[DIFF-INFORMED] JS: IndirectCommandInjection

d10c · d10c · commit 89dd8a8008fa · 2025-07-17T10:56:08.000+02:00
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql#L25
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
@@ -30,9 +30,10 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(DataFlow::Node node |
-      isSinkWithHighlight(sink, node) and
-      result = node.getLocation()
+    exists(DataFlow::Node highlight | result = highlight.getLocation() |
+      if isSinkWithHighlight(sink, _)
+      then isSinkWithHighlight(sink, highlight)
+      else highlight = sink
     )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -30,9 +30,10 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {`
`30`	`30`	`predicate observeDiffInformedIncrementalMode() { any() }`
`31`	`31`
`32`	`32`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`33`		`- exists(DataFlow::Node node \|`
`34`		`- isSinkWithHighlight(sink, node) and`
`35`		`- result = node.getLocation()`
	`33`	`+ exists(DataFlow::Node highlight \| result = highlight.getLocation() \|`
	`34`	`+ if isSinkWithHighlight(sink, _)`
	`35`	`+ then isSinkWithHighlight(sink, highlight)`
	`36`	`+ else highlight = sink`
`36`	`37`	`)`
`37`	`38`	`}`
`38`	`39`	`}`