From 5f5af4a29e81955f76da5a13c3281bdbc0468a0d Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Mon, 3 Jan 2022 18:21:16 -0500 Subject: [PATCH] Move change notes to correct location A few change notes slipped through the cracks of my previous change. These are now in the proper locations: `old-change-notes` for older notes, and `\ql\[src|lib]\change-notes` for current change notes. --- .../2021-10-07-cleartext-transmission.md | 0 .../{ => ql/src}/change-notes/2021-11-08-routing-trees.md | 4 +++- .../2021-12-07-handlebars-more-raw-interpolation.md | 4 +++- python/ql/src/change-notes/2021-12-17-add-SSRF-analysis.md | 4 ++++ .../{ => ql/src}/change-notes/2021-12-17-add-SSRF-queries.md | 5 +++-- ruby/{ => ql/lib}/change-notes/2021-12-21-constants.md | 4 +++- 6 files changed, 16 insertions(+), 5 deletions(-) rename cpp/{change-notes => old-change-notes}/2021-10-07-cleartext-transmission.md (100%) rename javascript/{ => ql/src}/change-notes/2021-11-08-routing-trees.md (89%) rename javascript/{ => ql/src}/change-notes/2021-12-07-handlebars-more-raw-interpolation.md (84%) create mode 100644 python/ql/src/change-notes/2021-12-17-add-SSRF-analysis.md rename python/{ => ql/src}/change-notes/2021-12-17-add-SSRF-queries.md (67%) rename ruby/{ => ql/lib}/change-notes/2021-12-21-constants.md (86%) diff --git a/cpp/change-notes/2021-10-07-cleartext-transmission.md b/cpp/old-change-notes/2021-10-07-cleartext-transmission.md similarity index 100% rename from cpp/change-notes/2021-10-07-cleartext-transmission.md rename to cpp/old-change-notes/2021-10-07-cleartext-transmission.md diff --git a/javascript/change-notes/2021-11-08-routing-trees.md b/javascript/ql/src/change-notes/2021-11-08-routing-trees.md similarity index 89% rename from javascript/change-notes/2021-11-08-routing-trees.md rename to javascript/ql/src/change-notes/2021-11-08-routing-trees.md index 5fa13a1bef6..e51ce23f70f 100644 --- a/javascript/change-notes/2021-11-08-routing-trees.md 
+++ b/javascript/ql/src/change-notes/2021-11-08-routing-trees.md @@ -1,3 +1,5 @@ -lgtm,codescanning +--- +category: minorAnalysis +--- * Data flow is now tracked across middleware functions in more cases, leading to more security results in general. Affected packages are `express` and `fastify`. * `js/missing-token-validation` has been made more precise, yielding both fewer false positives and more true positives. diff --git a/javascript/change-notes/2021-12-07-handlebars-more-raw-interpolation.md b/javascript/ql/src/change-notes/2021-12-07-handlebars-more-raw-interpolation.md similarity index 84% rename from javascript/change-notes/2021-12-07-handlebars-more-raw-interpolation.md rename to javascript/ql/src/change-notes/2021-12-07-handlebars-more-raw-interpolation.md index 7eb075550fa..e72b4adc2a6 100644 --- a/javascript/change-notes/2021-12-07-handlebars-more-raw-interpolation.md +++ b/javascript/ql/src/change-notes/2021-12-07-handlebars-more-raw-interpolation.md @@ -1,3 +1,5 @@ -lgtm,codescanning +--- +category: minorAnalysis +--- * Support for handlebars templates has improved. Raw interpolation tags of the form `{{& ... }}` are now recognized, as well as whitespace-trimming tags like `{{~ ... }}`. diff --git a/python/ql/src/change-notes/2021-12-17-add-SSRF-analysis.md b/python/ql/src/change-notes/2021-12-17-add-SSRF-analysis.md new file mode 100644 index 00000000000..1b50aa9ace8 --- /dev/null +++ b/python/ql/src/change-notes/2021-12-17-add-SSRF-analysis.md @@ -0,0 +1,4 @@ +--- +catgegory: minorAnalysis +--- +* To support the new SSRF queries, the PyPI package `requests` has been modeled, along with `http.client.HTTP[S]Connection` from the standard library. 
diff --git a/python/change-notes/2021-12-17-add-SSRF-queries.md b/python/ql/src/change-notes/2021-12-17-add-SSRF-queries.md similarity index 67% rename from python/change-notes/2021-12-17-add-SSRF-queries.md rename to python/ql/src/change-notes/2021-12-17-add-SSRF-queries.md index d2a5e3b5312..af7da32ead4 100644 --- a/python/change-notes/2021-12-17-add-SSRF-queries.md +++ b/python/ql/src/change-notes/2021-12-17-add-SSRF-queries.md @@ -1,3 +1,4 @@ -lgtm,codescanning +--- +catgegory: newQuery +--- * Two new queries have been added for detecting Server-side request forgery (SSRF). _Full server-side request forgery_ (`py/full-ssrf`) will only alert when the URL is fully user-controlled, and _Partial server-side request forgery_ (`py/partial-ssrf`) will alert when any part of the URL is user-controlled. Only `py/full-ssrf` will be run by default. -* To support the new SSRF queries, the PyPI package `requests` have been modeled, along with `http.client.HTTP[S]Connection` from the standard library. diff --git a/ruby/change-notes/2021-12-21-constants.md b/ruby/ql/lib/change-notes/2021-12-21-constants.md similarity index 86% rename from ruby/change-notes/2021-12-21-constants.md rename to ruby/ql/lib/change-notes/2021-12-21-constants.md index 29ee123d914..331078917e9 100644 --- a/ruby/change-notes/2021-12-21-constants.md +++ b/ruby/ql/lib/change-notes/2021-12-21-constants.md @@ -1,2 +1,4 @@ -lgtm,codescanning +--- +category: deprecated +--- * `ConstantWriteAccess.getQualifiedName()` has been deprecated in favor of `getAQualifiedName()` which can return multiple possible qualified names for a given constant write access.
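Review bot: in the `javascript/ql/src/change-notes/2021-11-08-routing-trees.md` hunk, the first bullet says the middleware tracking leads to "more security results in general" without saying which queries are affected; since the second bullet names `js/missing-token-validation` explicitly, the first bullet should do the same for the queries whose results change with `express` and `fastify` middleware flow, so users reading the release notes can tell which new alerts to expect.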
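Review bot: in the `javascript/ql/src/change-notes/2021-12-07-handlebars-more-raw-interpolation.md` hunk, the note states that `{{& ... }}` raw interpolation and `{{~ ... }}` whitespace-trimming tags are now recognized but not what that means for results; raw interpolation emits unescaped output, so the note should say whether recognizing these tags changes alerts for the queries that track template output (for example, additional alerts where user-controlled data reaches a raw tag), as the other `minorAnalysis` notes in this patch do.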
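Review bot: the front-matter key in the new `python/ql/src/change-notes/2021-12-17-add-SSRF-analysis.md` is misspelled as `catgegory: minorAnalysis`; the JavaScript and Ruby notes in the same patch use `category:`, and a note whose front matter has no `category` key will not be picked up under the intended heading when the change notes are compiled, so this should read `category: minorAnalysis`.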
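Review bot: the same misspelling appears in `python/ql/src/change-notes/2021-12-17-add-SSRF-queries.md`, where the front matter reads `catgegory: newQuery` and should be `category: newQuery`; this one matters more, since a `newQuery` note that is silently dropped would leave `py/full-ssrf` and `py/partial-ssrf` unannounced. The bullet itself is clear on the important operational detail that only `py/full-ssrf` runs by default, but it would help to add one sentence on how to enable `py/partial-ssrf` (for example, via a query suite), because a reader of the release notes otherwise has to look that up.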