Missing "Cross-window communication with unrestricted target origin" because of wrapping by (javascript) blockstatement #19100

Open
@Anemone95

Hi,

I am using CodeQL 2.20.6, and here is the code:

// {
    const t = {};
    const r = localStorage.getItem("pw_uuid");
    r && JSON.parse(r).data && (t.uuid = JSON.parse(r).data);
    window.parent.postMessage(JSON.stringify({
        type: "_pwUserDataReady",
        key: "",
        data: t
    }), "*");
// }

Here CodeQL should give me a "Cross-window communication with unrestricted target origin" alert, but it doesn't.

If I remove the first and last line comments, i.e., wrap the code in a block, as follows:

{
    const t = {};
    const r = localStorage.getItem("pw_uuid");
    r && JSON.parse(r).data && (t.uuid = JSON.parse(r).data);
    window.parent.postMessage(JSON.stringify({
        type: "_pwUserDataReady",
        key: "",
        data: t
    }), "*");
}

It does give me one:

"Cross-window communication with unrestricted target origin", "When sending sensitive information to another window using `postMessage`, the origin of the target window should be restricted to avoid unintentional information leaks.", "error","[[""Sensitive data""|""relative:///iframe.js:3:15:3:45""]] is sent to another window without origin restriction.","/iframe.js", "5", "31", "9", "6"

This issue looks the same as #18652, but it should be fixed in 2.20.6, shouldn't it?
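
For reference, a hardened form of the snippet in this report, as an added example that is not part of the original issue or of CodeQL: it passes an exact target origin instead of "*", which is the restriction the alert text asks for. `PARENT_ORIGIN` and its value, and the helper names `readUuid`, `isExactOrigin` and `sendUserData`, are assumptions.

```javascript
// Added example, not code from the issue. PARENT_ORIGIN is a constructed placeholder
// for the one origin that is allowed to embed this iframe.
const PARENT_ORIGIN = "https://app.example.com";

// Read the stored value once; tolerate a missing or malformed entry.
function readUuid(storage) {
  const raw = storage.getItem("pw_uuid");
  if (!raw) return undefined;
  try {
    const parsed = JSON.parse(raw);
    return parsed && parsed.data ? parsed.data : undefined;
  } catch (e) {
    return undefined; // corrupted entry: send no uuid rather than throw
  }
}

// Accept only an exact serialized origin (scheme://host[:port]).
// Rejects "*", URLs with a path, and opaque origins such as "null".
function isExactOrigin(value) {
  if (typeof value !== "string" || value === "*") return false;
  try {
    const u = new URL(value);
    return u.origin === value && (u.protocol === "https:" || u.protocol === "http:");
  } catch (e) {
    return false;
  }
}

// Same message as in the issue, but delivered only if the parent is at targetOrigin.
function sendUserData(parentWindow, storage, targetOrigin = PARENT_ORIGIN) {
  if (!isExactOrigin(targetOrigin)) {
    throw new Error("refusing to postMessage without an exact target origin");
  }
  const t = {};
  const uuid = readUuid(storage);
  if (uuid) t.uuid = uuid;
  const message = JSON.stringify({ type: "_pwUserDataReady", key: "", data: t });
  parentWindow.postMessage(message, targetOrigin);
  return message;
}

// In the iframe: sendUserData(window.parent, localStorage);
```

With an exact origin the browser drops the message if the parent window has been navigated elsewhere, so the `pw_uuid` value reaches only the intended embedder.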

Labels: acknowledged (GitHub staff acknowledges this issue), question (Further information is requested)