From d0e86f787d8b9aff34dc43cd8fa1a8ed3e283b0b Mon Sep 17 00:00:00 2001
From: Chris Smowton
Date: Wed, 29 Jul 2020 16:06:38 +0100
Subject: [PATCH] SSH host checking: Expand definition of a host-key checking function to include calls with multiple return types

For example, https://godoc.org/golang.org/x/crypto/ssh/knownhosts#New returns a host-key checker and an error value, and we previously didn't consider the first return value a candidate checker function.
---
 ql/src/Security/CWE-322/InsecureHostKeyCallback.ql | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql b/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
index 8f3ebe03973..fbaf1f7e5f4 100644
--- a/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
+++ b/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
@@ -31,8 +31,9 @@ class HostKeyCallbackFunc extends DataFlow::Node {
     (
       this instanceof DataFlow::FunctionNode
       or
-      this instanceof DataFlow::CallNode and
-      not exists(this.(DataFlow::CallNode).getACallee().getBody())
+      exists(DataFlow::CallNode call | not exists(call.getACallee().getBody()) |
+        this = call.getAResult()
+      )
     )
   }
 }
@@ -41,7 +42,7 @@ class HostKeyCallbackFunc extends DataFlow::Node {
 class InsecureHostKeyCallbackFunc extends HostKeyCallbackFunc {
   InsecureHostKeyCallbackFunc() {
     // Either a call to InsecureIgnoreHostKey(), which we know returns an insecure callback.
-    this = any(InsecureIgnoreHostKey f).getACall()
+    this = any(InsecureIgnoreHostKey f).getACall().getAResult()
     or
     // Or a callback function in the source code (named or anonymous) that always returns nil.
     forex(DataFlow::ResultNode returnValue |
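Review bot: The new `exists(DataFlow::CallNode call | ... | this = call.getAResult())` disjunct admits every result of a body-less call as a candidate host-key callback, so for the `knownhosts.New` case named in the commit message the `error` result joins the class alongside the checker; that is only harmless if a later predicate restricts where the node flows, which nothing in this hunk shows. Because `not exists(call.getACallee().getBody())` is also true when no callee resolves at all, the disjunct covers unresolved calls too, and the code does not say whether that is intended. A one-line comment on the new branch would record the intent, e.g. `// Any result of a call to a library function (no body available), e.g. knownhosts.New returns (checker, error).` The constructor `HostKeyCallbackFunc()` and the class's QLDoc start above the hunk; if that QLDoc still describes the class as "a function or a call", it should now mention call results.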
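Review bot: `InsecureIgnoreHostKey` yields a single value, so `getACall().getAResult()` on the new line is looser than that call needs; `getResult()` would state the single-result contract directly, `this = any(InsecureIgnoreHostKey f).getACall().getResult()`. If, as I believe, the Go data-flow library treats a single-result `CallNode` as its own result node, the old and new lines select the same node and this change is purely for consistency with the widened `HostKeyCallbackFunc` definition, which is worth a word in the comment directly above the line. The constructor body continues with the `forex` disjunct past the end of the hunk.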