Skip to content

JS: Improve useless-expression query to avoid duplicate alerts on compound expressions #19579

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Jun 10, 2025
Merged

JS: Improve useless-expression query to avoid duplicate alerts on compound expressions #19579

merged 11 commits into from
Jun 10, 2025

Conversation

Napalys
Copy link
Contributor

@Napalys Napalys commented May 26, 2025
edited
Loading

This PR improves the js/useless-expression query by adding logic to avoid flagging compound expressions that may contain sub-expressions with side effects.

@Napalys Napalys marked this pull request as ready for review May 26, 2025 11:00
@Copilot Copilot AI review requested due to automatic review settings May 26, 2025 11:00
@Napalys Napalys requested a review from a team as a code owner May 26, 2025 11:00
Copilot
Copilot AI reviewed May 26, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Enhance the isDomProperty predicate to detect property reads on DOM nodes (e.g., offsetHeight, clientWidth) and reduce false positives in the js/useless-expression query.

  • Extend isDomProperty to also match property names accessed via data-flow property reads.
  • Add a test case validating layout-affecting reads on DOM elements.
  • Record the change in the project’s change notes.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
javascript/ql/lib/Expressions/DOMProperties.qll Extend isDomProperty predicate with a DataFlow::SourceNode branch.
javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/dom.js New test verifying that reads like offsetHeight and clientWidth are side-effectful.
javascript/ql/lib/change-notes/2025-05-26-dom-property-access.md Add change note documenting the enhancement to isDomProperty.
Comments suppressed due to low confidence (1)

javascript/ql/lib/Expressions/DOMProperties.qll:14

  • [nitpick] The variable name domNode implies a DOM AST node but actually refers to a data-flow source; consider renaming it to sourceNode or propSourceNode for clearer intent.
exists(DataFlow::SourceNode domNode | isDomNode(domNode) |

@Napalys Napalys marked this pull request as draft May 27, 2025 08:53
@Napalys Napalys force-pushed the js/dom_property_access branch 3 times, most recently from 201ee08 to 59fe03f Compare May 30, 2025 14:30
@Napalys Napalys force-pushed the js/dom_property_access branch from 59fe03f to 1f256ab Compare June 2, 2025 12:59
@Napalys Napalys changed the title JS: Enhance isDomProperty JS: Improve useless-expression query to avoid duplicate alerts on compound expressions Jun 2, 2025
@Napalys Napalys marked this pull request as ready for review June 2, 2025 13:07
asgerf
asgerf reviewed Jun 2, 2025
View reviewed changes
@Napalys Napalys requested a review from asgerf June 2, 2025 15:39
@Napalys Napalys force-pushed the js/dom_property_access branch from 15b1dae to aac56e0 Compare June 3, 2025 13:27
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 10, 2025
View reviewed changes
@Napalys Napalys force-pushed the js/dom_property_access branch from 8bd817c to c97da2e Compare June 10, 2025 08:56
asgerf
asgerf reviewed Jun 10, 2025
View reviewed changes
Napalys and others added 3 commits June 10, 2025 13:18
@Napalys @asgerf
Update javascript/ql/lib/Expressions/ExprHasNoEffect.qll
e6f071c 
Co-authored-by: Asger F <asgerf@github.com>
@Napalys @asgerf
Update javascript/ql/lib/Expressions/ExprHasNoEffect.qll
496d8d4 
Co-authored-by: Asger F <asgerf@github.com>
@Napalys @asgerf
Update javascript/ql/lib/Expressions/ExprHasNoEffect.qll
e465811 
Co-Authored-By: Asger F <316427+asgerf@users.noreply.github.com>
@Napalys Napalys requested a review from asgerf June 10, 2025 11:56
@Napalys Napalys merged commit 51b83db into github:main Jun 10, 2025
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@asgerf asgerf asgerf approved these changes

Assignees
No one assigned
Labels
documentation JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Napalys @asgerf