ignore sources named "code"

erik-krogh · erik-krogh · commit 53315e6ab66d · 2022-02-07T13:34:18.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeCodeConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeCodeConstructionCustomizations.qll
@@ -22,7 +22,10 @@ module UnsafeCodeConstruction {
    * A parameter of an exported function, seen as a source.
    */
   class ExternalInputSource extends Source, DataFlow::ParameterNode {
-    ExternalInputSource() { this = Exports::getALibraryInputParameter() }
+    ExternalInputSource() {
+      this = Exports::getALibraryInputParameter() and
+      not this.getName() = "code"
+    }
   }
 
   /**
