hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 02:35:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Change note

Browse Source
This commit is contained in:
Asger Feldthaus
2020-11-25 14:39:40 +00:00
parent e42ca881a3
commit 544b3d9631
1 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
javascript/change-notes/2020-11-25-prototype-pollution.md Normal file
View File

@@ -0,0 +1,10 @@
lgtm,codescanning
* Detection of prototype pollution has improved and the queries involved have been reorganized:
* A new query "Prototype-polluting assignment" (`js/prototype-polluting-assignment`) has been added. This query
highlights direct modifications of an object obtained via a user-controlled property name, which may accidentally alter `Object.prototype`.
* The query previously named "Prototype pollution" (`js/prototype-pollution`) has been renamed to "Prototype-polluting merge call".
This highlights indirect modification of `Object.prototype` via an unsafe `merge` call taking a user-controlled object as argument.
* The query previously named "Prototype pollution in utility function" (`js/prototype-pollution-utility`) has been renamed to "Prototype-polluting function".
This query highlights the implementation of an unsafe `merge` function, to ensure a robust API is exposed downstream.
* The prototype pollution queries have been moved to the Security/CWE-915 folder,
and tagged with CWE-079, CWE-094, CWE-400, and CWE-915.