ignore sources named "code"

erik-krogh · erik-krogh · commit 0f2e6c72fe66 · 2021-05-06T15:47:25.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeCodeConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeCodeConstructionCustomizations.qll
@@ -22,7 +22,10 @@ module UnsafeCodeConstruction {
    * A parameter of an exported function, seen as a source.
    */
   class ExternalInputSource extends Source, DataFlow::ParameterNode {
-    ExternalInputSource() { this = Exports::getALibraryInputParameter() }
+    ExternalInputSource() {
+      this = Exports::getALibraryInputParameter() and
+      not this.getName() = "code"
+    }
   }
 
   /**
