UnvalidatedDynamicMethodCall query does not detect flow inside try/catch #20098

@fguisso

Description

Hi CodeQL team 👋

I'm currently building some training challenges for developers to help them identify insecure dynamic method calls. I designed one of the exercises based on the UnvalidatedDynamicMethodCall alert.

However, I noticed that the vulnerability I created was not detected by the query. After a lot of debugging, I suspect the query does not handle taint flow properly when the logic is inside arrow functions.

  • The vulnerable code uses an Express route with an arrow function as the handler.
  • Inside the arrow function, I access req.params.action and use it to dynamically invoke a method: userManager[action](...).
  • This allows access to both regular and admin-only methods of the userManager object.

Unfortunately, this pattern wasn't flagged by the query, even though it's clearly unsafe.

I'm still learning how CodeQL queries work, and I'm not very experienced with the query language yet. I'd really appreciate any help understanding why this scenario is missed, and how I might contribute a feature for it.

I'd love to open a PR — just need some guidance on how to proceed the right way.

Update: I have tested here as @rvermeulen said, and the catch is the try/catch.

git blaming cc: @asgerf
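The pattern described in the bullets above, written out as an added example so the scenario is concrete. This is not the issue author's code or anything from the CodeQL repository: the `userManager` method names, the Express-style `req`/`res` objects and the `invoke` helper are all constructed here, and Express itself is replaced by a tiny stand-in so the file runs offline. The vulnerable handler is an arrow function with the dynamic call inside try/catch, as in the report; the hardened handler beside it shows the check the query is meant to enforce (an allow-list plus an own-property check, so prototype members such as `toString` or `constructor` are not callable either).

```javascript
// Added example (not from the original issue): unvalidated dynamic method call
// on an Express-style route, plus a hardened version. No dependencies.

// Constructed stand-in for the issue's userManager: public and admin-only methods
// live on the same object, so any method name reachable from the request works.
const userManager = {
  getProfile(id) { return { id, role: 'user' }; },
  // Admin-only operations (assumed names for the example).
  deleteUser(id) { return { deleted: id }; },
  promoteToAdmin(id) { return { id, role: 'admin' }; },
};

// Vulnerable handler: arrow function, method name taken straight from
// req.params.action, call wrapped in try/catch (the shape the issue describes).
const vulnerableHandler = (req, res) => {
  try {
    const action = req.params.action;
    const result = userManager[action](req.params.id); // unvalidated dynamic call
    res.json(result);
  } catch (e) {
    // Any TypeError (unknown method) is swallowed here; the attacker still gets
    // every method that does exist, including the admin-only ones.
    res.status(500).json({ error: 'invalid action' });
  }
};

// Hardened handler: explicit allow-list of public actions, and an own-property
// check so names inherited from Object.prototype (toString, constructor, ...)
// can never be dispatched.
const PUBLIC_ACTIONS = new Set(['getProfile']);

const hardenedHandler = (req, res) => {
  const action = req.params.action;
  const allowed = PUBLIC_ACTIONS.has(action)
    && Object.prototype.hasOwnProperty.call(userManager, action);
  if (!allowed) {
    return res.status(400).json({ error: 'unknown action' });
  }
  res.json(userManager[action](req.params.id));
};

// Minimal recorder standing in for Express's res object (constructed here).
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Drive a handler with a constructed request and return what it answered.
function invoke(handler, action, id = '42') {
  const res = makeRes();
  handler({ params: { action, id } }, res);
  return { status: res.statusCode, body: res.body };
}

// Usage: the vulnerable route reaches the admin-only method and even a
// prototype method; the hardened route refuses both.
console.log(invoke(vulnerableHandler, 'promoteToAdmin'));
console.log(invoke(vulnerableHandler, 'toString'));
console.log(invoke(hardenedHandler, 'promoteToAdmin'));
console.log(invoke(hardenedHandler, 'getProfile'));
```

The try/catch is what makes the vulnerable version look "safe" at a glance: an unknown action throws and is turned into a 500, but every method that exists on the object is still callable, which is why the taint path should still be reported regardless of the surrounding handler.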

Metadata

Assignees

No one assigned

    Labels

    question (Further information is requested)

    Development

    No branches or pull requests