Reduce unreachable branches with query #19639

bftmoon · 2025-06-02T12:01:37Z

bftmoon
Jun 2, 2025

Hello! I am trying to reduce results for unreachable blocks in JS. Can you, please, give a hint, how to do it? I understand by docs and code that it is something with DataFlow and ControlFlow but can't make query.

For code:

const mysql = require('mysql2')
const connection = mysql.createConnection({
    host: "localhost",
    user: "dbuser",
    database: "testdb",
    password: "password",
})

function func() {
    let arg = ''

    arg = process.env.USERNAME

    let v = 0;

    switch (v) {
        case 1:
            let q = "SELECT * FROM records WHERE owner = " + arg
            connection.query(q, (err, rows) => {
                if (err)
                    console.error(err)
                else
                    console.log("Done!")
            })
            break;
        case 0:
            process.exit(0)
            break;
    }
}

It reports even when v is never 1.
My query:

module CommandLineFileNameConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    DataFlow::globalVarRef("process").getAPropertyRead("env").getAPropertyRead() = source
  }

  predicate isSink(DataFlow::Node sink) {
  exists(CallExpr call, int argIndex |
    sink.asExpr() = call.getArgument(argIndex) and
    (
      call.getCalleeName() = "query" or
      exists(MethodCallExpr member |
        call.getCallee() = member and
        member.getMethodName() = "query"
      )
    ) and not call.getFirstControlFlowNode().isUnreachable()
  ) 
}
}

module Flow = TaintTracking::Global<CommandLineFileNameConfig>;

import Flow::PathGraph

from Flow::PathNode source, Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink.getNode(), source, sink, "x"

adityasharad · 2025-06-03T23:09:15Z

adityasharad
Jun 3, 2025
Maintainer

Thanks for your interest using CodeQL, and the clear example. I can reproduce the flow path result with your example code and query. Let me verify with our team whether we expect to handle this pruning of unreachable paths as part of our control or data flow libraries by default.

2 replies

adityasharad Jun 4, 2025
Maintainer

Update: This is behaving as expected. The control and data flow libraries prune some code paths that are provably unreachable, but they deliberately do not attempt to handle all possibilities from evaluating constant values at compile-time (like the 0 and 1 in your example). Doing this accurately greatly increases the complexity of the analysis, and is not possible to do in all cases. So I don't think there is a piece of logic you can call to prune out this particular path.

The way I think about it: such a code path is still worth reporting, as a small change to the program could mean the code path is no longer unreachable.

bftmoon Jun 6, 2025
Author

It would be good if all people agree with you( Thanks anyway

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Reduce unreachable branches with query #19639

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

TMZ Celebrity News – Breaking Stories, Videos & Gossip

🎥 Watch TMZ Live

Reduce unreachable branches with query #19639

Uh oh!

bftmoon Jun 2, 2025

Replies: 1 comment · 2 replies

Uh oh!

adityasharad Jun 3, 2025 Maintainer

Uh oh!

adityasharad Jun 4, 2025 Maintainer

Uh oh!

bftmoon Jun 6, 2025 Author

TMZ Celebrity News – Breaking Stories, Videos & Gossip

🎥 Watch TMZ Live

bftmoon
Jun 2, 2025

Replies: 1 comment 2 replies

adityasharad
Jun 3, 2025
Maintainer

adityasharad Jun 4, 2025
Maintainer

bftmoon Jun 6, 2025
Author