Constrain location overrides to actual sources/sinks

2025-12-16 16:53:25 +01:00 · 2025-10-16 14:19:05 +02:00
parent 96e1536769
commit a0975e7e19
13 changed files with 45 additions and 33 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
@@ -31,11 +31,9 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
  predicate observeDiffInformedIncrementalMode() { any() }

  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
    exists(DataFlow::Node node |
      isSinkWithHighlight(sink, node) and
-      result = node.getLocation()
+      result = [node.getLocation(), sink.getLocation()]
    )
  }
 }