hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 17:25:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Revert "Release preparation for version 2.18.1"

Browse Source
This commit is contained in:
Chuan-kai Lin
2024-07-22 13:22:49 -07:00
committed by GitHub
parent 81ab2025a1
commit 23320b6e5e
155 changed files with 145 additions and 406 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
javascript/ql/src/CHANGELOG.md
View File

@@ -1,17 +1,3 @@
## 1.1.0
### New Queries
* Added a new query, `js/insecure-helmet-configuration`, to detect instances where Helmet middleware is configured with important security features disabled.
### Minor Analysis Improvements
* Added a new query, `js/functionality-from-untrusted-domain`, which detects uses in HTML and JavaScript scripts from untrusted domains, including the `polyfill.io` content delivery network
* it can be extended to detect other compromised scripts using user-provided data extensions of the `untrustedDomain` predicate, which takes one string argument with the domain to warn on (and will warn on any subdomains too).
* Modified existing query, `js/functionality-from-untrusted-source`, to allow adding this new query, but reusing the same logic
* Added the ability to use data extensions to require SRI on CDN hostnames using the `isCdnDomainWithCheckingRequired` predicate, which takes one string argument of the full hostname to require SRI for.
* Created a new library, `semmle.javascript.security.FunctionalityFromUntrustedSource`, to support both queries.
## 1.0.3
### Minor Analysis Improvements

4
javascript/ql/src/change-notes/2024-06-19-insecure-helmet-config.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: newQuery
---
* Added a new query, `js/insecure-helmet-configuration`, to detect instances where Helmet middleware is configured with important security features disabled.

11
javascript/ql/src/change-notes/released/1.1.0.md → javascript/ql/src/change-notes/2024-07-08-functionality-from-untrusted-domain.md
View File

@@ -1,11 +1,6 @@
## 1.1.0
### New Queries
* Added a new query, `js/insecure-helmet-configuration`, to detect instances where Helmet middleware is configured with important security features disabled.
### Minor Analysis Improvements
---
category: minorAnalysis
---
* Added a new query, `js/functionality-from-untrusted-domain`, which detects uses in HTML and JavaScript scripts from untrusted domains, including the `polyfill.io` content delivery network
* it can be extended to detect other compromised scripts using user-provided data extensions of the `untrustedDomain` predicate, which takes one string argument with the domain to warn on (and will warn on any subdomains too).
* Modified existing query, `js/functionality-from-untrusted-source`, to allow adding this new query, but reusing the same logic

2
javascript/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.1.0
lastReleaseVersion: 1.0.3

2
javascript/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 1.1.0
version: 1.0.4-dev
groups:
- javascript
- queries