From 5e82eb9b246a58d9a18f5da298e4902f521a7cc5 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Wed, 17 Sep 2025 16:45:50 +0100
Subject: [PATCH] C++: Fixup queries which assumes that a guard is always an expression.

---
 .../src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll | 2 +-
 cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql | 2 +-
 cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql | 4 ++--
 .../Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql | 2 +-
 .../analyzing-data-flow-in-cpp/index-flow-from-ntohl.ql | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll b/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll
index 40c0f2173d9..f736a793a07 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll
+++ b/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll
@@ -136,7 +136,7 @@ private module NetworkToBufferSizeConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) {
     exists(GuardCondition gc, GVN gvn |
-      gc.getAChild*() = gvn.getAnExpr() and
+      gc.(Expr).getAChild*() = gvn.getAnExpr() and
       globalValueNumber(node.asExpr()) = gvn and
       gc.controls(node.asExpr().getBasicBlock(), _)
     )
diff --git a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
index 379c20f51ba..9eccaebfdbd 100644
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
@@ -29,7 +29,7 @@ module VerifyResultConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SslGetVerifyResultCall }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(GuardCondition guard | guard.getAChild*() = sink.asExpr())
+    exists(GuardCondition guard | guard.(Expr).getAChild*() = sink.asExpr())
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
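Review bot: The `.(Expr)` cast on the changed line of `isBarrier` means a `GuardCondition` that is not an `Expr` can no longer sanitize flow, so a bound established by such a guard is now reported rather than treated as a barrier; that is presumably the safe direction for a no-bound query, but nothing in the hunk records the narrowing. Add a comment above the `exists`: `// Only expression guards act as barriers; a non-expression GuardCondition does not sanitize here.` The enclosing module `NetworkToBufferSizeConfig` and the end of `isBarrier` lie outside the hunk.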
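Review bot: In `isSink` the cast restricts sinks to guards that are expressions, so a verify result that reaches a non-expression `GuardCondition` is no longer a sink and the conflation goes unreported — for a CWE-295 query that is a false negative, not the harmless direction the same cast gives a barrier. If `GuardCondition` exposes an accessor that yields the guarded expression regardless of how the guard is represented, prefer that over `guard.(Expr)`; otherwise record the limitation so the gap is visible: `// Only expression guards are sinks; non-expression guards are not modelled.` The `VerifyResultConfig` module continues outside the hunk.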
diff --git a/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql b/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
index 4b28a80f662..5fd1b981974 100644
--- a/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+++ b/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
@@ -115,7 +115,7 @@ predicate checksPath(Expr check, Expr checkPath) {
 
 pragma[nomagic]
 predicate checkPathControlsUse(Expr check, Expr checkPath, Expr use) {
-  exists(GuardCondition guard | referenceTo(check, guard.getAChild*()) |
+  exists(GuardCondition guard | referenceTo(check, guard.(Expr).getAChild*()) |
     guard.controls(use.getBasicBlock(), _)
   ) and
   checksPath(pragma[only_bind_into](check), checkPath)
@@ -123,7 +123,7 @@ predicate checkPathControlsUse(Expr check, Expr checkPath, Expr use) {
 
 pragma[nomagic]
 predicate fileNameOperationControlsUse(Expr check, Expr checkPath, Expr use) {
-  exists(GuardCondition guard | referenceTo(check, guard.getAChild*()) |
+  exists(GuardCondition guard | referenceTo(check, guard.(Expr).getAChild*()) |
     guard.controls(use.getBasicBlock(), _)
   ) and
   pragma[only_bind_into](check) = filenameOperation(checkPath)
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql b/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
index 3132b103bbc..df2fd13d79c 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
@@ -51,7 +51,7 @@ class ReallocCallLeak extends FunctionCall {
   predicate mayHandleByTermination() {
     exists(GuardCondition guard, CallMayNotReturn exit |
       this.(ControlFlowNode).getASuccessor*() = guard and
-      guard.getAChild*() = v.getAnAccess() and
+      guard.(Expr).getAChild*() = v.getAnAccess() and
       guard.controls(exit.getBasicBlock(), _)
     )
   }
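Review bot: The `exists(GuardCondition guard | referenceTo(check, guard.(Expr).getAChild*()) | guard.controls(use.getBasicBlock(), _))` block is now written out twice, once in `checkPathControlsUse` and once in `fileNameOperationControlsUse`, and this commit had to touch both copies for the same reason; a shared helper would keep the guard representation decision in one place the next time it changes. Extract it as below and call `guardMentioningControls(check, use)` from both predicates, keeping `pragma[only_bind_into](check)` on the second conjunct as it is today; the helper keeps `pragma[nomagic]` so the join order the callers rely on is presumably unchanged, but that is worth confirming on the test suite. The closing braces of both predicates lie outside their hunks.
```ql
/** Holds if some guard condition that mentions `check` controls the basic block of `use`. */
pragma[nomagic]
predicate guardMentioningControls(Expr check, Expr use) {
  exists(GuardCondition guard | referenceTo(check, guard.(Expr).getAChild*()) |
    guard.controls(use.getBasicBlock(), _)
  )
}

pragma[nomagic]
predicate checkPathControlsUse(Expr check, Expr checkPath, Expr use) {
  guardMentioningControls(check, use) and
  checksPath(pragma[only_bind_into](check), checkPath)
  // … unchanged: closing brace outside the hunk …

pragma[nomagic]
predicate fileNameOperationControlsUse(Expr check, Expr checkPath, Expr use) {
  guardMentioningControls(check, use) and
  pragma[only_bind_into](check) = filenameOperation(checkPath)
  // … unchanged: closing brace outside the hunk …
```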
diff --git a/cpp/ql/test/examples/docs-examples/analyzing-data-flow-in-cpp/index-flow-from-ntohl.ql b/cpp/ql/test/examples/docs-examples/analyzing-data-flow-in-cpp/index-flow-from-ntohl.ql
index 15cc379131a..aaca52799d7 100644
--- a/cpp/ql/test/examples/docs-examples/analyzing-data-flow-in-cpp/index-flow-from-ntohl.ql
+++ b/cpp/ql/test/examples/docs-examples/analyzing-data-flow-in-cpp/index-flow-from-ntohl.ql
@@ -22,7 +22,7 @@ module NetworkToBufferSizeConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) {
     exists(GuardCondition gc, Variable v |
-      gc.getAChild*() = v.getAnAccess() and
+      gc.(Expr).getAChild*() = v.getAnAccess() and
       node.asExpr() = v.getAnAccess() and
       gc.controls(node.asExpr().getBasicBlock(), _) and
       not exists(Loop loop | loop.getControllingExpr() = gc)
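Review bot: This file lives under `docs-examples` and mirrors a snippet in the `analyzing-data-flow-in-cpp` documentation, yet the diffstat lists only `.ql`/`.qll` files; if the documentation page still shows `gc.getAChild*()`, readers copying it will write the form this commit is moving away from, so the page presumably needs the same one-line change. Within the hunk, `gc` is cast to `Expr` on the changed line but used un-cast in `loop.getControllingExpr() = gc` on the last line; the earlier conjunct already restricts `gc` to expressions so the result is the same, but binding the cast once reads more clearly, e.g. `exists(GuardCondition gc, Expr guardExpr, Variable v | guardExpr = gc and guardExpr.getAChild*() = v.getAnAccess() and` with the final line becoming `not exists(Loop loop | loop.getControllingExpr() = guardExpr)`. The `exists` and `isBarrier` close outside the hunk.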