[JS] Casting a SourceNode as Expr

[MaxSchlueter]

Going through the GitHub Security Lab CTF 3 about XSS-unsafe jQuery plugins, I got the following query for Question 1.1:

from PropWrite pw, SourceNode func
where
  jquery().getAPropertyRead("fn").getAPropertyWrite() = pw and
  pw.getRhs().getALocalSource() = func and
  func.asExpr() instanceof Function
select pw, func

which returns only 2 results, whereas 13 are expected. I saw that the official solution to this uses FunctionNode instead of SourceNode, no casting asExpr() and instanceof check needed. Why is getALocalSource().asExpr() instanceof Function different from equaling this to a FunctionNode?

[MathiasVP]

Hi @MaxSchlueter,

Note that the CodeQL JavaScript library has several concepts of functions: Functions, FunctionExprs, and ArrowFunctionExprs. And when you write getALocalSource().asExpr() instanceof Function you're restricting getALocalSource() to be only dataflow nodes whose underlying function is an expression. When you're using instanceof FunctionNode that is not the case.

Does that explanation help?

[MaxSchlueter]

Hi @MathiasVP,

thank you for the quick response, that makes sense to me. If there were a predicate asExprOrStmt() my query should work the same way, right?

[MathiasVP]

It should, yes. In fact, there is actually predicate like that on DataFlow::Nodes, but it's called getAstNode (see here) 🙂.