Move older change notes to old-change-notes

Now that change notes are per-package, new change notes should be created in the `change-notes` folder under the affected pack (e.g., `cpp/ql/src/change-notes` for C++ query change notes). I've moved all of the change note files that were added before we started publishing them in packs to an `old-change-notes` directory under each language, to reduce the temptation to add new change notes there.

I'm working on a document to describe how and when to create change notes for packs separately.
Dave Bartolomeo
2021-12-14 12:35:04 -05:00
parent a62f181d42
commit fa40d59332
401 changed files with 0 additions and 0 deletions

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* The `js/prototype-polluting-assignment` query now flags assignments that may modify
the built-in Object prototype where the property name originates from library input.

View File

@@ -0,0 +1,7 @@
lgtm,codescanning
* The security queries now track taint through the format string of a date-formatting operation.
Affected packages are
[moment](https://npmjs.com/package/moment),
[moment-timezone](https://npmjs.com/package/moment-timezone),
[date-fns](https://npmjs.com/package/date-fns), and
[dateformat](https://npmjs.com/package/dateformat).

View File

@@ -0,0 +1,5 @@
lgtm,codescanning
* The security queries now track taint through JWT decoding, and warns about hard-coded JWT signing keys.
Affected packages are
[jsonwebtoken](https://www.npmjs.com/package/jsonwebtoken) and
[jwt-decode](https://www.npmjs.com/package/jwt-decode)
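Review bot: subject-verb agreement in the first line of this note: "The security queries now track taint through JWT decoding, and warns about hard-coded JWT signing keys" has a plural subject, so the second verb should be "warn". The last package entry also lacks the closing period used by the other notes in this set.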

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* Hot-reloading React component are now recognized. Affects the package `react-hot-loader`.
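Review bot: "Hot-reloading React component are now recognized" needs the plural "components" to agree with "are".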

View File

@@ -0,0 +1,11 @@
lgtm,codescanning
* We've improved the detection of prototype pollution, and the queries involved have been reorganized:
* A new query "Prototype-polluting assignment" (`js/prototype-polluting-assignment`) has been added. This query
highlights direct modifications of an object obtained via a user-controlled property name, which may accidentally alter `Object.prototype`.
* The query previously named "Prototype pollution" (`js/prototype-pollution`) has been renamed to "Prototype-polluting merge call".
This highlights indirect modification of `Object.prototype` via an unsafe `merge` call taking a user-controlled object as argument.
* The query previously named "Prototype pollution in utility function" (`js/prototype-pollution-utility`) has been renamed to "Prototype-polluting function".
This query highlights the implementation of an unsafe `merge` function, to ensure a robust API is exposed downstream.
* The above queries have been moved to the Security/CWE-915 folder, and assigned the following tags: CWE-078, CWE-079, CWE-094, CWE-400, and CWE-915.
* The query "Type confusion through parameter tampering" (`js/type-confusion-through-parameter-tampering`) now highlights
ineffective prototype pollution checks that can be bypassed by type confusion.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The `js/log-injection` query has been moved into non-experimental, and the precision of the query has been changed to medium.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Database query built from user-controlled sources" (`js/sql-injection`) has been improved to recognize more Mongoose APIs that may interpret untrusted user input as a query.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* TypeScript 4.1 is now supported.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* Custom remote flow sources can now be specified by including a file named `codeql-javascript-remote-flow-sources.json` in your code base. See documentation for more details.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The `js/build-artifact-leak` query no longer reports when only a safe subset of the properties on `process.env` are included in a build-artifact.

View File

@@ -0,0 +1,9 @@
lgtm,codescanning
* The `js/indirect-command-line-injection` query now supports more command-line parsing libraries.
Affected packages are
[arg](https://www.npmjs.com/package/arg),
[argparse](https://www.npmjs.com/package/argparse),
[command-line-args](https://www.npmjs.com/package/command-line-args),
[meow](https://www.npmjs.com/package/meow),
[dashdash](https://www.npmjs.com/package/dashdash),
[commander](https://www.npmjs.com/package/commander).

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The command injection security queries now recognize additional sinks.
Affected packages are
[execa](https://npmjs.com/package/execa)

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* The `js/polynomial-redos` query has been improved by replacing the algorithm that detects expensive regular expressions.
This change reduces the number of false positives and detects new true positives.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Incomplete multi-character sanitization" (`js/incomplete-multi-character-sanitization`) has been improved to produce additional true positives and fewer false positives.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The `js/polynomial-redos` query now flags uses of expensive regular expressions where the source is library input.

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* Support for Angular has improved. Angular templates are now parsed and used to
establish data flow between components.
* Support for RxJS has improved. Taint is now tracked through RxJS Observable objects.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The `js/server-crash` query has been added. It highlights servers may be terminated by a malicious user.
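Review bot: "It highlights servers may be terminated by a malicious user" is missing a relative word; "highlights servers that may be terminated by a malicious user" (or "highlights where a server may be terminated") is what the note means.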

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* Added support for modern compound assignments (`||=`, `&&=`, and `??=`) in the type inference.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Unneeded defensive code" (`js/unneeded-defensive-code`) no longer flags uses of function parameters.

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The dataflow libraries now model dataflow in the Immutable.js library.
Affected packages are
[Immutable.js](https://npmjs.com/package/immutable)

View File

@@ -0,0 +1,8 @@
lgtm,codescanning
* The security queries now track taint through XML parsers.
Affected packages are
[xml2js](https://www.npmjs.com/package/xml2js),
[sax](https://www.npmjs.com/package/sax),
[xml-js](https://www.npmjs.com/package/xml-js),
[htmlparser2](https://www.npmjs.com/package/htmlparser2), and
[node-expat](https://www.npmjs.com/package/node-expat)

View File

@@ -0,0 +1,6 @@
lgtm,codescanning
* The `js/xss-through-dom` query now recognizes form inputs as sources.
Affected packages are
[formik](https://www.npmjs.com/package/formik) and
[react-final-form](https://www.npmjs.com/package/react-final-form) and
[react-hook-form](https://www.npmjs.com/package/react-hook-form)

View File

@@ -0,0 +1,7 @@
lgtm,codescanning
* Server side form parsing libraries are now recognized as source of remote user input.
Affected packages are
[multer](https://www.npmjs.com/package/multer),
[busboy](https://www.npmjs.com/package/busboy),
[formidable](https://www.npmjs.com/package/formidable), and
[multiparty](https://www.npmjs.com/package/formidable).
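Review bot: the last link target is wrong: `[multiparty](https://www.npmjs.com/package/formidable)` points at the formidable package that is already listed on the line above; it should be https://www.npmjs.com/package/multiparty. This commit only moves the file, so a follow-up is fine, but the archived note should not carry a mis-attributed link.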

View File

@@ -0,0 +1,9 @@
lgtm,codescanning
* The security queries now track taint through markdown parsers.
Affected packages are
[marked](https://npmjs.com/package/marked),
[markdown-table](https://npmjs.com/package/markdown-table),
[showdown](https://npmjs.com/package/showdown),
[snarkdown](https://npmjs.com/package/snarkdown),
[unified](https://npmjs.com/package/unified), and
[remark](https://npmjs.com/package/remark)

View File

@@ -0,0 +1,8 @@
lgtm,codescanning
* URIs used in the Apollo-link libraries are now recognized as sinks for `js/request-forgery`.
Affected packages are
[apollo-link-http](https://www.npmjs.com/package/apollo-link-http),
[apollo-client](https://www.npmjs.com/package/apollo-client),
[apollo-boost](https://www.npmjs.com/package/apollo-boost),
[apollo-client-preset](https://www.npmjs.com/package/apollo-client-preset), and
[apollo-link-ws](https://www.npmjs.com/package/apollo-link-ws)

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Support for Vue has improved. Taint sources from [vue-router](https://npmjs.com/package/vue-router)
route parameters are now recognized.

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Support for [Next.js](https://www.npmjs.com/package/next) has been added.
Taint sources, sinks, and steps are now recognized.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* TypeScript 4.2 is now supported.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* Modelling of DOM event handlers has been improved, enabling the `js/xss` query to flag additional alerts.

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* Sources of user input and sinks for `js/request-forgery` in the http-proxy are now recognized.
Affected packages are
[http-proxy](https://www.npmjs.com/package/http-proxy)

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* URIs used in the form-data library are now recognized as sinks for `js/request-forgery`.
Affected packages are
[form-data](https://www.npmjs.com/package/form-data)

View File

@@ -0,0 +1,8 @@
lgtm,codescanning
* The security queries now recognize the effect of JSON schema validation, and highlights
cases where this validation is susceptible to denial-of-service attacks.
Affects the package [ajv](https://npmjs.com/package/ajv).
* A new query, `js/resource-exhaustion-from-deep-object-traversal`, has been added to the query suite,
highlighting denial-of-service attacks exploiting operations that traverse deeply user-controlled objects.
* The `js/xss-through-exception` query now recognizes JSON schema validation errors as a source, as they
may contain part of the input data.
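Review bot: two wording points in this note. "The security queries now recognize ... and highlights cases" has a plural subject, so it should be "highlight cases". In the second bullet, "operations that traverse deeply user-controlled objects" is ambiguous between "deeply traverse" and "deeply nested"; given the query id `js/resource-exhaustion-from-deep-object-traversal`, "operations that deeply traverse user-controlled objects" is the intended reading.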

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The `js/template-object-injection` query has been added. It highlights places where an attacker can pass special parameters to a template engine.

View File

@@ -0,0 +1,6 @@
lgtm,codescanning
* Support for `d3` has improved. The XSS queries now recognize HTML injection sinks
from the `d3` API.
Affected packages are
[d3](https://npmjs.com/package/d3),
[d3-selection](https://npmjs.com/package/d3-selection).

View File

@@ -0,0 +1,6 @@
lgtm,codescanning
* The security queries now distinguish more clearly between different parts of `window.location`.
When the taint source of an alert is based on `window.location`, the source will usually
occur closer to where user-controlled data is obtained, such as at `location.hash`.
* `js/request-forgery` no longer considers client-side path parameters to be a source due to
the restricted character set usable in a path, resulting in fewer false-positive results.

View File

@@ -0,0 +1,5 @@
lgtm,codescanning
* Route handlers registered using koa routing libraries are recognized as a source of remote user input.
Affected packages are
[koa-route](https://www.npmjs.com/package/koa-route), and
[koa-router](https://www.npmjs.com/package/koa-router)

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* The analysis of regular expression-based sanitization patterns has improved,
leading to more true-positive results, in particular for the XSS queries.

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* URIs used in the puppeteer library are now recognized as sinks for `js/request-forgery`.
Affected packages are
[puppeteer](https://www.npmjs.com/package/puppeteer)

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The command injection security queries now recognize additional sinks.
Affected packages are
[async-execute](https://npmjs.com/package/async-execute)

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Calls to property accessors are now analyzed on par with regular function calls,
leading to more results from queries that rely on data flow.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The legacy code duplication library has been removed.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* Legacy filter queries have been removed.

View File

@@ -0,0 +1,6 @@
lgtm,codescanning
* The `lodash-es` package is now recognized as a variant of `lodash`.
* Taint is now propagated through the `babel.transform` function.
* Improved data flow through React applications using `redux-form` or `react-router`.
* Base64 decoding using the `react-native-base64` package is now recognized.
* An expression of form `o[o.length] = y` is now recognized as appending to an array.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* SQL injection sinks from the `pg-promise` library are now recognized.

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* The SQL library models for `mysql`, `mysql2`, `mssql`, `pg`, `sqlite3`, `sequelize`, and `@google-cloud/spanner` have improved,
leading to more SQL injection sinks.

View File

@@ -0,0 +1,5 @@
lgtm,codescanning
* Fixed a bug which caused some imports to be resolved incorrectly
for projects containing multiple `tsconfig.json` files.
* Fixed a bug which could cause some files in the `node_modules` folder
to be extracted even though they should be excluded.

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Support for Redux has improved. The security queries can now track taint through reducer functions and state managed by Redux.
Affected packages are `redux`, `react-redux`, `@reduxjs/toolkit`, `redux-actions`, `redux-persist`, `reduce-reducers`, `redux-immutable`, and `immer`.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Disabling certificate validation" (`js/disabling-certificate-validation`) has been improved to recognize many more request libraries.

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Support for `fs.promises` has been added, leading to more results for security queries
related to file system access.

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The security queries now track taint through markdown-it.
Affected packages are
[markdown-it](https://npmjs.com/package/markdown-it)

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Support for Nest.js has been added. The security queries now recognize sources and sinks
specific to the Nest.js framework.

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Fixed a bug that could cause extraction to fail when extracting a TypeScript
code base containing a template literal type without substitutions.

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Tracking of HTTP route handlers has improved, which may lead to additional
security results, and fewer false-positive results from the `js/missing-rate-limiting` query.

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* A new query, `js/html-constructed-from-input`, has been added to the query suite,
highlighting libraries that may leave clients vulnerable to cross-site-scripting attacks.

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The security queries now track taint through the anser library.
Affected packages are
[anser](https://www.npmjs.com/package/anser)

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Modelling of chaining methods in the `sqlite3` package has improved, which may lead to
additional results from the `js/sql-injection` query.

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The dataflow libraries now model dataflow in the `clone` library.
Affected packages are
[clone](https://npmjs.com/package/clone)

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* TypeScript 4.3 is now supported.

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* Logging calls using the [debug](https://npmjs.com/package/immutable) library are now recognized.
Affected packages are
[debug](https://npmjs.com/package/debug)
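Review bot: the inline link on the first line, `[debug](https://npmjs.com/package/immutable)`, points at the immutable package. The "Affected packages" line directly below already has the correct target, https://npmjs.com/package/debug, so the first link should match it.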

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The dataflow libraries now model dataflow in the prettier library.
Affected packages are
[prettier](https://npmjs.com/package/prettier)

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The security queries recognize the merge call from [webpack-merge](https://npmjs.com/package/webpack-merge).
Affected packages are
[webpack-merge](https://npmjs.com/package/webpack-merge)

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* Taint sources and sinks from the [history](https://npmjs.com/package/history) library are now recognized.
Affected packages are
[history](https://www.npmjs.com/package/history)

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* Paths used with the [resolve](https://npmjs.com/package/resolve) command are seen as sinks for the `js/path-injection` query.
Affected packages are
[resolve](https://npmjs.com/package/resolve)

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* URIs used in the [whatwg-fetch](https://www.npmjs.com/package/whatwg-fetch) library are now recognized as sinks for `js/request-forgery`.
Affected packages are
[whatwg-fetch](https://www.npmjs.com/package/whatwg-fetch)

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The dataflow libraries now model dataflow in the [`serialize-javascript`](https://npmjs.com/package/serialize-javascript) library.
Affected packages are
[serialize-javascript](https://npmjs.com/package/serialize-javascript)

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* Private folders exposed using the [`serve-handler`](https://npmjs.com/package/serve-handler) library is not recognized by `js/exposure-of-private-files`.
Affected packages are
[serve-handler](https://npmjs.com/package/serve-handler)
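Review bot: "Private folders exposed using the `serve-handler` library is not recognized by `js/exposure-of-private-files`" states the opposite of what a note announcing new library support would say; this is almost certainly "are now recognized". The subject "Private folders" is also plural, so "is" should be "are" either way.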

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The security queries now recognize the JSON schema validation from the [joi](https://npmjs.org/package/joi) library.
Affected packages are
[joi](https://npmjs.org/package/joi)
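Review bot: joi validates against its own schema description language, not JSON Schema, so "the JSON schema validation from the joi library" conflates it with the ajv note elsewhere in this set; "schema validation from the joi library" is accurate. Both links here also use npmjs.org where every other note uses npmjs.com.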

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* Events from the [`serverless`](https://npmjs.com/package/serverless) package are recognized a source of remote user input.
Affected packages are
[serverless](https://npmjs.com/package/serverless)
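Review bot: "are recognized a source of remote user input" is missing "as": "are recognized as a source of remote user input".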

View File

@@ -0,0 +1,9 @@
lgtm,codescanning
* The `js/sql-injection` query now recognizes graphql injections.
Affected packages are
[@octokit/core](https://npmjs.com/package/@octokit/core),
[@octokit/rest](https://npmjs.com/package/@octokit/rest),
[@octokit/graphql](https://npmjs.com/package/@octokit/graphql),
[@octokit/request](https://npmjs.com/package/@octokit/request),
[@actions/github](https://npmjs.com/package/@actions/github), and
[graphql](https://npmjs.com/package/graphql)

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* SQL injection sinks from the `knex` library are now recognized.

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Script tags with the `lang="tsx"` attribute are now recognized as containing TypeScript code
and are analyzed accordingly.

View File

@@ -0,0 +1,16 @@
lgtm,codescanning
* The security queries now track flow through various `Promise` polyfills.
Affected packages are
[kew](https://npmjs.com/package/kew),
[promise](https://npmjs.com/package/promise),
[promise-polyfill](https://npmjs.com/package/promise-polyfill),
[rsvp](https://npmjs.com/package/rsvp),
[es6-promise](https://npmjs.com/package/es6-promise),
[native-promise-only](https://npmjs.com/package/native-promise-only),
[when](https://npmjs.com/package/when),
[pinkie-promise](https://npmjs.com/package/pinkie-promise),
[pinkie](https://npmjs.com/package/pinkie),
[synchronous-promise](https://npmjs.com/package/synchronous-promise),
[any-promise](https://npmjs.com/package/any-promise),
[lie](https://npmjs.com/package/lie),
[promise.allsettled](https://npmjs.com/package/promise.allsettled)

View File

@@ -0,0 +1,9 @@
lgtm,codescanning
* Improved support for date parsing libraries, resulting in more results in security queries.
Affected packages are
[dayjs](https://npmjs.com/package/dayjs),
[luxon](https://npmjs.com/package/luxon),
[@date-io/moment](https://npmjs.com/package/@date-io/moment),
[@date-io/luxon](https://npmjs.com/package/@date-io/luxon),
[@date-io/dayjs](https://npmjs.com/package/@date-io/dayjs)

View File

@@ -0,0 +1,6 @@
lgtm,codescanning
* Support for libraries modeling `promisify` and `promisifyAll` functions have been improved.
Affected packages are
[pify](https://www.npmjs.com/package/pify),
[util.promisify](https://www.npmjs.com/package/util.promisify),
[thenify](https://www.npmjs.com/package/thenify)
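Review bot: "Support for libraries modeling `promisify` and `promisifyAll` functions have been improved" should be "has been improved"; the subject is "Support", not "libraries".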

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* The regular expression queries now recognize calls to the String `match` method more precisely,
resulting in fewer false-positive results when a string is passed to a method named `match`.

View File

@@ -0,0 +1,5 @@
lgtm,codescanning
* Support for `chokidar` has improved. The `js/tainted-path` query now recognizes calls to `chokidar.watch`,
and the security queries recognize the filenames returned by the library.
Affected packages are
[chokidar](https://npmjs.com/package/chokidar)

View File

@@ -0,0 +1,13 @@
lgtm,codescanning
* The dataflow libraries now model dataflow through console styling libraries.
Affected packages are
[ansi-colors](https://npmjs.com/package/ansi-colors),
[colors](https://npmjs.com/package/colors),
[wrap-ansi](https://npmjs.com/package/wrap-ansi),
[colorette](https://npmjs.com/package/colorette),
[cli-highlight](https://npmjs.com/package/cli-highlight),
[cli-color](https://npmjs.com/package/cli-color),
[slice-ansi](https://npmjs.com/package/slice-ansi),
[kleur](https://npmjs.com/package/kleur),
[chalk](https://npmjs.com/package/chalk),
[strip-ansi](https://npmjs.com/package/strip-ansi)

View File

@@ -0,0 +1,10 @@
lgtm,codescanning
* More template engines are recognized as sinks for the `js/code-injection` query.
Affected packages are
[mustache](https://npmjs.com/package/mustache),
[handlebars](https://npmjs.com/package/handlebars),
[dot](https://npmjs.com/package/dot),
[hogan.js](https://npmjs.com/package/hogan.js)
[eta](https://npmjs.com/package/eta),
[squirrelly](https://npmjs.com/package/squirrelly),
[whiskers](https://npmjs.com/package/whiskers)
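Review bot: the package list is missing the separator after `[hogan.js](https://npmjs.com/package/hogan.js)`: every other entry ends with a comma, and the convention in these notes is "..., and [last]" before the final entry.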

View File

@@ -0,0 +1,14 @@
lgtm,codescanning
* The dataflow libraries now model dataflow through more JSON utility libraries.
Affected packages are
[json2csv](https://npmjs.com/package/json2csv),
[json5](https://npmjs.com/package/json5),
[prettyjson](https://npmjs.com/package/prettyjson),
[flatted](https://npmjs.com/package/flatted),
[teleport-javascript](https://npmjs.com/package/teleport-javascript),
[replicator](https://npmjs.com/package/replicator),
[safe-stable-stringify](https://npmjs.com/package/safe-stable-stringify),
[fclone](https://npmjs.com/package/fclone),
[json-cycle](https://npmjs.com/package/json-cycle),
[strip-json-comments](https://npmjs.com/package/strip-json-comments),
[fast-json-stringify](https://npmjs.com/package/fast-json-stringify)

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* HTML properties in the MooTools library are now recognized as sinks for `js/xss`.
Affected packages are
[Mootools](https://mootools.net/)

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Improved analysis of React components that has passed through a higher-order component
from the `recompose` library.
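Review bot: "React components that has passed through a higher-order component" should be "that have passed", to agree with the plural "components".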

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Support for `vuex` has been added. The security queries can now
track taint through the `vuex` state.

View File

@@ -0,0 +1,26 @@
lgtm,codescanning
* The dataflow libraries now model dataflow through case changing libraries.
Affected packages are
[change-case](https://www.npmjs.com/package/change-case),
[camel-case](https://www.npmjs.com/package/camel-case),
[pascal-case](https://www.npmjs.com/package/pascal-case),
[snake-case](https://www.npmjs.com/package/snake-case),
[kebab-case](https://www.npmjs.com/package/kebab-case),
[param-case](https://www.npmjs.com/package/param-case),
[path-case](https://www.npmjs.com/package/path-case),
[sentence-case](https://www.npmjs.com/package/sentence-case),
[title-case](https://www.npmjs.com/package/title-case),
[upper-case](https://www.npmjs.com/package/upper-case),
[lower-case](https://www.npmjs.com/package/lower-case),
[no-case](https://www.npmjs.com/package/no-case),
[constant-case](https://www.npmjs.com/package/constant-case),
[dot-case](https://www.npmjs.com/package/dot-case),
[upper-case-first](https://www.npmjs.com/package/upper-case-first),
[lower-case-first](https://www.npmjs.com/package/lower-case-first),
[header-case](https://www.npmjs.com/package/header-case),
[capital-case](https://www.npmjs.com/package/capital-case),
[swap-case](https://www.npmjs.com/package/swap-case),
[sponge-case](https://www.npmjs.com/package/sponge-case),
[titleize](https://www.npmjs.com/package/titleize),
[camelcase](https://www.npmjs.com/package/camelcase),
[decamelize](https://www.npmjs.com/package/decamelize)

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The `js/log-injection` query now recognizes more logging frameworks.
Affected packages are
[pino](https://npmjs.com/package/pino)

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* Fixed a bug that could occur when data was tracked through a function whose parameter
flows through a captured variable before reaching the return.
This can lead to fewer false-positive results and more true-positive results.

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The `cwd` option from the `read-pkg` library is recognized as a sink for `js/tainted-path`.
Affected packages are
[read-pkg](https://npmjs.com/package/read-pkg)

View File

@@ -0,0 +1,6 @@
lgtm,codescanning
* The `js/tainted-path` and `js/zipslip` queries now recognize path that have been
normalized using the `slash` library.
Affected packages are
[slash](https://npmjs.com/package/slash)
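Review bot: "now recognize path that have been normalized" should be "paths that have been normalized".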

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The `js/tainted-path` now recognizes the `mkdirp` library as a sink.
Affected packages are
[mkdirp](https://www.npmjs.com/package/mkdirp)
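Review bot: "The `js/tainted-path` now recognizes the `mkdirp` library as a sink" is missing the noun; the other notes write "The `js/tainted-path` query now recognizes ...".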

View File

@@ -0,0 +1,6 @@
lgtm,codescanning
* The security queries now track taint through more query string parsers.
Affected packages are
[qs](https://npmjs.com/package/qs),
[normailize-url](https://npmjs.com/package/normalize-url),
[parseqs](https://npmjs.com/package/parseqs)
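Review bot: the link text `[normailize-url]` is misspelled; the URL https://npmjs.com/package/normalize-url is correct, so only the visible text needs to become `normalize-url`.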

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The XSS queries now recognize when the `react-tooltip` library is being used with HTML.
Affected packages are
[react-tooltip](https://npmjs.com/package/react-tooltip)

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The security queries now track taint through the `ansi-to-html` library.
Affected packages are
[ansi-to-html](https://www.npmjs.com/package/ansi-to-html)

View File

@@ -0,0 +1,15 @@
lgtm,codescanning
* The dataflow libraries now model dataflow through more array libraries.
Affected packages are
[array-from](https://npmjs.com/package/array-from),
[array.prototype.find](https://npmjs.com/package/array.prototype.find),
[array-find](https://npmjs.com/package/array-find),
[arrify](https://npmjs.com/package/arrify),
[array-ify](https://npmjs.com/package/array-ify),
[array-union](https://npmjs.com/package/array-union),
[array-uniq](https://npmjs.com/package/array-uniq),
[uniq](https://npmjs.com/package/uniq),
[array-flatten](https://npmjs.com/package/array-flatten),
[arr-flatten](https://npmjs.com/package/arr-flatten),
[flatten](https://npmjs.com/package/flatten),
[array.prototype.flat](https://npmjs.com/package/array.prototype.flat)

View File

@@ -0,0 +1,5 @@
lgtm,codescanning
* The dataflow libraries now model dataflow in the `sort-keys` and `camelcase-keys` library.
Affected packages are
[sort-keys](https://npmjs.com/package/sort-keys),
[camelcase-keys](https://npmjs.com/package/camelcase-keys)
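Review bot: "in the `sort-keys` and `camelcase-keys` library" refers to two packages, so it should be "libraries".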

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Some methods from the DOM API are now modeled more precisely, potentially
leading to more `js/xss` results.

View File

@@ -0,0 +1,6 @@
lgtm,codescanning
* Added support for more templating languages.
- EJS, Mustache, Handlebars, Nunjucks, Hogan, and Swig are now supported.
- Template tags from the above dialects are now recognized as sinks
when not escaped safely for the context, leading to additional results for `js/xss` and `js/code-injection`.
- Files with the extension `.ejs`, `.hbs`, or `.njk` are now extracted and analyzed.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Hard-coded credentials" (`js/hardcoded-credentials`) no longer flags deliberately weak authentication headers.

View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The `js/xss` query now reports fewer false positives in cases where
`location.hash` flows to a jQuery `$()` call in a way that preserves
the `#` prefix.

View File

@@ -0,0 +1,6 @@
lgtm,codescanning
* Some library files have been deprecated, which may affect custom queries.
Queries importing a data-flow configuration from `semmle.javascript.security.dataflow` should
ensure that the imported file ends with `Query`, and only import its top-level module.
For example, a query that imported `DomBasedXss::DomBasedXss` should from now on import `DomBasedXssQuery`
instead.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The `js/incomplete-multi-character-sanitization` query now flags more regular expressions that can result in bad sanitization.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The class `Vue::Instance` has been renamed to `Vue::Component`.

Some files were not shown because too many files have changed in this diff.