From 414bd40c41350c675d89027162a8b533e43da164 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Tue, 25 Oct 2022 11:27:52 +0200
Subject: [PATCH] JS: Do not track returned values out of the enclosing function
---
 javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll
index 2449f8a8eb88..047492790602 100644
--- a/javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll
@@ -1197,7 +1197,8 @@ private predicate reachesReturn(
 exists(DataFlow::Node mid, PathSummary oldSummary, PathSummary newSummary |
 flowStep(read, cfg, mid, oldSummary) and
 reachesReturn(f, mid, cfg, newSummary) and
- summary = oldSummary.append(newSummary)
+ summary = oldSummary.append(newSummary) and
+ pragma[only_bind_out](summary).isLevel()
 )
 }
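Review bot: The added conjunct `pragma[only_bind_out](summary).isLevel()` in the recursive case of `reachesReturn` has no comment, and neither the `isLevel()` restriction nor the binding pragma explains itself. A one-line comment would help, for example `// keep only paths that stay within f: the combined summary must be level`, with a note that `only_bind_out` is presumably there to steer join order rather than change the result. This predicate feeds the data-flow configurations that security queries depend on, so discarding non-level summaries can silently remove alerts as well as false positives. The diffstat shows only this file changed, so a regression test pinning which flows are intentionally no longer tracked appears to be missing. The predicate's body starts before the hunk, so its base case is not visible here and should be checked for the same restriction.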