JS: Fix termination criteria

Previously it was theoretically possible to create a cycle of preferred predecessors, since badness had higher precedence than depth. We now require the preferred predecessor to have lower depth. With this criteria we can remove the arbitray cap on badness.
2026-04-25 16:55:19 +02:00 · 2024-02-12 11:44:52 +01:00
parent 0fbe530d9e
commit 8d3a19aaad
1 changed files with 9 additions and 2 deletions
--- a/javascript/ql/lib/semmle/javascript/endpoints/EndpointNaming.qll
+++ b/javascript/ql/lib/semmle/javascript/endpoints/EndpointNaming.qll
@@ -110,7 +110,14 @@ private API::Node getPreferredPredecessor(API::Node node, string name, int badne
  not isPackageExport(node) and
  // Rank predecessors by name-badness, export-distance, and name.
  // Since min() can only return a single value, we need a separate min() call per column.
-  badness = min(int b | exists(getAPredecessor(node, _, b)) | b) and
+  badness =
+    min(API::Node pred, int b |
+      pred = getAPredecessor(node, _, b) and
+      // ensure the preferred predecessor is strictly closer to a root export, even if it means accepting more badness
+      distanceFromPackageExport(pred) < distanceFromPackageExport(node)
+    |
+      b
+    ) and
  result =
    min(API::Node pred, string name1 |
      pred = getAPredecessor(node, name1, badness)
@@ -133,7 +140,7 @@ private predicate sinkHasNameCandidate(API::Node sink, string package, string na
  exists(API::Node baseNode, string baseName, int baseBadness, string step, int stepBadness |
    sinkHasNameCandidate(baseNode, package, baseName, baseBadness) and
    baseNode = getPreferredPredecessor(sink, step, stepBadness) and
-    badness = (baseBadness + stepBadness).minimum(20) and
+    badness = baseBadness + stepBadness and
    name = join(baseName, step)
  )
 }