From 97d26687fed6b102c0c2be075ec6a0350a9ef246 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen
Date: Mon, 1 Mar 2021 15:04:48 +0100
Subject: [PATCH] Python: Improve logic of bit fields
---
 python/ql/src/Security/CWE-327/Ssl.qll | 31 +++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)
diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index ba91b39bdeb..4caa0ae7302 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -37,15 +37,17 @@ class OptionsAugOr extends ProtocolRestriction {
 ProtocolVersion restriction;
 OptionsAugOr() {
- exists(AugAssign aa, AttrNode attr |
+ exists(AugAssign aa, AttrNode attr, Expr flag |
 aa.getOperation().getOp() instanceof BitOr and
 aa.getTarget() = attr.getNode() and
 attr.getName() = "options" and
 attr.getObject() = node and
- // TODO: Use something like BoolExpr::impliesValue here
- API::moduleImport("ssl").getMember("OP_NO_" + restriction).getAUse().asExpr() in [
- aa.getValue(), aa.getValue().getAChildNode()
- ]
+ flag = API::moduleImport("ssl").getMember("OP_NO_" + restriction).getAUse().asExpr() and
+ (
+ aa.getValue() = flag
+ or
+ impliesValue(aa.getValue(), flag, false, false)
+ )
 )
 }
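Review bot: The call `impliesValue(aa.getValue(), flag, false, false)` in the `OptionsAugOr()` constructor passes two bare `false` arguments whose meaning is not evident at the call site; a reader looking for "the flag is set" would expect `true`. A comment above the disjunction would help, for example `// flag is an operand of a (possibly nested) | chain: if the whole value is unset then flag is unset, so setting flag sets it in the value`. It is also worth noting there that the `aa.getValue() = flag` disjunct is required because `impliesValue` only accepts a `BinaryExpr` as `whole`. This class reports a protocol version as restricted for a CWE-327 query, so the narrowing from `getAChildNode()` to `|` chains changes which code is treated as safe, yet the diffstat shows no test file changed with it. The class itself starts before the hunk.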
@@ -54,6 +56,25 @@ class OptionsAugOr extends ProtocolRestriction {
 override ProtocolVersion getRestriction() { result = restriction }
 }
+/** Whether `part` evaluates to `partIsTrue` if `whole` evaluates to `wholeIsTrue`. */
+predicate impliesValue(BinaryExpr whole, Expr part, boolean partIsTrue, boolean wholeIsTrue) {
+ whole.getOp() instanceof BitAnd and
+ (
+ wholeIsTrue = true and partIsTrue = true and part in [whole.getLeft(), whole.getRight()]
+ or
+ wholeIsTrue = true and
+ impliesValue([whole.getLeft(), whole.getRight()], part, partIsTrue, wholeIsTrue)
+ )
+ or
+ whole.getOp() instanceof BitOr and
+ (
+ wholeIsTrue = false and partIsTrue = false and part in [whole.getLeft(), whole.getRight()]
+ or
+ wholeIsTrue = false and
+ impliesValue([whole.getLeft(), whole.getRight()], part, partIsTrue, wholeIsTrue)
+ )
+}
+
 class ContextSetVersion extends ProtocolRestriction {
 string restriction;
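Review bot: The doc comment on `impliesValue` speaks of expressions that "evaluate to" true or false, but the body only matches `BitAnd` and `BitOr`, so the comment should say that the booleans stand for a flag bit being set or clear in a chain of bitwise operators, and that any other operator makes the predicate fail. Every disjunct binds `partIsTrue` and `wholeIsTrue` to the same value (both `true` under `BitAnd`, both `false` under `BitOr`, and the recursive calls pass them through unchanged), so the two parameters carry a single bit of information and could be merged into one. The only caller visible in this patch passes `false, false`, which leaves the `BitAnd` branch unexercised here. If no other file is meant to use the predicate, declaring it `private predicate impliesValue(...)` would keep it out of the namespace of everything that imports `Ssl.qll`.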