From cf33db78ccdcd8e3d3daf1cb22e75bfbe353c23f Mon Sep 17 00:00:00 2001
From: Asger F
Date: Wed, 12 Feb 2025 11:53:34 +0100
Subject: [PATCH] JS: Fix the spurious flow

---
 javascript/ql/lib/semmle/javascript/frameworks/SQL.qll | 5 ++++-
 .../test/query-tests/Security/CWE-089/untyped/pg-promise.js | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
index 218f2f8366e..9d106251a21 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
@@ -221,7 +221,10 @@ private module Postgres {
 /** Gets a value that is plugged into a raw placeholder variable, making it a sink for SQL injection. */
 private DataFlow::Node getARawValue() {
- result = this.getValues() and this.getARawParameterName() = "1" // Special case: if the argument is not an array or object, it's just plugged into $1
+ result = this.getValues() and
+ this.getARawParameterName() = "1" and // Special case: if the argument is not an array or object, it's just plugged into $1
+ not result instanceof DataFlow::ArrayCreationNode and
+ not result instanceof DataFlow::ObjectLiteralNode
 or
 exists(DataFlow::SourceNode values | values = this.getValues().getALocalSource() |
 result = values.getAPropertyWrite(this.getARawParameterName()).getRhs()
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js
index 2d82889d7f4..9ed6877e866 100644
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js
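Review bot: The new exclusions on the `+ not result instanceof …` lines test the argument node itself, so an array or object literal that is built earlier and passed to the query through a variable is not an ArrayCreationNode/ObjectLiteralNode at the call site and still takes the whole-value `$1` special case, which appears to be the same spurious flow this commit removes, one assignment away. The second disjunct already resolves the argument via `this.getValues().getALocalSource()`, so the exclusions could use the same idiom: `not this.getValues().getALocalSource() instanceof DataFlow::ArrayCreationNode and` / `not this.getValues().getALocalSource() instanceof DataFlow::ObjectLiteralNode`. Whether that drops any true alerts depends on how property writes on an aliased literal are modelled, which is outside this hunk, so the pg-promise test would want an aliased-array case either way. The `// Special case` comment now sits on the middle line of a four-line conjunction; moving it to its own line above `result = this.getValues() and` keeps it attached to the whole condition. getARawValue's body continues past the end of the hunk.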
@@ -39,7 +39,7 @@ require('express')().get('/foo', (req, res) => {
 req.params.id, // $ Alert
 req.params.name, // $ Alert
 req.params.foo, // OK - not using raw interpolation
- ] // $ SPURIOUS: Alert - implicit reads causes flow here in addition to the individual array elements
+ ]
 });
 db.one({
 text: 'SELECT * FROM news where id = ${id}:raw AND name = ${name}',