Fix a regression where the alert was not made if a child CQL clause is tainted

jeongsoolee09 · jeongsoolee09 · commit 565dde25006b · 2025-07-03T17:44:33.000-04:00
For example, this example was not alerted on:

``` javascript
  this.on("send00234", async (req) =&gt; {
    const { id } = req.data;
    const { Service1Entity } = this.entities;
    await UPDATE.entity(Service1Entity).set("col1 = col1 + " + id).where`ID = ${id}`;  // UNSAFE: direct concatenation with `+`
  });
```
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPCqlInjectionQuery.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPCqlInjectionQuery.qll
@@ -36,15 +36,20 @@ class AwaitCqlClauseWithStringConcatParameter extends CqlInjectionSink {
   DataFlow::Node queryParameter;
   DataFlow::Node query;
   CqlClauseWithStringConcatParameter cqlClauseWithStringConcat;
+  CqlClause finalAncestorCqlClauseOfCqlClauseWithStringConcat;
 
   AwaitCqlClauseWithStringConcatParameter() {
     exists(AwaitExpr await |
       this = await.flow() and
-      await.getOperand() = cqlClauseWithStringConcat.(CqlClause).asExpr()
+      await.getOperand() = finalAncestorCqlClauseOfCqlClauseWithStringConcat.asExpr() and
+      finalAncestorCqlClauseOfCqlClauseWithStringConcat =
+        cqlClauseWithStringConcat.(CqlClause).getFinalClause()
     )
   }
 
-  override DataFlow::Node getQuery() { result = cqlClauseWithStringConcat.(CqlClause).flow() }
+  override DataFlow::Node getQuery() {
+    result = finalAncestorCqlClauseOfCqlClauseWithStringConcat.flow()
+  }
 }
 
 /**
@@ -189,7 +194,7 @@ class CqlInjectionConfiguration extends TaintTracking::Configuration {
 
     exists(CqlClause cqlClause |
       start = cqlClause.getArgument().flow().getAPredecessor*().(StringOps::Concatenation) and
-      end = cqlClause.flow()
+      end = cqlClause.getFinalClause().flow()
     )
   }
 }
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CQL.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CQL.qll
@@ -264,6 +264,17 @@ class CqlClause extends TCqlClause {
 
   predicate isFinal() { not exists(this.getParentCqlClause()) }
 
+  /**
+   * Gets the final CQL clause that this clause is a part of.
+   */
+  CqlClause getFinalClause() {
+    if this.isFinal()
+    then result = this
+    else (
+      result = this.getAnAncestorCqlClause() and result.isFinal()
+    )
+  }
+
   /**
    * Matches the given `CqlClause` to its method/property name, nested at arbitrary depth.
    */

Original file line number	Diff line number	Diff line change
`@@ -36,15 +36,20 @@ class AwaitCqlClauseWithStringConcatParameter extends CqlInjectionSink {`
`36`	`36`	`DataFlow::Node queryParameter;`
`37`	`37`	`DataFlow::Node query;`
`38`	`38`	`CqlClauseWithStringConcatParameter cqlClauseWithStringConcat;`
	`39`	`+ CqlClause finalAncestorCqlClauseOfCqlClauseWithStringConcat;`
`39`	`40`
`40`	`41`	`AwaitCqlClauseWithStringConcatParameter() {`
`41`	`42`	`exists(AwaitExpr await \|`
`42`	`43`	`this = await.flow() and`
`43`		`- await.getOperand() = cqlClauseWithStringConcat.(CqlClause).asExpr()`
	`44`	`+ await.getOperand() = finalAncestorCqlClauseOfCqlClauseWithStringConcat.asExpr() and`
	`45`	`+ finalAncestorCqlClauseOfCqlClauseWithStringConcat =`
	`46`	`+ cqlClauseWithStringConcat.(CqlClause).getFinalClause()`
`44`	`47`	`)`
`45`	`48`	`}`
`46`	`49`
`47`		`- override DataFlow::Node getQuery() { result = cqlClauseWithStringConcat.(CqlClause).flow() }`
	`50`	`+ override DataFlow::Node getQuery() {`
	`51`	`+ result = finalAncestorCqlClauseOfCqlClauseWithStringConcat.flow()`
	`52`	`+ }`
`48`	`53`	`}`
`49`	`54`
`50`	`55`	`/**`
`@@ -189,7 +194,7 @@ class CqlInjectionConfiguration extends TaintTracking::Configuration {`
`189`	`194`
`190`	`195`	`exists(CqlClause cqlClause \|`
`191`	`196`	`start = cqlClause.getArgument().flow().getAPredecessor*().(StringOps::Concatenation) and`
`192`		`- end = cqlClause.flow()`
	`197`	`+ end = cqlClause.getFinalClause().flow()`
`193`	`198`	`)`
`194`	`199`	`}`
`195`	`200`	`}`