JavaScript: Eliminate source of false positives in UnsafeShellCommandConstruction.

javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll

@@ -31,5 +31,15 @@ module UnsafeShellCommandConstruction {
       guard instanceof PathExistsSanitizerGuard or
       guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
     }
+
+    // override to require that there is a path without unmatched return steps
+    override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
+      super.hasFlowPath(source, sink) and
+      exists(DataFlow::MidPathNode mid |
+        source.getASuccessor*() = mid and
+        sink = mid.getASuccessor() and
+        mid.getPathSummary().hasReturn() = false
+      )
+    }
   }
 }