JS: Fix template literal detection in string concatination

2026-04-26 09:15:12 +02:00 · 2025-06-12 11:18:20 +02:00
parent 861e4ee11e
commit bafe7e66ad
3 changed files with 5 additions and 6 deletions
--- a/javascript/ql/src/LanguageFeatures/TemplateSyntaxInStringLiteral.ql
+++ b/javascript/ql/src/LanguageFeatures/TemplateSyntaxInStringLiteral.ql
@@ -76,9 +76,10 @@ class CandidateStringLiteral extends StringLiteral {
 * ```
 */
 predicate hasObjectProvidingTemplateVariables(CandidateStringLiteral lit) {
-  exists(DataFlow::CallNode call, DataFlow::ObjectLiteralNode obj |
-    call.getAnArgument().getALocalSource() = obj and
-    call.getAnArgument().asExpr() = lit and
+  exists(DataFlow::CallNode call, DataFlow::ObjectLiteralNode obj, DataFlow::Node stringArg |
+    stringArg = [StringConcatenation::getRoot(lit.flow()), lit.flow()] and
+    stringArg = call.getAnArgument() and
+    obj.flowsTo(call.getAnArgument()) and
    forex(string name | name = lit.getAReferencedVariable() | exists(obj.getAPropertyWrite(name)))
  )
 }
--- a/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.expected
@@ -3,7 +3,5 @@
 | TemplateSyntaxInStringLiteral.js:19:11:19:36 | 'global ... alVar}' | This string is not a template literal, but appears to reference the variable $@. | TemplateSyntaxInStringLiteral.js:14:5:14:13 | globalVar | globalVar |
 | TemplateSyntaxInStringLiteral.js:28:15:28:21 | "${x} " | This string is not a template literal, but appears to reference the variable $@. | TemplateSyntaxInStringLiteral.js:25:14:25:14 | x | x |
 | TemplateSyntaxInStringLiteral.js:42:17:42:57 | "Name:  ... oobar}" | This string is not a template literal, but appears to reference the variable $@. | TemplateSyntaxInStringLiteral.js:37:11:37:16 | foobar | foobar |
-| TemplateSyntaxInStringLiteral.js:47:27:47:51 | ") ${ex ...  got (" | This string is not a template literal, but appears to reference the variable $@. | TemplateSyntaxInStringLiteral.js:45:20:45:27 | expected | expected |
-| TemplateSyntaxInStringLiteral.js:47:71:47:83 | ") ${actual}" | This string is not a template literal, but appears to reference the variable $@. | TemplateSyntaxInStringLiteral.js:45:12:45:17 | actual | actual |
 | TemplateSyntaxInStringLiteral.js:62:15:62:29 | "Name: ${name}" | This string is not a template literal, but appears to reference the variable $@. | TemplateSyntaxInStringLiteral.js:61:30:61:33 | name | name |
 | TemplateSyntaxInStringLiteral.js:66:11:66:44 | "Name:  ... {name}" | This string is not a template literal, but appears to reference the variable $@. | TemplateSyntaxInStringLiteral.js:61:30:61:33 | name | name |
--- a/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js
+++ b/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js
@@ -44,7 +44,7 @@ function foo1() {

 function a(actual, expected, description) {
    assert(false, "a", description, "expected (" +
-        typeof expected + ") ${expected} but got (" + typeof actual + ") ${actual}", { // $SPURIOUS:Alert
+        typeof expected + ") ${expected} but got (" + typeof actual + ") ${actual}", {
            expected: expected,
            actual: actual
        });