From 269489e8172ef9a1b1ebc524e712243665e9bd54 Mon Sep 17 00:00:00 2001
From: Asger F <asgerf@github.com>
Date: Thu, 16 Oct 2025 12:22:45 +0200
Subject: [PATCH] JS: Avoid bad join in shared predicate induced by 'forex'.

Use manual recursion instead.
---
 javascript/ql/lib/semmle/javascript/Expr.qll | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/Expr.qll b/javascript/ql/lib/semmle/javascript/Expr.qll
index ede0e7094ab..b46faf7e2b7 100644
--- a/javascript/ql/lib/semmle/javascript/Expr.qll
+++ b/javascript/ql/lib/semmle/javascript/Expr.qll
@@ -1648,13 +1648,19 @@ private string getConstantString(Expr e) {
   result = e.(TemplateElement).getValue()
 }
 
+pragma[nomagic]
+private predicate hasConstantStringValue(Expr e) {
+  exists(getConstantString(e))
+  or
+  hasAllConstantLeafs(e.getUnderlyingValue())
+}
+
 /**
  * Holds if `add` is a string-concatenation where all the transitive leafs have a constant string value.
  */
 private predicate hasAllConstantLeafs(AddExpr add) {
-  forex(Expr leaf | leaf = getAnAddOperand*(add) and not exists(getAnAddOperand(leaf)) |
-    exists(getConstantString(leaf))
-  )
+  hasConstantStringValue(add.getLeftOperand()) and
+  hasConstantStringValue(add.getRightOperand())
 }
 
 /**