Merge pull request #1311 from emarteca/unreachableThrows

semmle-qlci · web-flow · commit 9653fbd4f7aa · 2019-05-09T10:37:41.000+01:00
Approved by xiemaisi
diff --git a/change-notes/1.21/analysis-javascript.md b/change-notes/1.21/analysis-javascript.md
@@ -38,6 +38,7 @@
 | Server-side URL redirect       | Fewer false-positive results | This rule now treats URLs as safe in more cases where the hostname cannot be tampered with. |
 | Type confusion through parameter tampering | Fewer false-positive results | This rule now recognizes additional emptiness checks. |
 | Useless assignment to property | Fewer false-positive results | This rule now ignore reads of additional getters. |
+| Unreachable statement | Unreachable throws no longer give an alert | This ignores unreachable throws, as they could be intentional (for example, to placate the TS compiler). |
 
 ## Changes to QL libraries
 
diff --git a/javascript/ql/src/Statements/UnreachableStatement.ql b/javascript/ql/src/Statements/UnreachableStatement.ql
@@ -26,5 +26,7 @@ where
   // ignore ambient statements
   not s.isAmbient() and
   // ignore empty statements
-  not s instanceof EmptyStmt
+  not s instanceof EmptyStmt and 
+  // ignore unreachable throws
+  not s instanceof ThrowStmt
 select s.(FirstLineOf), "This statement is unreachable."
diff --git a/javascript/ql/test/query-tests/Statements/UnreachableStatement/tst.js b/javascript/ql/test/query-tests/Statements/UnreachableStatement/tst.js
@@ -73,3 +73,9 @@ function f(){
 		return z;
 	}; // ';' is unreachable, but alert is squelched
 }
+
+// test for unreachable throws
+function z() {
+	return 10;
+	throw new Error(); // this throws is unreachable, but alert should not be produced
+}
