JS: Improve useless-expression query to avoid duplicate alerts on compound expressions#19579
Merged
Napalys merged 11 commits intogithub:mainfrom Jun 10, 2025
Merged
JS: Improve useless-expression query to avoid duplicate alerts on compound expressions#19579Napalys merged 11 commits intogithub:mainfrom
useless-expression query to avoid duplicate alerts on compound expressions#19579Napalys merged 11 commits intogithub:mainfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull Request Overview
Enhance the isDomProperty predicate to detect property reads on DOM nodes (e.g., offsetHeight, clientWidth) and reduce false positives in the js/useless-expression query.
- Extend
isDomPropertyto also match property names accessed via data-flow property reads. - Add a test case validating layout-affecting reads on DOM elements.
- Record the change in the project’s change notes.
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| javascript/ql/lib/Expressions/DOMProperties.qll | Extend isDomProperty predicate with a DataFlow::SourceNode branch. |
| javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/dom.js | New test verifying that reads like offsetHeight and clientWidth are side-effectful. |
| javascript/ql/lib/change-notes/2025-05-26-dom-property-access.md | Add change note documenting the enhancement to isDomProperty. |
Comments suppressed due to low confidence (1)
javascript/ql/lib/Expressions/DOMProperties.qll:14
- [nitpick] The variable name
domNodeimplies a DOM AST node but actually refers to a data-flow source; consider renaming it tosourceNodeorpropSourceNodefor clearer intent.
exists(DataFlow::SourceNode domNode | isDomNode(domNode) |
Napalys
force-pushed
the
js/dom_property_access
branch
3 times, most recently
from
201ee08 to
59fe03f
Compare
Napalys
force-pushed
the
js/dom_property_access
branch
from
59fe03f to
1f256ab
Compare
Napalys
changed the title
isDomPropertyuseless-expression query to avoid duplicate alerts on compound expressions
asgerf
reviewed
Jun 2, 2025
Napalys
force-pushed
the
js/dom_property_access
branch
from
15b1dae to
aac56e0
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Napalys
force-pushed
the
js/dom_property_access
branch
from
8bd817c to
c97da2e
Compare
asgerf
reviewed
Jun 10, 2025
Co-authored-by: Asger F <asgerf@github.com>
Co-authored-by: Asger F <asgerf@github.com>
Co-Authored-By: Asger F <316427+asgerf@users.noreply.github.com>
asgerf
approved these changes
Jun 10, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR improves the
js/useless-expressionquery by adding logic to avoid flagging compound expressions that may contain sub-expressions with side effects.