(GuardCondition guard, Expr zero |
+      zero.getValue().toInt() = 0 and
+      node1 = guard and
+      (
+        // if (cert == zero) {
+        guard.comparesEq(cert, zero, 0, true, true) and
+        node2 = guard.getATrueSuccessor()
+        or
+        // if (cert != zero) { }
+        guard.comparesEq(cert, zero, 0, false, true) and
+        node2 = guard.getAFalseSuccessor()
       )
-      or
+    )
+    or
+    (
       // if (cert) { }
-      guard = cert and
-      node1 = guard and
-      node2 = guard.getAFalseSuccessor()
+      node1 = cert
       or
       // if (!cert) {
-      node1 = guard.getParent() and
-      node2 = guard.getParent().(NotExpr).getATrueSuccessor()
-    )
+      node1.(NotExpr).getAChild() = cert
+    ) and
+    node2 = node1.getASuccessor() and
+    not cert.(GuardCondition).controls(node2, true) // cert may be false
   )
 }
 
