recognize alert messages defined in the where clause

Author: erik-krogh

ql/ql/src/codeql_ql/ast/Ast.qll

@@ -1403,6 +1403,14 @@ class ComparisonFormula extends TComparisonFormula, Formula {
     or
     pred = directMember("getRightOperand") and result = this.getRightOperand()
   }
+
+  /** Hplds if this comparison has the operands `a` and `b` (in any order). */
+  pragma[noinline]
+  predicate hasOperands(Expr a, Expr b) {
+    this.getLeftOperand() = a and this.getRightOperand() = b
+    or
+    this.getLeftOperand() = b and this.getRightOperand() = a
+  }
 }
 
 /** A quantifier formula, such as `exists` or `forall`. */

ql/ql/src/queries/style/AlertMessage.ql

@@ -10,17 +10,21 @@
 
 import ql
 
+AstNode getASubExpression(Select sel) {
+  result = sel.getExpr(_)
+  or
+  result = getASubExpression(sel).getAChild()
+}
+
 /** Gets the `index`th part of the select statement. */
 private AstNode getSelectPart(Select sel, int index) {
   result =
     rank[index](AstNode n, Location loc |
       (
-        n.getParent*() = sel.getExpr(_) and loc = n.getLocation()
+        n = getASubExpression(sel) and loc = n.getLocation()
         or
         // the strings are behind a predicate call.
-        exists(Call c, Predicate target |
-          c.getParent*() = sel.getExpr(_) and loc = c.getLocation()
-        |
+        exists(Call c, Predicate target | c = getASubExpression(sel) and loc = c.getLocation() |
           c.getTarget() = target and
           (
             target.getBody().(ComparisonFormula).getAnOperand() = n
@@ -30,6 +34,14 @@ private AstNode getSelectPart(Select sel, int index) {
             )
           )
         )
+        or
+        // the string is a variable that is assigned in the `where` clause.
+        exists(VarAccess v, ComparisonFormula comp, String str |
+          v = getASubExpression(sel) and
+          loc = v.getLocation() and
+          comp.hasOperands(v.getDeclaration().getAnAccess(), str) and
+          n = str
+        )
       )
     |
       n