Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Reduce unreachable branches with query#19639

Unanswered
bftmoon asked this question inQ&A
Jun 2, 2025· 1 comments· 2 replies
Discussion options

Hello! I am trying to reduce results for unreachable blocks in JS. Can you, please, give a hint, how to do it? I understand by docs and code that it is something with DataFlow and ControlFlow but can't make query.

For code:

constmysql=require('mysql2')constconnection=mysql.createConnection({host:"localhost",user:"dbuser",database:"testdb",password:"password",})functionfunc(){letarg=''arg=process.env.USERNAMEletv=0;switch(v){case1:letq="SELECT * FROM records WHERE owner = "+argconnection.query(q,(err,rows)=>{if(err)console.error(err)elseconsole.log("Done!")})break;case0:process.exit(0)break;}}

It reports even whenv is never 1.
My query:

module CommandLineFileNameConfigimplements DataFlow::ConfigSig{predicateisSource(DataFlow::Nodesource){    DataFlow::globalVarRef("process").getAPropertyRead("env").getAPropertyRead()=source}predicateisSink(DataFlow::Nodesink){exists(CallExprcall,intargIndex|sink.asExpr()=call.getArgument(argIndex)and(call.getCalleeName()="query"orexists(MethodCallExprmember|call.getCallee()=memberandmember.getMethodName()="query"))andnotcall.getFirstControlFlowNode().isUnreachable())}}module Flow= TaintTracking::Global<CommandLineFileNameConfig>;import Flow::PathGraphfrom Flow::PathNodesource, Flow::PathNodesinkwhere Flow::flowPath(source,sink)selectsink.getNode(),source,sink,"x"
You must be logged in to vote

Replies: 1 comment 2 replies

Comment options

Thanks for your interest using CodeQL, and the clear example. I can reproduce the flow path result with your example code and query. Let me verify with our team whether we expect to handle this pruning of unreachable paths as part of our control or data flow libraries by default.

You must be logged in to vote
2 replies
@adityasharad
Comment options

Update: This is behaving as expected. The control and data flow libraries prune some code paths that are provably unreachable, but they deliberately do not attempt to handle all possibilities from evaluating constant values at compile-time (like the 0 and 1 in your example). Doing this accurately greatly increases the complexity of the analysis, and is not possible to do in all cases. So I don't think there is a piece of logic you can call to prune out this particular path.

The way I think about it: such a code path is still worth reporting, as a small change to the program could mean the code path is no longer unreachable.

@bftmoon
Comment options

It would be good if all people agree with you( Thanks anyway

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Category
Q&A
Labels
None yet
2 participants
@bftmoon@adityasharad
[8]ページ先頭
©2009-2025 Movatter.jp