CodeQL documentation

Misleading indentation after control statement

ID: js/misleading-indentation-after-control-statement
Kind: problem
Security severity: 
Severity: warning
Precision: very-high
Tags:
   - correctness
   - statistical
   - non-attributable
   - external/cwe/cwe-483
Query suites:
   - javascript-security-and-quality.qls

Loop bodies and the ‘then’ and ‘else’ branches of if statements can either be block statements delimited by curly braces, or simple statements. In the latter case, special care must be taken to correctly indent statements to indicate whether or not they belong to the body of the loop or the if statement. In particular, the statement immediately after the loop or if statement should not be indented by the same amount as the body to avoid misunderstanding of the control flow structure.

Recommendation

Use additional indentation to set loop bodies and then/else branches apart, but use the same amount of indentation for statements that follow each other in a sequence of statements.

Example

In this example, the ‘then’ branch of the if statement consists of the single statement scream();. Indentation makes it appear as if the statement runAway(); also belongs to the ‘then’ branch, while in fact it does not: it is simply the next statement after the if, and will be executed regardless of whether the condition afraid() evaluates to true or false.

if (afraid())
	scream();
	runAway();

If both statements were intended to be part of the ‘then’ branch, they should be enclosed in a block of statements like this:

if (afraid()) {
	scream();
	runAway();
}

If the second statement does not logically belong in the ‘then’ branch, its indentation should be decreased like this:

if (afraid())
	scream();
runAway();
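As an added example (not part of the CodeQL documentation or of the query itself), the following line-based heuristic in JavaScript flags the pattern described above, and also generalises to nested brace-less bodies and to `else` branches. The tab width of 4 columns and the sample snippets are assumptions.

```javascript
// Added example, not part of the CodeQL documentation or the query itself:
// a line-based heuristic that flags a statement indented like the brace-less
// body of the preceding if/else/for/while, even though it runs unconditionally.

// Matches a control-statement header whose body is NOT an opening brace on the same line.
const CONTROL_RE = /^\s*(?:else\s+)?(?:if|for|while)\s*\(.*\)\s*$|^\s*else\s*$/;

// Leading whitespace in columns; tabs expand to 4 columns (assumption).
function indentOf(line) {
  let width = 0;
  for (const ch of line) {
    if (ch === ' ') width += 1;
    else if (ch === '\t') width += 4 - (width % 4);
    else break;
  }
  return width;
}

function findMisleadingIndentation(source) {
  const lines = source.split('\n');
  const findings = [];
  for (let i = 0; i + 1 < lines.length; i++) {
    if (!CONTROL_RE.test(lines[i])) continue;              // not a brace-less header
    const body = lines[i + 1];
    if (body.trim() === '' || body.trim().startsWith('{')) continue; // block body
    const bodyIndent = indentOf(body);
    if (bodyIndent <= indentOf(lines[i])) continue;        // body not set apart at all
    // Skip lines nested deeper than the body (e.g. a nested brace-less if) and
    // blank lines to reach the first statement that follows the body.
    let j = i + 2;
    while (j < lines.length && (lines[j].trim() === '' || indentOf(lines[j]) > bodyIndent)) j++;
    if (j >= lines.length) continue;
    const next = lines[j].trim();
    // Misleading: the follower shares the body's indentation but is outside the body.
    if (indentOf(lines[j]) === bodyIndent && !/^(else\b|\}|\))/.test(next)) {
      findings.push({ line: j + 1, statement: next });
    }
  }
  return findings;
}

// Constructed samples: the three snippets from the text plus a nested case.
const MISLEADING = 'if (afraid())\n\tscream();\n\trunAway();\n';
const BLOCKED = 'if (afraid()) {\n\tscream();\n\trunAway();\n}\n';
const DEDENTED = 'if (afraid())\n\tscream();\nrunAway();\n';
const NESTED = 'if (a())\n\tif (b())\n\t\tx();\n\ty();\n';

console.log(findMisleadingIndentation(MISLEADING)); // [ { line: 3, statement: 'runAway();' } ]
```

Only the first snippet and the nested case are reported; the braced and the dedented versions produce no findings.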
