C++: Clean up result not checked query.

geoffw0 · geoffw0 · commit 8abaf1247a3e · 2021-11-24T18:26:39.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql b/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
@@ -13,7 +13,6 @@
 
 import cpp
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
-//import semmle.code.cpp.controlflow.Guards
 import semmle.code.cpp.controlflow.IRGuards
 
 /**
@@ -24,7 +23,7 @@ class SSLGetPeerCertificateCall extends FunctionCall {
 		getTarget().getName() = "SSL_get_peer_certificate" // SSL_get_peer_certificate(ssl)
 	}
 
-	// TODO: getSSLArg?
+	Expr getSSLArgument() { result = getArgument(0) }
 }
 
 /**
@@ -34,6 +33,8 @@ class SSLGetVerifyResultCall extends FunctionCall {
 	SSLGetVerifyResultCall() {
 		getTarget().getName() = "SSL_get_verify_result" // SSL_get_peer_certificate(ssl)
 	}
+
+	Expr getSSLArgument() { result = getArgument(0) }
 }
 
 /**
@@ -42,8 +43,8 @@ class SSLGetVerifyResultCall extends FunctionCall {
  */
 predicate resultIsChecked(SSLGetPeerCertificateCall getCertCall, ControlFlowNode node) {
 	exists(Expr ssl, SSLGetVerifyResultCall check |
-		ssl = globalValueNumber(getCertCall.getArgument(0)).getAnExpr() and
-		ssl = check.getArgument(0) and
+		ssl = globalValueNumber(getCertCall.getSSLArgument()).getAnExpr() and
+		ssl = check.getSSLArgument() and
 		node = check
 	)
 }
@@ -61,20 +62,24 @@ predicate certIsZero(SSLGetPeerCertificateCall getCertCall, ControlFlowNode node
 				node1 = guard and
 				(
 					(
-						guard.comparesEq(cert, zero, 0, true, true) and // if (cert == zero) {
+						// if (cert == zero) {
+						guard.comparesEq(cert, zero, 0, true, true) and
 						node2 = guard.getATrueSuccessor()
 					) or (
-						guard.comparesEq(cert, zero, 0, false, true) and // if (cert != zero) { }
+						// if (cert != zero) { }
+						guard.comparesEq(cert, zero, 0, false, true) and 
 						node2 = guard.getAFalseSuccessor()
 					)
 				)
 			) or (
-				guard = cert and // if (cert) { }
+				// if (cert) { }
+				guard = cert and
 				node1 = guard and
 				node2 = guard.getAFalseSuccessor()
 			) or (
+				// if (!cert) {
 				node1 = guard.getParent() and
-				node2 = guard.getParent().(NotExpr).getATrueSuccessor() // if (!cert) {
+				node2 = guard.getParent().(NotExpr).getATrueSuccessor()
 			)
 		)
 	)

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,6 @@`
`13`	`13`
`14`	`14`	`import cpp`
`15`	`15`	`import semmle.code.cpp.valuenumbering.GlobalValueNumbering`
`16`		`-//import semmle.code.cpp.controlflow.Guards`
`17`	`16`	`import semmle.code.cpp.controlflow.IRGuards`
`18`	`17`
`19`	`18`	`/**`
`@@ -24,7 +23,7 @@ class SSLGetPeerCertificateCall extends FunctionCall {`
`24`	`23`	`getTarget().getName() = "SSL_get_peer_certificate" // SSL_get_peer_certificate(ssl)`
`25`	`24`	`}`
`26`	`25`
`27`		`- // TODO: getSSLArg?`
	`26`	`+ Expr getSSLArgument() { result = getArgument(0) }`
`28`	`27`	`}`
`29`	`28`
`30`	`29`	`/**`
`@@ -34,6 +33,8 @@ class SSLGetVerifyResultCall extends FunctionCall {`
`34`	`33`	`SSLGetVerifyResultCall() {`
`35`	`34`	`getTarget().getName() = "SSL_get_verify_result" // SSL_get_peer_certificate(ssl)`
`36`	`35`	`}`
	`36`	`+`
	`37`	`+ Expr getSSLArgument() { result = getArgument(0) }`
`37`	`38`	`}`
`38`	`39`
`39`	`40`	`/**`
`@@ -42,8 +43,8 @@ class SSLGetVerifyResultCall extends FunctionCall {`
`42`	`43`	`*/`
`43`	`44`	`predicate resultIsChecked(SSLGetPeerCertificateCall getCertCall, ControlFlowNode node) {`
`44`	`45`	`exists(Expr ssl, SSLGetVerifyResultCall check \|`
`45`		`- ssl = globalValueNumber(getCertCall.getArgument(0)).getAnExpr() and`
`46`		`- ssl = check.getArgument(0) and`
	`46`	`+ ssl = globalValueNumber(getCertCall.getSSLArgument()).getAnExpr() and`
	`47`	`+ ssl = check.getSSLArgument() and`
`47`	`48`	`node = check`
`48`	`49`	`)`
`49`	`50`	`}`
`@@ -61,20 +62,24 @@ predicate certIsZero(SSLGetPeerCertificateCall getCertCall, ControlFlowNode node`
`61`	`62`	`node1 = guard and`
`62`	`63`	`(`
`63`	`64`	`(`
`64`		`- guard.comparesEq(cert, zero, 0, true, true) and // if (cert == zero) {`
	`65`	`+ // if (cert == zero) {`
	`66`	`+ guard.comparesEq(cert, zero, 0, true, true) and`
`65`	`67`	`node2 = guard.getATrueSuccessor()`
`66`	`68`	`) or (`
`67`		`- guard.comparesEq(cert, zero, 0, false, true) and // if (cert != zero) { }`
	`69`	`+ // if (cert != zero) { }`
	`70`	`+ guard.comparesEq(cert, zero, 0, false, true) and`
`68`	`71`	`node2 = guard.getAFalseSuccessor()`
`69`	`72`	`)`
`70`	`73`	`)`
`71`	`74`	`) or (`
`72`		`- guard = cert and // if (cert) { }`
	`75`	`+ // if (cert) { }`
	`76`	`+ guard = cert and`
`73`	`77`	`node1 = guard and`
`74`	`78`	`node2 = guard.getAFalseSuccessor()`
`75`	`79`	`) or (`
	`80`	`+ // if (!cert) {`
`76`	`81`	`node1 = guard.getParent() and`
`77`		`- node2 = guard.getParent().(NotExpr).getATrueSuccessor() // if (!cert) {`
	`82`	`+ node2 = guard.getParent().(NotExpr).getATrueSuccessor()`
`78`	`83`	`)`
`79`	`84`	`)`
`80`	`85`	`)`