From 86925646f302641902515c0eaf63b155771c9636 Mon Sep 17 00:00:00 2001
From: Kasper Svendsen
Date: Tue, 28 Feb 2023 12:01:25 +0100
Subject: [PATCH] ReflectedXss: Prevent bad join order

---
 .../security/dataflow/ReflectedXssCustomizations.qll | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
index a91f21f7c23c..4c466d1e7912 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
@@ -103,6 +103,12 @@ module ReflectedXss {
     )
   }
 
+  bindingset[headerBlock]
+  pragma[inline_late]
+  private predicate doesNotDominateCallback(ReachableBasicBlock headerBlock) {
+    not exists(Expr e | e instanceof Function | headerBlock.dominates(e.getBasicBlock()))
+  }
+
   /**
    * Holds if the HeaderDefinition `header` seems to be local.
    * A HeaderDefinition is local if it dominates exactly one `ResponseSendArgument`.
@@ -122,7 +128,7 @@ module ReflectedXss {
       header.getBasicBlock().(ReachableBasicBlock).dominates(sender.getBasicBlock())
     ) and
     // doesn't dominate something that looks like a callback.
-    not exists(Expr e | e instanceof Function | headerBlock.dominates(e.getBasicBlock()))
+    doesNotDominateCallback(headerBlock)
   )
 }
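Review bot: The new private predicate `doesNotDominateCallback` in the first hunk carries no QLDoc, so nothing in the file records why it was lifted out of the predicate documented as "Holds if the HeaderDefinition `header` seems to be local" — the `bindingset[headerBlock]` / `pragma[inline_late]` pair is the whole point of the change, and a later cleanup that inlines the body back would silently reintroduce the join-order problem the commit title names. I would add, above `bindingset[headerBlock]`, a comment along the lines of `/** Holds if headerBlock does not dominate the basic block of any function expression (a potential callback). Kept as a separate, late-inlined predicate so the dominance check is evaluated only after headerBlock is bound. */`. As far as the hunks show the refactor is behavior-preserving, since the new body is the exact expression removed in the second hunk, so the "local header" heuristic that decides whether a header definition covers a response send is unchanged. The enclosing predicate in the second hunk begins before the hunk.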