Merge branch 'main' into sidshank/ts-5.6-update

javascript/ql/integration-tests/all-platforms/no-types/qlpack.yml

@@ -1,3 +0,0 @@
-dependencies:
-  codeql/javascript-all: '*'
-warnOnImplicitThis: true

javascript/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.1.3
+
+No user-facing changes.
+
 ## 1.1.2
 
 No user-facing changes.

javascript/ql/lib/change-notes/2024-09-03-outdated-deprecations.md

@@ -0,0 +1,10 @@
+---
+category: breaking
+---
+* Deleted the deprecated `isHTMLElement` and `getDOMName` predicates from the JSX library, use `isHtmlElement` and `getDomName` respectively instead.
+* Deleted the deprecated `getPackageJSON` predicate from the `SourceMappingComment` class, use `SourceMappingComment` instead.
+* Deleted many deprecated directives from the `Stmt.qll` file, use the `Directive::` module instead.
+* Deleted the deprecated `YAMLNode`, `YAMLValue`, and `YAMLScalar` classes from the YAML libraries, use `YamlNode`, `YamlValue`, and `YamlScalar` respectively instead.
+* Deleted the deprecated `getARouteHandlerExpr` predicate from `Connect.qll`, use `getARouteHandlerNode` instead.
+* Deleted the deprecated `getGWTVersion` predicate from `GWT.qll`, use `getGwtVersion` instead.
+* Deleted the deprecated `getOwnOptionsObject` predicate from  `Vue.qll`, use `getOwnOptions().getASink()` instead.

javascript/ql/lib/change-notes/released/1.1.3.md

@@ -0,0 +1,3 @@
+## 1.1.3
+
+No user-facing changes.

javascript/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.2
+lastReleaseVersion: 1.1.3

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 1.1.3-dev
+version: 1.1.4-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript

javascript/ql/lib/semmle/javascript/JSX.qll

@@ -73,9 +73,6 @@ class JsxElement extends JsxNode {
    * That is, the name starts with a lowercase letter.
    */
   predicate isHtmlElement() { this.getName().regexpMatch("[a-z].*") }
-
-  /** DEPRECATED: Alias for isHtmlElement */
-  deprecated predicate isHTMLElement() { this.isHtmlElement() }
 }
 
 /**
@@ -256,7 +253,4 @@ class JsxPragma extends JSDocTag {
    * the result is `React.DOM`.
    */
   string getDomName() { result = this.getDescription().trim() }
-
-  /** DEPRECATED: Alias for getDomName */
-  deprecated string getDOMName() { result = this.getDomName() }
 }

javascript/ql/lib/semmle/javascript/NodeJS.qll

@@ -295,6 +295,15 @@ private predicate isRequire(DataFlow::Node nd) {
     isCreateRequire(call.getCallee().flow()) and
     nd = call.flow()
   )
+  or
+  // `$.require('underscore');`.
+  // NPM as supported in [XSJS files](https://www.npmjs.com/package/@sap/async-xsjs#npm-packages-support).
+  exists(MethodCallExpr require |
+    nd.getFile().getExtension() = ["xsjs", "xsjslib"] and
+    require.getCalleeName() = "require" and
+    require.getReceiver().(GlobalVarAccess).getName() = "$" and
+    nd = require.getCallee().flow()
+  )
 }
 
 /**

javascript/ql/lib/semmle/javascript/NodeModuleResolutionImpl.qll

@@ -197,9 +197,6 @@ class MainModulePath extends PathExpr, @json_string {
     not exists(getExportRelativePath(this)) and result = "."
   }
 
-  /** DEPRECATED: Alias for getPackageJson */
-  deprecated PackageJson getPackageJSON() { result = this.getPackageJson() }
-
   override string getValue() { result = this.(JsonString).getValue() }
 
   override Folder getAdditionalSearchRoot(int priority) {
@@ -258,9 +255,6 @@ private class FilesPath extends PathExpr, @json_string {
   /** Gets the `package.json` file in which this path occurs. */
   PackageJson getPackageJson() { result = pkg }
 
-  /** DEPRECATED: Alias for getPackageJson */
-  deprecated PackageJson getPackageJSON() { result = this.getPackageJson() }
-
   override string getValue() { result = this.(JsonString).getValue() }
 
   override Folder getAdditionalSearchRoot(int priority) {

javascript/ql/lib/semmle/javascript/SourceMaps.qll

@@ -23,7 +23,4 @@ class SourceMappingComment extends Comment {
 
   /** Gets the URL of the source map referenced by this comment. */
   string getSourceMappingUrl() { result = url }
-
-  /** DEPRECATED: Alias for getSourceMappingUrl */
-  deprecated string getSourceMappingURL() { result = this.getSourceMappingUrl() }
 }

javascript/ql/lib/semmle/javascript/Stmt.qll

@@ -434,36 +434,6 @@ module Directive {
   }
 }
 
-/** DEPRECATED. Use `Directive::KnownDirective` instead. */
-deprecated class KnownDirective = Directive::KnownDirective;
-
-/** DEPRECATED. Use `Directive::StrictModeDecl` instead. */
-deprecated class StrictModeDecl = Directive::StrictModeDecl;
-
-/** DEPRECATED. Use `Directive::AsmJSDirective` instead. */
-deprecated class AsmJSDirective = Directive::AsmJSDirective;
-
-/** DEPRECATED. Use `Directive::BabelDirective` instead. */
-deprecated class BabelDirective = Directive::BabelDirective;
-
-/** DEPRECATED. Use `Directive::SixToFiveDirective` instead. */
-deprecated class SixToFiveDirective = Directive::SixToFiveDirective;
-
-/** DEPRECATED. Use `Directive::SystemJSFormatDirective` instead. */
-deprecated class SystemJSFormatDirective = Directive::SystemJSFormatDirective;
-
-/** DEPRECATED. Use `Directive::NgInjectDirective` instead. */
-deprecated class NgInjectDirective = Directive::NgInjectDirective;
-
-/** DEPRECATED. Use `Directive::YuiDirective` instead. */
-deprecated class YuiDirective = Directive::YuiDirective;
-
-/** DEPRECATED. Use `Directive::SystemJSDepsDirective` instead. */
-deprecated class SystemJSDepsDirective = Directive::SystemJSDepsDirective;
-
-/** DEPRECATED. Use `Directive::BundleDirective` instead. */
-deprecated class BundleDirective = Directive::BundleDirective;
-
 /**
  * An `if` statement.
  *

javascript/ql/lib/semmle/javascript/YAML.qll

@@ -54,12 +54,3 @@ private class MyYmlNode extends Locatable instanceof YamlNode {
 
   override string toString() { result = YamlNode.super.toString() }
 }
-
-/** DEPRECATED: Alias for YamlNode */
-deprecated class YAMLNode = YamlNode;
-
-/** DEPRECATED: Alias for YamlValue */
-deprecated class YAMLValue = YamlValue;
-
-/** DEPRECATED: Alias for YamlScalar */
-deprecated class YAMLScalar = YamlScalar;

javascript/ql/lib/semmle/javascript/frameworks/Connect.qll

@@ -88,12 +88,6 @@ module Connect {
 
     override DataFlow::Node getServer() { result = server }
 
-    /**
-     * DEPRECATED: Use `getARouteHandlerNode` instead.
-     * Gets an argument that represents a route handler being registered.
-     */
-    deprecated Expr getARouteHandlerExpr() { result = this.getARouteHandlerNode().asExpr() }
-
     /**
      * Gets an argument that represents a route handler being registered.
      */

javascript/ql/lib/semmle/javascript/frameworks/GWT.qll

@@ -28,9 +28,6 @@ class GwtHeader extends InlineScript {
       result = e.getStringValue()
     )
   }
-
-  /** DEPRECATED: Alias for getGwtVersion */
-  deprecated string getGWTVersion() { result = this.getGwtVersion() }
 }
 
 /**

javascript/ql/lib/semmle/javascript/frameworks/Vue.qll

@@ -183,14 +183,6 @@ module Vue {
       result = this.getAsClassComponent().getDecoratorOptions()
     }
 
-    /**
-     * DEPRECATED. Use `getOwnOptions().getASink()`.
-     *
-     * Gets the options passed to the Vue object, such as the object literal `{...}` in `new Vue{{...})`
-     * or the default export of a single-file component.
-     */
-    deprecated DataFlow::Node getOwnOptionsObject() { result = this.getOwnOptions().asSink() }
-
     /**
      * Gets the class implementing this Vue component, if any.
      *

javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.Required.Setting.model.yml

@@ -1,6 +1,6 @@
 extensions:
   - addsTo:
-      pack: codeql/javascript-queries
+      pack: codeql/javascript-all
       extensible: requiredHelmetSecuritySetting
     data:
       - ["frameguard"]

javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.qll

@@ -0,0 +1,41 @@
+/**
+ * Provides classes for working with Helmet
+ */
+
+private import javascript
+
+/**
+ * A write to a property of a route handler from the "helmet" module.
+ */
+class HelmetProperty extends DataFlow::Node instanceof DataFlow::PropWrite {
+  ExpressLibraries::HelmetRouteHandler helmet;
+
+  HelmetProperty() {
+    this = helmet.(DataFlow::CallNode).getAnArgument().getALocalSource().getAPropertyWrite()
+  }
+
+  /**
+   * Gets the route handler associated to this property.
+   */
+  ExpressLibraries::HelmetRouteHandler getHelmet() { result = helmet }
+
+  /**
+   * Gets the boolean value of this property, if it may evaluate to a `Boolean`.
+   */
+  predicate isFalse() { DataFlow::PropWrite.super.getRhs().mayHaveBooleanValue(false) }
+
+  /**
+   * Gets the name of the `HelmetProperty`.
+   */
+  string getName() { result = DataFlow::PropWrite.super.getPropertyName() }
+
+  /**
+   * read from data extensions to allow enforcing custom settings
+   */
+  predicate isImportantSecuritySetting() { requiredHelmetSecuritySetting(this.getName()) }
+}
+
+/**
+ * defaults are located in `javascript/ql/lib/semmle/frameworks/helmet/Helmet.Required.Setting.model.yml`
+ */
+extensible predicate requiredHelmetSecuritySetting(string name);

javascript/ql/src/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 1.1.2
+
+### Minor Analysis Improvements
+
+* Message events in the browser are now properly classified as client-side taint sources. Previously they were
+  incorrectly classified as server-side taint sources, which resulted in some alerts being reported by
+  the wrong query, such as server-side URL redirection instead of client-side URL redirection.
+
 ## 1.1.1
 
 No user-facing changes.

javascript/ql/src/Security/CWE-693/CUSTOMIZING.md

@@ -24,7 +24,7 @@ A suitable [model pack](https://docs.github.com/en/code-security/codeql-cli/usin
 name: my-org/javascript-helmet-insecure-config-model-pack
 version: 1.0.0
 extensionTargets:
-  codeql/java-all: '*'
+  codeql/javascript-all: '*'
 dataExtensions:
   - models/**/*.yml
 ```

javascript/ql/src/Security/CWE-693/InsecureHelmet.ql

@@ -12,30 +12,8 @@
  */
 
 import javascript
-import DataFlow
 import semmle.javascript.frameworks.ExpressModules
-
-class HelmetProperty extends DataFlow::Node instanceof DataFlow::PropWrite {
-  ExpressLibraries::HelmetRouteHandler helmet;
-
-  HelmetProperty() {
-    this = helmet.(DataFlow::CallNode).getAnArgument().getALocalSource().getAPropertyWrite()
-  }
-
-  ExpressLibraries::HelmetRouteHandler getHelmet() { result = helmet }
-
-  predicate isFalse() { DataFlow::PropWrite.super.getRhs().mayHaveBooleanValue(false) }
-
-  string getName() { result = DataFlow::PropWrite.super.getPropertyName() }
-
-  predicate isImportantSecuritySetting() {
-    // read from data extensions to allow enforcing custom settings
-    // defaults are located in javascript/ql/lib/semmle/frameworks/helmet/Helmet.Required.Setting.model.yml
-    requiredHelmetSecuritySetting(this.getName())
-  }
-}
-
-extensible predicate requiredHelmetSecuritySetting(string name);
+import semmle.javascript.frameworks.helmet.Helmet
 
 from HelmetProperty helmetProperty, ExpressLibraries::HelmetRouteHandler helmet
 where

javascript/ql/src/change-notes/released/1.1.2.md

@@ -1,6 +1,7 @@
----
-category: minorAnalysis
----
+## 1.1.2
+
+### Minor Analysis Improvements
+
 * Message events in the browser are now properly classified as client-side taint sources. Previously they were
   incorrectly classified as server-side taint sources, which resulted in some alerts being reported by
   the wrong query, such as server-side URL redirection instead of client-side URL redirection.

javascript/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.1
+lastReleaseVersion: 1.1.2

javascript/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 1.1.2-dev
+version: 1.1.3-dev
 groups:
   - javascript
   - queries

javascript/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.expected

@@ -9,3 +9,4 @@
 | tst.js:35:13:35:43 | crypto. ... an(512) | Creation of an asymmetric key uses 512 bits, which is below 2048 and considered breakable. |
 | tst.js:39:13:39:33 | new Nod ... : 512}) | Creation of an asymmetric RSA key uses 512 bits, which is below 2048 and considered breakable. |
 | tst.js:43:1:43:31 | key.gen ...  65537) | Creation of an asymmetric RSA key uses 512 bits, which is below 2048 and considered breakable. |
+| tst.xsjs:3:14:3:71 | crypto. ... 1024 }) | Creation of an asymmetric RSA key uses 1024 bits, which is below 2048 and considered breakable. |

javascript/ql/test/query-tests/Security/CWE-326/tst.xsjs

@@ -0,0 +1,5 @@
+const crypto = $.require("crypto");
+
+const bad1 = crypto.generateKeyPairSync("rsa", { modulusLength: 1024 }); // NOT OK
+
+const good1 = crypto.generateKeyPairSync("rsa", { modulusLength: 4096 }); // OK

javascript/ql/test/tutorials/Validating RAML-based APIs/Osprey.qll

@@ -47,9 +47,6 @@ class OspreyMethodDefinition extends MethodCallExpr {
   /** Get the API to which this method belongs. */
   OspreyApi getApi() { this.getReceiver() = result.getAnAccess() }
 
-  /** DEPRECATED: Alias for getApi */
-  deprecated OspreyApi getAPI() { result = this.getApi() }
-
   /** Get the verb which this method implements. */
   string getVerb() { result = this.getMethodName() }