C++: Fixup two queries which assumes that a guard is always an expression.

Author: MathiasVP

cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql

@@ -29,7 +29,7 @@ module VerifyResultConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SslGetVerifyResultCall }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(GuardCondition guard | guard.getAChild*() = sink.asExpr())
+    exists(GuardCondition guard | guard.(Expr).getAChild*() = sink.asExpr())
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }

cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql

@@ -115,15 +115,15 @@ predicate checksPath(Expr check, Expr checkPath) {
 
 pragma[nomagic]
 predicate checkPathControlsUse(Expr check, Expr checkPath, Expr use) {
-  exists(GuardCondition guard | referenceTo(check, guard.getAChild*()) |
+  exists(GuardCondition guard | referenceTo(check, guard.(Expr).getAChild*()) |
     guard.controls(use.getBasicBlock(), _)
   ) and
   checksPath(pragma[only_bind_into](check), checkPath)
 }
 
 pragma[nomagic]
 predicate fileNameOperationControlsUse(Expr check, Expr checkPath, Expr use) {
-  exists(GuardCondition guard | referenceTo(check, guard.getAChild*()) |
+  exists(GuardCondition guard | referenceTo(check, guard.(Expr).getAChild*()) |
     guard.controls(use.getBasicBlock(), _)
   ) and
   pragma[only_bind_into](check) = filenameOperation(checkPath)