SSH host checking: Expand definition of a host-key checking function to include calls with multiple return types

For example, https://godoc.org/golang.org/x/crypto/ssh/knownhosts#New returns a host-key checker and an error value, and we previously didn't consider the first return value a candidate checker function.
Chris Smowton
2020-07-29 16:06:38 +01:00
parent f162a5be94
commit d0e86f787d


@@ -31,8 +31,9 @@ class HostKeyCallbackFunc extends DataFlow::Node {
(
this instanceof DataFlow::FunctionNode
or
this instanceof DataFlow::CallNode and
not exists(this.(DataFlow::CallNode).getACallee().getBody())
exists(DataFlow::CallNode call | not exists(call.getACallee().getBody()) |
this = call.getAResult()
)
)
}
}
@@ -41,7 +42,7 @@ class HostKeyCallbackFunc extends DataFlow::Node {
class InsecureHostKeyCallbackFunc extends HostKeyCallbackFunc {
InsecureHostKeyCallbackFunc() {
// Either a call to InsecureIgnoreHostKey(), which we know returns an insecure callback.
this = any(InsecureIgnoreHostKey f).getACall()
this = any(InsecureIgnoreHostKey f).getACall().getAResult()
or
// Or a callback function in the source code (named or anonymous) that always returns nil.
forex(DataFlow::ResultNode returnValue |
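Review bot: In the first hunk, `this = call.getAResult()` matches every result of a call whose callee has no body, so for the two-result `knownhosts.New` case from the description it ranges over the `error` result as well as the checker. Nothing in the visible lines narrows that, so the class presumably relies on a type restriction earlier in the characteristic predicate, which starts outside the hunk. Assuming that restriction is there, a comment above the `exists` would record the dependency: `// any result of a call to a function with no body, e.g. the checker from knownhosts.New; the type restriction above excludes the error result`. Since the change widens what counts as a candidate checker in a security query, a test with a multi-result call would pin the intended behaviour; none is visible in this section. In the second hunk the comment still reads "a call to InsecureIgnoreHostKey()" although `this` is now the call's result, and the `forex` continues past the end of the hunk.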