Is there a way to find possible paths from a source node in JavaScript?

[yonajix]

Hi, I'm working on a project using CodeQL for finding vulnerabilities in JavaScript. Right now I'm dealing with code with known CVEs and I want to investigate the cause of several of the security queries that find source and sink nodes being unable to establish a path between the two even when one should exist.

I'm not sure if there is a way to find all possible paths emanating from source nodes, or paths that flow into sink nodes. I believe this would help me identify gaps in the queries I'm working with.

Thank you!

[aibaars]

One trick that might work is to make a query that restricts the source to a single one and the sink to be any(). That should help if you know which source was responsible for the CVE and explore all the flow paths starting from there. You can also do the opposite to explore from where data may flow into a single sink node.