Merge branch 'main' into js/shared-dataflow-merge-main

2026-04-28 02:05:14 +02:00 · 2024-08-22 13:22:05 +02:00
parent c66000d2fa a1688f6a1a
commit c54f5858b1
1277 changed files with 120219 additions and 12839 deletions
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.1.1
+
+No user-facing changes.
+
 ## 1.1.0

 ### New Queries
--- a/javascript/ql/src/Security/CWE-693/CUSTOMIZING.md
+++ b/javascript/ql/src/Security/CWE-693/CUSTOMIZING.md
@@ -24,7 +24,7 @@ A suitable [model pack](https://docs.github.com/en/code-security/codeql-cli/usin
 name: my-org/javascript-helmet-insecure-config-model-pack
 version: 1.0.0
 extensionTargets:
-  codeql/java-all: '*'
+  codeql/javascript-all: '*'
 dataExtensions:
  - models/**/*.yml
 ```
--- a/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
+++ b/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
@@ -12,30 +12,8 @@
 */

 import javascript
-import DataFlow
 import semmle.javascript.frameworks.ExpressModules
-
-class HelmetProperty extends DataFlow::Node instanceof DataFlow::PropWrite {
-  ExpressLibraries::HelmetRouteHandler helmet;
-
-  HelmetProperty() {
-    this = helmet.(DataFlow::CallNode).getAnArgument().getALocalSource().getAPropertyWrite()
-  }
-
-  ExpressLibraries::HelmetRouteHandler getHelmet() { result = helmet }
-
-  predicate isFalse() { DataFlow::PropWrite.super.getRhs().mayHaveBooleanValue(false) }
-
-  string getName() { result = DataFlow::PropWrite.super.getPropertyName() }
-
-  predicate isImportantSecuritySetting() {
-    // read from data extensions to allow enforcing custom settings
-    // defaults are located in javascript/ql/lib/semmle/frameworks/helmet/Helmet.Required.Setting.model.yml
-    requiredHelmetSecuritySetting(this.getName())
-  }
-}
-
-extensible predicate requiredHelmetSecuritySetting(string name);
+import semmle.javascript.frameworks.helmet.Helmet

 from HelmetProperty helmetProperty, ExpressLibraries::HelmetRouteHandler helmet
 where
--- a/javascript/ql/src/change-notes/2024-08-16-post-message-source-client-side.md
+++ b/javascript/ql/src/change-notes/2024-08-16-post-message-source-client-side.md
@@ -0,0 +1,6 @@
+---
+category: minorAnalysis
+---
+* Message events in the browser are now properly classified as client-side taint sources. Previously they were
+  incorrectly classified as server-side taint sources, which resulted in some alerts being reported by
+  the wrong query, such as server-side URL redirection instead of client-side URL redirection.
--- a/javascript/ql/src/change-notes/released/1.1.1.md
+++ b/javascript/ql/src/change-notes/released/1.1.1.md
@@ -0,0 +1,3 @@
+## 1.1.1
+
+No user-facing changes.
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.0
+lastReleaseVersion: 1.1.1
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 1.1.1-dev
+version: 1.1.2-dev
 groups:
  - javascript
  - queries