Reduce unreachable branches with query #19639

Unanswered
bftmoon asked this question in Q&A

Hello! I am trying to reduce results for unreachable blocks in JS. Can you please give a hint on how to do it? I understand from the docs and code that it is something with DataFlow and ControlFlow, but I can't make the query work.

For code:

```js
const mysql = require('mysql2')
const connection = mysql.createConnection({
  host: "localhost",
  user: "dbuser",
  database: "testdb",
  password: "password",
})

function func() {
  let arg = ''
  arg = process.env.USERNAME
  let v = 0;
  switch (v) {
    case 1:
      let q = "SELECT * FROM records WHERE owner = " + arg
      connection.query(q, (err, rows) => {
        if (err)
          console.error(err)
        else
          console.log("Done!")
      })
      break;
    case 0:
      process.exit(0)
      break;
  }
}
```

It reports even when v is never 1.
My query:

```ql
import javascript

module CommandLineFileNameConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    // any read of process.env.<NAME>
    DataFlow::globalVarRef("process").getAPropertyRead("env").getAPropertyRead() = source
  }

  predicate isSink(DataFlow::Node sink) {
    exists(CallExpr call, int argIndex |
      sink.asExpr() = call.getArgument(argIndex) and
      (
        call.getCalleeName() = "query" or
        // a method call such as connection.query(...)
        call.(MethodCallExpr).getMethodName() = "query"
      ) and
      not call.getFirstControlFlowNode().isUnreachable()
    )
  }
}

module Flow = TaintTracking::Global<CommandLineFileNameConfig>;

import Flow::PathGraph

from Flow::PathNode source, Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink.getNode(), source, sink, "x"
```

Replies: 1 comment 2 replies


Thanks for your interest in using CodeQL, and the clear example. I can reproduce the flow path result with your example code and query. Let me verify with our team whether we expect to handle this pruning of unreachable paths as part of our control or data flow libraries by default.


Update: This is behaving as expected. The control and data flow libraries prune some code paths that are provably unreachable, but they deliberately do not attempt to handle all possibilities from evaluating constant values at compile-time (like the 0 and 1 in your example). Doing this accurately greatly increases the complexity of the analysis, and is not possible to do in all cases. So I don't think there is a piece of logic you can call to prune out this particular path.

The way I think about it: such a code path is still worth reporting, as a small change to the program could mean the code path is no longer unreachable.


It would be good if all people agreed with you :( Thanks anyway.
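Since the libraries do not constant-fold the discriminant, as the reply above explains, one narrow heuristic a query author can layer on top is to recognise a `switch` on a local variable that is written exactly once with a numeric literal, and exclude sinks inside case clauses whose label cannot match. The query below is an added example, not code from this thread or from the CodeQL libraries: the predicates `constantSwitch`, `endsInJump`, `deadCase`, `inDeadCase` and the `EnvToQueryConfig` module are names chosen here, and it assumes only the standard `javascript` library classes it references.

```ql
import javascript

// Heuristic (added example, not a library predicate): switch on a local written once with an int literal
predicate constantSwitch(SwitchStmt sw, int value) {
  exists(LocalVariable v |
    sw.getExpr() = v.getAnAccess() and
    strictcount(v.getAnAssignedExpr()) = 1 and
    value = v.getAnAssignedExpr().getIntValue() and
    not exists(UpdateExpr u | u.getOperand() = v.getAnAccess()) and        // no v++ / v--
    not exists(CompoundAssignExpr a | a.getTarget() = v.getAnAccess())     // no v += ...
  )
}

// The case body ends in a jump, so control cannot fall through into the next case
predicate endsInJump(Case c) {
  exists(Stmt last | last = c.getBodyStmt(c.getNumBodyStmt() - 1) |
    last instanceof BreakOrContinueStmt or last instanceof ReturnStmt or last instanceof ThrowStmt
  )
}

// Label can never equal the constant, and the case cannot be entered by fall-through either
predicate deadCase(Case c) {
  exists(SwitchStmt sw, int value, int i |
    constantSwitch(sw, value) and
    c = sw.getCase(i) and
    c.getExpr().getIntValue() != value and
    (i = 0 or endsInJump(sw.getCase(i - 1)) or deadCase(sw.getCase(i - 1)))
  )
}

predicate inDeadCase(Expr e) { deadCase(e.getParent+()) }

module EnvToQueryConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    source = DataFlow::globalVarRef("process").getAPropertyRead("env").getAPropertyRead()
  }
  predicate isSink(DataFlow::Node sink) {
    exists(MethodCallExpr call | call.getMethodName() = "query" | sink.asExpr() = call.getArgument(0)) and
    not inDeadCase(sink.asExpr())
  }
}

module Flow = TaintTracking::Global<EnvToQueryConfig>;
import Flow::PathGraph

from Flow::PathNode source, Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink.getNode(), source, sink, "SQL query built from an environment variable"
```

On the example above this drops the `case 1` sink because `v` is only ever `0`, while a `default` clause, a case reachable by fall-through from a live case, or a variable updated elsewhere keeps its results, which is the conservative side to err on.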
