Missing code injection TP in JavaScript rule

[Anemone95]

The thing is, if I have this code:

JSON.parse = function(text, reviver) {
    j = eval("(" + text + ")");
};
JSON.parse(window.location.href);

CodeQL reported an alert:

"Code injection","Interpreting unsanitized user input as code allows a malicious user arbitrary code execution.","error","This code execution depends on a [[""user-provided value""|""relative:///test.js:5:12:5:31""]].","/test.js","3","14","3","29"

But if I separate the file saying:
./lib1.js:

JSON.parse = function(text, reviver) {
    j = eval("(" + text + ")");
};

./main.js

require("./lib1");
// JSON.parse = function(text, reviver) {
//     j = eval("(" + text + ")");
// };
JSON.parse(window.location.href);

I can't get that alert anymore. Why did that happen?

I was using codeql and query pack version release 2.20.4.

[hvitved]

@github/codeql-javascript : Would you be able to take a look, please?

[asgerf]

Hi @Anemone95. Thanks for the report.

This is a known limitation in the analysis at the moment. It occurs when a global access path is assigned in multiple files, or as in this case, a global access path assignment clashes with a built-in function.

[Anemone95]

I see. I thought it similarly, maybe as a trade-off for precision and scalability. Thanks for your answer!