Why my codeQL's taint-track flows end at a DataFlow::PropWrite node?

[Leepay]

The JavaScript codes are:

var func = function (n) {
    o.name = n;
    console.log(o); 
}

And I want to make n as my source in the TaintTracking::Configuration to find out its flows. So my codeQL query is:

/**
 * @name test
 * @kind path-problem
 * @id javascript/test
 * @precision very-high
 */

 import javascript
 import DataFlow::PathGraph

 class MyConfiguration extends TaintTracking::Configuration {
    MyConfiguration() { this = "MyConfiguration" }

    override predicate isSource(DataFlow::Node source) {
        source.toString() = "n"
    }
  
    override predicate isSink(DataFlow::Node sink) {
        sink instanceof DataFlow::Node
    }
}
from MyConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, source.toString()

But when I run this query, the longest path it can track is "n (the argument of func) -> n (in assignment o.name=n) -> o.name=n", which ends at o.name=n and will not mark o as a tainted variable.
So I override the isAdditionalTaintStep predicate like:

override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    //track the path from assignment to the object e.g. o.name = n; (o.name=n -> o)
    exists(DataFlow::PropWrite write_prop, AssignExpr assign_expr|
            assign_expr.getLhs() = write_prop.asExpr() and
            pred.asExpr() = assign_expr.(Expr) and
            succ = write_prop.getBase()
        )
}

Now the tracked flows is appended with o in o.name=n. And the current path is "n (the argument of func) -> n (in assignment o.name=n) -> o.name=n -> o (in o.name=n)". However, it still cannot track into the usage of o in CallNode console.log(o).
I also tried the isAdditionalTaintStep like:

override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    //track the path from Rhs to the object e.g. o.name = n; (n -> o)
    exists(DataFlow::PropWrite write_prop|
        pred = write_prop.getRhs() and
        succ = write_prop.getBase()
    )
}

And the tracked path is "n (the argument of func) -> n (in assignment o.name=n) -> o (in o.name=n)", still without the CallNode console.log(o)
I wonder why does this happen, is it an inner mechanism of codeQL or a mistake of my codeQL query?

[asgerf]

Hi @Leepay, 👋

When modeling mutations in the JavaScript analysis, we usually add getALocalSource() at the successor of the step:

 override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
     //track the path from Rhs to the object e.g. o.name = n; (n -> o)
     exists(DataFlow::PropWrite write_prop|
         pred = write_prop.getRhs() and
+        succ = write_prop.getBase().getALocalSource()
     )
 }

Regarding your example, o will be seen as a global variable if that snippet is analyzed without more context, and I'd like to note that taint tracking through global variables is more restricted than for regular variables. In particular, getALocalSource() won't be able to backtrack from o if it's a global variable reference. Unless you are specifically interested in global variables, I'd suggest crafting examples that don't use global variables.

[Leepay]

Thank you for your answer!

getALocalSource perfectly solved my problem.

As for the example, I extract the critical sentences from the js file I want to track to simplify the problem. But I ignored the definition of o, which is a local variable. So getALocalSource is needed to track to the definition of o because of the mutation.