Match string filter method in isSanitizer

[CaledoniaProject]

I have a global taint query and I'd like to filter out methods that validates parameter with is_data_trusted method:

int is_data_trusted(char *input)
{
    if (strcmp(input, "test"))
    {
        return 1;
    }

    return 0;
}

void no_cmdi_3(char *input)
{
    if (! is_data_trusted(input))
    {
        return;
    }

    char buffer[256] = { 0 };
    snprintf(buffer, sizeof(buffer) - 1, "cat %s", input);
    system(buffer);
}

I found a predicate online:

private predicate isDataFiltered (DataFlow::Node node) {
  exists(IfStmt ifs |
    globalValueNumber(ifs.getControllingExpr().getAChild*()) = globalValueNumber(node.asExpr())
  )
}

It works but I think the isDataFiltered might included unwanted if statements. So how can I modify the query to:

1. match only calls to is_data_trusted
2. ensure the call is correct, e.g if (! is_data_trusted(input)), but not if (is_data_trusted(input))

[rdmarsh2]

Your best option there is going to be using the Guards library, and specifically the controls predicate on GuardCondition. You'd also want to use global value numbering like the example. It would probably look something like this:

predicate isTrusted(DataFlow::Node node) {
  exists(Expr expr, FunctionCall fc |
    expr = node.asExpr() and
    globalValueNumber(expr) = globalValueNumber(fc.getArgument(0)) and
    fc.(GuardCondition).controls(expr, true) and // ensure that `expr` is only run if the test returned 1
    fc.getTarget().hasName("is_data_trusted")
  )
}

[CaledoniaProject]

@rdmarsh2 I've attached the source code: test.cpp.txt

The query above does not work for me. I also tried quick evaluation and it returns empty result.