From 003b600e2478fb0aaf4db19b61c782d30cae5156 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Tue, 4 Sep 2018 13:11:52 +0100
Subject: [PATCH 1/3] TypeScript: disable queries that rely on token information
---
 javascript/ql/src/LanguageFeatures/EmptyArrayInit.ql | 1 +
 .../ql/src/LanguageFeatures/SemicolonInsertion.ql | 3 ++-
 .../MisleadingIndentationAfterControlStmt.ql | 3 ++-
 .../SemicolonInsertion/template_literal.ts | 12 ++++++++++++
 4 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/template_literal.ts
diff --git a/javascript/ql/src/LanguageFeatures/EmptyArrayInit.ql b/javascript/ql/src/LanguageFeatures/EmptyArrayInit.ql
index 48ae4811244..70c89715bf8 100644
--- a/javascript/ql/src/LanguageFeatures/EmptyArrayInit.ql
+++ b/javascript/ql/src/LanguageFeatures/EmptyArrayInit.ql
@@ -45,4 +45,5 @@ class OmittedArrayElement extends ArrayExpr {
 }
 from OmittedArrayElement ae
+where not ae.getFile().getFileType().isTypeScript() // ignore quirks in TypeScript tokenizer
 select ae, "Avoid omitted array elements."
\ No newline at end of file
diff --git a/javascript/ql/src/LanguageFeatures/SemicolonInsertion.ql b/javascript/ql/src/LanguageFeatures/SemicolonInsertion.ql
index fc52539be8d..2eef68fe5f4 100644
--- a/javascript/ql/src/LanguageFeatures/SemicolonInsertion.ql
+++ b/javascript/ql/src/LanguageFeatures/SemicolonInsertion.ql
@@ -36,7 +36,8 @@ where s.hasSemicolonInserted() and
 asi = strictcount(Stmt ss | asi(sc, ss, true)) and
 nstmt = strictcount(Stmt ss | asi(sc, ss, _)) and
 perc = ((1-asi/nstmt)*100).floor() and
- perc >= 90
+ perc >= 90 and
+ not s.getFile().getFileType().isTypeScript() // ignore some quirks in the TypeScript tokenizer
 select (LastLineOf)s, "Avoid automated semicolon insertion " + "(" + perc + "% of all statements in $@ have an explicit semicolon).", sc, "the enclosing " + sctype
\ No newline at end of file
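Review bot: Nothing in the queries marks the added `isTypeScript()` filters as temporary, although the change note in patch 3/3 describes them that way; this applies to EmptyArrayInit.ql and SemicolonInsertion.ql here and to MisleadingIndentationAfterControlStmt.ql in the next hunk. A reader of a query alone will take the filter as permanent, and TypeScript projects get no results from these rules without any hint in the query as to why. I would mark each filter with the condition for removing it, for example `// TEMPORARY: token data for TypeScript files is unreliable; remove once fixed (see <tracking issue>)`. The same wording should be used in all three files, since SemicolonInsertion.ql currently says "some quirks in the TypeScript tokenizer" while the other two say "quirks in TypeScript tokenizer". The where clause in SemicolonInsertion.ql begins above its hunk.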
diff --git a/javascript/ql/src/Statements/MisleadingIndentationAfterControlStmt.ql b/javascript/ql/src/Statements/MisleadingIndentationAfterControlStmt.ql
index 0629224ed50..84e11138f7b 100644
--- a/javascript/ql/src/Statements/MisleadingIndentationAfterControlStmt.ql
+++ b/javascript/ql/src/Statements/MisleadingIndentationAfterControlStmt.ql
@@ -39,6 +39,7 @@ where misleadingIndentationCandidate(ctrl, s1, s2) and
 f.hasIndentation(ctrlStartLine, indent, _) and
 f.hasIndentation(startLine1, indent, _) and
 f.hasIndentation(startLine2, indent, _) and
- not s2 instanceof EmptyStmt
+ not s2 instanceof EmptyStmt and
+ not f.getFileType().isTypeScript() // ignore quirks in TypeScript tokenizer
 select (FirstLineOf)s2, "The indentation of this statement suggests that it is controlled by $@, while in fact it is not.", (FirstLineOf)ctrl, "this statement"
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/template_literal.ts b/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/template_literal.ts
new file mode 100644
index 00000000000..01ce984f8e3
--- /dev/null
+++ b/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/template_literal.ts
@@ -0,0 +1,12 @@
+function foo(arg) {
+ console.log(arg);
+ console.log(arg);
+ console.log(arg);
+ console.log(arg);
+ console.log(arg);
+ console.log(arg);
+ console.log(arg);
+ console.log(arg);
+ console.log(arg);
+ console.log(`Unknown option '${arg}'.`);
+}
From 2b8bc63b01b6da9dd5d85204ce9c16c001b63445 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Tue, 4 Sep 2018 14:23:37 +0100
Subject: [PATCH 2/3] TypeScript: add change note
---
 change-notes/1.18/analysis-javascript.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/change-notes/1.18/analysis-javascript.md b/change-notes/1.18/analysis-javascript.md
index 733e3b25bad..efbc286cd68 100644
--- a/change-notes/1.18/analysis-javascript.md
+++ b/change-notes/1.18/analysis-javascript.md
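Review bot: No TypeScript test accompanies the `not f.getFileType().isTypeScript()` conjunct added to MisleadingIndentationAfterControlStmt.ql; the only new test file in the series is template_literal.ts under the SemicolonInsertion tests. This rule reports statements whose indentation makes them look guarded by a control statement when they are not, so excluding a whole file type removes a check that reviewers rely on to catch accidentally unconditional statements, and without a failing input on record there is nothing to show when it is safe to re-enable. I would add a `.ts` case under this query's test directory that reproduces the bad result. If the misfire turns out to be limited to particular tokens (the SemicolonInsertion test's file name hints at template literals, though that is only a guess), the filter could be narrowed to those instead of the whole file type. The where clause starts above the hunk.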
@@ -108,6 +108,7 @@
 | Missing rate limiting | More true-positive results, fewer false-positive results | This rule now recognizes additional rate limiters and expensive route handlers. |
 | Missing X-Frame-Options HTTP header | Fewer false-positive results | This rule now treats header names case-insensitively. |
 | Reflected cross-site scripting | Fewer false-positive results | This rule now treats header names case-insensitively. |
+| Semicolon insertion | Fewer results | This rule now ignores TypeScript files as it did not work correctly. |
 | Server-side URL redirect | More true-positive results | This rule now treats header names case-insensitively. |
 | Superfluous trailing arguments | Fewer false-positive results | This rule now ignores calls to some empty functions. |
 | Type confusion through parameter tampering | Fewer false-positive results | This rule no longer flags emptiness checks. |
From 6ceb10371a34415f2b12d8aa64f2f48e5661d48c Mon Sep 17 00:00:00 2001
From: Asger F
Date: Tue, 4 Sep 2018 15:06:04 +0100
Subject: [PATCH 3/3] TypeScript: rephrase change note
---
 change-notes/1.18/analysis-javascript.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/change-notes/1.18/analysis-javascript.md b/change-notes/1.18/analysis-javascript.md
index efbc286cd68..74759bf2ba9 100644
--- a/change-notes/1.18/analysis-javascript.md
+++ b/change-notes/1.18/analysis-javascript.md
@@ -105,10 +105,12 @@
 | Hard-coded credentials | More true-positive results | This rule now recognizes secret cryptographic keys. |
 | Incomplete string escaping or encoding | Better name, more true-positive results | This rule has been renamed to more clearly reflect its purpose. Also, it now recognizes incomplete URL encoding and decoding. |
 | Insecure randomness | More true-positive results | This rule now recognizes secret cryptographic keys. |
+| Misleading indentation after control statement | Fewer results | This rule temporarily ignores TypeScript files. |
 | Missing rate limiting | More true-positive results, fewer false-positive results | This rule now recognizes additional rate limiters and expensive route handlers. |
 | Missing X-Frame-Options HTTP header | Fewer false-positive results | This rule now treats header names case-insensitively. |
+| Omitted array element | Fewer results | This rule temporarily ignores TypeScript files. |
 | Reflected cross-site scripting | Fewer false-positive results | This rule now treats header names case-insensitively. |
-| Semicolon insertion | Fewer results | This rule now ignores TypeScript files as it did not work correctly. |
+| Semicolon insertion | Fewer results | This rule temporarily ignores TypeScript files. |
 | Server-side URL redirect | More true-positive results | This rule now treats header names case-insensitively. |
 | Superfluous trailing arguments | Fewer false-positive results | This rule now ignores calls to some empty functions. |
 | Type confusion through parameter tampering | Fewer false-positive results | This rule no longer flags emptiness checks. |