Merge pull request #18547 from erik-krogh/suffixCheck

JS: Fix FPs with js/incorrect-suffix-check

javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql

@@ -44,12 +44,25 @@ class IndexOfCall extends DataFlow::MethodCallNode {
    * Gets an `indexOf` call with the same receiver, argument, and method name, including this call itself.
    */
   IndexOfCall getAnEquivalentIndexOfCall() {
+    result = this
+    or
     exists(DataFlow::Node recv, string m |
       this.receiverAndMethodName(recv, m) and result.receiverAndMethodName(recv, m)
     |
+      // both directly reference the same value
       result.getArgument(0).getALocalSource() = this.getArgument(0).getALocalSource()
       or
+      // both use the same string literal
       result.getArgument(0).getStringValue() = this.getArgument(0).getStringValue()
+      or
+      // both use the same concatenation of a string and a value
+      exists(Expr origin, StringLiteral str, AddExpr otherAdd |
+        this.getArgument(0).asExpr().(AddExpr).hasOperands(origin, str) and
+        otherAdd = result.getArgument(0).asExpr()
+      |
+        otherAdd.getAnOperand().(StringLiteral).getStringValue() = str.getStringValue() and
+        otherAdd.getAnOperand().flow().getALocalSource() = origin.flow().getALocalSource()
+      )
     )
   }
 

javascript/ql/src/change-notes/2025-01-22-indexof-suffix-check.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The `js/incorrect-suffix-check` query now recognises some good patterns of the form `origin.indexOf("." + allowedOrigin)` that were previously falsely flagged.