Negation of an if condition in CodeQL

[Sim4n6]

Hi,

I have the following false positive Python code.

if not ( eee.is_awesome() or eee.is_cool() ):
     raise ValueError("Bad")

I am using the sanitizer to eradicate this case as follows:

override predicate isSanitizer(DataFlow::Node sanitizer) {
          not exists(MethodCallNode call | call.calls(sanitizer, "is_awesome") or call.calls(sanitizer, "is_cool"))
}

But, I am getting the wrong results. Any help please is a welcome.

[Sim4n6]

As an initial solution :

exists(MethodCallNode call, UnaryExpr u |
    (call.calls(sanitizer, "is_awesome") 
    or 
    call.calls(sanitizer, "is_cool")) 
    and u.getOp() instanceof Not and u.getOperand() = call.asExpr()
  )

What could be improved please ?

[yoff]

tl;dr: Do like here

Hi, you have the right approach, defining a sanitiser is what will help you here. However, I think you want to write it in the form of a barrier guard, since sanitation depends on the results of eee.is_awesome or eee.is_cool. Only if such a method returns true do you want to consider eee safe.

The way to achieve this is in two steps. First you write a predicate identifying those method calls and then you feed that predicate to the BarrierGuard module. This requires the first predicate to be of a specific form:

private predicate checksEee(DataFlow::GuardNode g, ControlFlowNode eee, boolean branch) {
  exists(DataFlow::MethodCallNode mc |
    g = mc.asCfgNode() and
    mc.calls(_, ["is_awesome", "is_cool"]) and
    eee = mc.getObject().asCfgNode() and
    branch = true
  )
}

Notice how you are able to specify which result leads to sanitation via the boolean branch.
Now you can write your sanitiser like this:

  override predicate isSanitizer(DataFlow::Node sanitizer) {
    sanitizer = DataFlow::BarrierGuard<checksEee/3>::getABarrierNode()
  }

[Sim4n6]

Thank you for this precious explanation 🥇