CodeQL JavaScript local data flow

Hi, I’m following the tutorial on CodeQL for JavaScript and tested the query to find all references to properties of process.argv:

import javascript

select DataFlow::globalVarRef("process").getAPropertyRead("argv").getAPropertyReference()

Now, a reference for the following code: var args = process.argv[2] is found, whereas for the code shown in the tutorial:

var args = process.argv;
var firstArg = args[2];

no results are produced for me, even though there should be according to the tutorial. What am I missing here? I’m on CodeQL command-line toolchain release 2.4.4 and am on commit ce1d8ded22b in the CodeQL repo.

Hi MaxSchlueter,

It turns out that code snippet doesn’t work if that’s the entire contents of the JS file, because CodeQL won’t recognize it as a Node.js module.

I’ll try to update the tutorial to use a snippet that can be used in isolation, but for now you can test on this:

const fs = require('fs');

let args = process.argv;
let firstArg = args[2];