mirror of
https://github.com/github/codeql.git
synced 2026-05-16 12:17:07 +02:00
Compare commits
1 Commits
codeql-cli
...
remove-jav
| Author | SHA1 | Date | |
|---|---|---|---|
|
ee314a4dad |
@@ -1,7 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The security queries now track taint through the format string of a date-formatting operation.
|
||||
Affected packages are
|
||||
[moment](https://npmjs.com/package/moment),
|
||||
[moment-timezone](https://npmjs.com/package/moment-timezone),
|
||||
[date-fns](https://npmjs.com/package/date-fns), and
|
||||
[dateformat](https://npmjs.com/package/dateformat).
|
||||
@@ -1,5 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The security queries now track taint through JWT decoding, and warns about hard-coded JWT signing keys.
|
||||
Affected packages are
|
||||
[jsonwebtoken](https://www.npmjs.com/package/jsonwebtoken) and
|
||||
[jwt-decode](https://www.npmjs.com/package/jwt-decode)
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Hot-reloading React component are now recognized. Affects the package `react-hot-loader`.
|
||||
@@ -1,11 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* We've improved the detection of prototype pollution, and the queries involved have been reorganized:
|
||||
* A new query "Prototype-polluting assignment" (`js/prototype-polluting-assignment`) has been added. This query
|
||||
highlights direct modifications of an object obtained via a user-controlled property name, which may accidentally alter `Object.prototype`.
|
||||
* The query previously named "Prototype pollution" (`js/prototype-pollution`) has been renamed to "Prototype-polluting merge call".
|
||||
This highlights indirect modification of `Object.prototype` via an unsafe `merge` call taking a user-controlled object as argument.
|
||||
* The query previously named "Prototype pollution in utility function" (`js/prototype-pollution-utility`) has been renamed to "Prototype-polluting function".
|
||||
This query highlights the implementation of an unsafe `merge` function, to ensure a robust API is exposed downstream.
|
||||
* The above queries have been moved to the Security/CWE-915 folder, and assigned the following tags: CWE-078, CWE-079, CWE-094, CWE-400, and CWE-915.
|
||||
* The query "Type confusion through parameter tampering" (`js/type-confusion-through-parameter-tampering`) now highlights
|
||||
ineffective prototype pollution checks that can be bypassed by type confusion.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `js/log-injection` query has been moved into non-experimental, and the precision of the query has been changed to medium.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The query "Database query built from user-controlled sources" (`js/sql-injection`) has been improved to recognize more Mongoose APIs that may interpret untrusted user input as a query.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* TypeScript 4.1 is now supported.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Custom remote flow sources can now be specified by including a file named `codeql-javascript-remote-flow-sources.json` in your code base. See documentation for more details.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `js/build-artifact-leak` query no longer reports when only a safe subset of the properties on `process.env` are included in a build-artifact.
|
||||
@@ -1,9 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `js/indirect-command-line-injection` query now supports more command-line parsing libraries.
|
||||
Affected packages are
|
||||
[arg](https://www.npmjs.com/package/arg),
|
||||
[argparse](https://www.npmjs.com/package/argparse),
|
||||
[command-line-args](https://www.npmjs.com/package/command-line-args),
|
||||
[meow](https://www.npmjs.com/package/meow),
|
||||
[dashdash](https://www.npmjs.com/package/dashdash),
|
||||
[commander](https://www.npmjs.com/package/commander).
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The command injection security queries now recognize additional sinks.
|
||||
Affected packages are
|
||||
[execa](https://npmjs.com/package/execa)
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `js/polynomial-redos` query has been improved by replacing the algorithm that detects expensive regular expressions.
|
||||
This change reduces the number of false positives and detects new true positives.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The query "Incomplete multi-character sanitization" (`js/incomplete-multi-character-sanitization`) has been improved to produce additional true positives and fewer false positives.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `js/polynomial-redos` query now flags uses of expensive regular expressions where the source is library input.
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Support for Angular has improved. Angular templates are now parsed and used to
|
||||
establish data flow between components.
|
||||
* Support for RxJS has improved. Taint is now tracked through RxJS Observable objects.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `js/server-crash` query has been added. It highlights servers may be terminated by a malicious user.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Added support for modern compound assignments (`||=`, `&&=`, and `??=`) in the type inference.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The query "Unneeded defensive code" (`js/unneeded-defensive-code`) no longer flags uses of function parameters.
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The dataflow libraries now model dataflow in the Immutable.js library.
|
||||
Affected packages are
|
||||
[Immutable.js](https://npmjs.com/package/immutable)
|
||||
@@ -1,8 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The security queries now track taint through XML parsers.
|
||||
Affected packages are
|
||||
[xml2js](https://www.npmjs.com/package/xml2js),
|
||||
[sax](https://www.npmjs.com/package/sax),
|
||||
[xml-js](https://www.npmjs.com/package/xml-js),
|
||||
[htmlparser2](https://www.npmjs.com/package/htmlparser2), and
|
||||
[node-expat](https://www.npmjs.com/package/node-expat)
|
||||
@@ -1,6 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `js/xss-through-dom` query now recognizes form inputs as sources.
|
||||
Affected packages are
|
||||
[formik](https://www.npmjs.com/package/formik) and
|
||||
[react-final-form](https://www.npmjs.com/package/react-final-form) and
|
||||
[react-hook-form](https://www.npmjs.com/package/react-hook-form)
|
||||
@@ -1,7 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Server side form parsing libraries are now recognized as source of remote user input.
|
||||
Affected packages are
|
||||
[multer](https://www.npmjs.com/package/multer),
|
||||
[busboy](https://www.npmjs.com/package/busboy),
|
||||
[formidable](https://www.npmjs.com/package/formidable), and
|
||||
[multiparty](https://www.npmjs.com/package/formidable).
|
||||
@@ -1,9 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The security queries now track taint through markdown parsers.
|
||||
Affected packages are
|
||||
[marked](https://npmjs.com/package/marked),
|
||||
[markdown-table](https://npmjs.com/package/markdown-table),
|
||||
[showdown](https://npmjs.com/package/showdown),
|
||||
[snarkdown](https://npmjs.com/package/snarkdown),
|
||||
[unified](https://npmjs.com/package/unified), and
|
||||
[remark](https://npmjs.com/package/remark)
|
||||
@@ -1,8 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* URIs used in the Apollo-link libraries are now recognized as sinks for `js/request-forgery`.
|
||||
Affected packages are
|
||||
[apollo-link-http](https://www.npmjs.com/package/apollo-link-http),
|
||||
[apollo-client](https://www.npmjs.com/package/apollo-client),
|
||||
[apollo-boost](https://www.npmjs.com/package/apollo-boost),
|
||||
[apollo-client-preset](https://www.npmjs.com/package/apollo-client-preset), and
|
||||
[apollo-link-ws](https://www.npmjs.com/package/apollo-link-ws)
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Support for Vue has improved. Taint sources from [vue-router](https://npmjs.com/package/vue-router)
|
||||
route parameters are now recognized.
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Support for [Next.js](https://www.npmjs.com/package/next) has been added.
|
||||
Taint sources, sinks, and steps are now recognized.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* TypeScript 4.2 is now supported.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Modelling of DOM event handlers has been improved, enabling the `js/xss` query to flag additional alerts.
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Sources of user input and sinks for `js/request-forgery` in the http-proxy are now recognized.
|
||||
Affected packages are
|
||||
[http-proxy](https://www.npmjs.com/package/http-proxy)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* URIs used in the form-data library are now recognized as sinks for `js/request-forgery`.
|
||||
Affected packages are
|
||||
[form-data](https://www.npmjs.com/package/form-data)
|
||||
@@ -1,8 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The security queries now recognize the effect of JSON schema validation, and highlights
|
||||
cases where this validation is susceptible to denial-of-service attacks.
|
||||
Affects the package [ajv](https://npmjs.com/package/ajv).
|
||||
* A new query, `js/resource-exhaustion-from-deep-object-traversal`, has been added to the query suite,
|
||||
highlighting denial-of-service attacks exploiting operations that traverse deeply user-controlled objects.
|
||||
* The `js/xss-through-exception` query now recognizes JSON schema validation errors as a source, as they
|
||||
may contain part of the input data.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `js/template-object-injection` query has been added. It highlights places where an attacker can pass special parameters to a template engine.
|
||||
@@ -1,6 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Support for `d3` has improved. The XSS queries now recognize HTML injection sinks
|
||||
from the `d3` API.
|
||||
Affected packages are
|
||||
[d3](https://npmjs.com/package/d3),
|
||||
[d3-selection](https://npmjs.com/package/d3-selection).
|
||||
@@ -1,6 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The security queries now distinguish more clearly between different parts of `window.location`.
|
||||
When the taint source of an alert is based on `window.location`, the source will usually
|
||||
occur closer to where user-controlled data is obtained, such as at `location.hash`.
|
||||
* `js/request-forgery` no longer considers client-side path parameters to be a source due to
|
||||
the restricted character set usable in a path, resulting in fewer false-positive results.
|
||||
@@ -1,5 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Route handlers registered using koa routing libraries are recognized as a source of remote user input.
|
||||
Affected packages are
|
||||
[koa-route](https://www.npmjs.com/package/koa-route), and
|
||||
[koa-router](https://www.npmjs.com/package/koa-router)
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The analysis of regular expression-based sanitization patterns has improved,
|
||||
leading to more true-positive results, in particular for the XSS queries.
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* URIs used in the puppeteer library are now recognized as sinks for `js/request-forgery`.
|
||||
Affected packages are
|
||||
[puppeteer](https://www.npmjs.com/package/puppeteer)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The command injection security queries now recognize additional sinks.
|
||||
Affected packages are
|
||||
[async-execute](https://npmjs.com/package/async-execute)
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Calls to property accessors are now analyzed on par with regular function calls,
|
||||
leading to more results from queries that rely on data flow.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The legacy code duplication library has been removed.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Legacy filter queries have been removed.
|
||||
@@ -1,6 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `lodash-es` package is now recognized as a variant of `lodash`.
|
||||
* Taint is now propagated through the `babel.transform` function.
|
||||
* Improved data flow through React applications using `redux-form` or `react-router`.
|
||||
* Base64 decoding using the `react-native-base64` package is now recognized.
|
||||
* An expression of form `o[o.length] = y` is now recognized as appending to an array.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* SQL injection sinks from the `pg-promise` library are now recognized.
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The SQL library models for `mysql`, `mysql2`, `mssql`, `pg`, `sqlite3`, `sequelize`, and `@google-cloud/spanner` have improved,
|
||||
leading to more SQL injection sinks.
|
||||
@@ -1,5 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Fixed a bug which caused some imports to be resolved incorrectly
|
||||
for projects containing multiple `tsconfig.json` files.
|
||||
* Fixed a bug which could cause some files in the `node_modules` folder
|
||||
to be extracted even though they should be excluded.
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Support for Redux has improved. The security queries can now track taint through reducer functions and state managed by Redux.
|
||||
Affected packages are `redux`, `react-redux`, `@reduxjs/toolkit`, `redux-actions`, `redux-persist`, `reduce-reducers`, `redux-immutable`, and `immer`.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The query "Disabling certificate validation" (`js/disabling-certificate-validation`) has been improved to recognize many more request libraries.
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Support for `fs.promises` has been added, leading to more results for security queries
|
||||
related to file system access.
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The security queries now track taint through markdown-it.
|
||||
Affected packages are
|
||||
[markdown-it](https://npmjs.com/package/markdown-it)
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Support for Nest.js has been added. The security queries now recognize sources and sinks
|
||||
specific to the Nest.js framework.
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Fixed a bug that could cause extraction to fail when extracting a TypeScript
|
||||
code base containing a template literal type without substitutions.
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Tracking of HTTP route handlers has improved, which may lead to additional
|
||||
security results, and fewer false-positive results from the `js/missing-rate-limiting` query.
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* A new query, `js/html-constructed-from-input`, has been added to the query suite,
|
||||
highlighting libraries that may leave clients vulnerable to cross-site-scripting attacks.
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The security queries now track taint through the anser library.
|
||||
Affected packages are
|
||||
[anser](https://www.npmjs.com/package/anser)
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Modelling of chaining methods in the `sqlite3` package has improved, which may lead to
|
||||
additional results from the `js/sql-injection` query.
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The dataflow libraries now model dataflow in the `clone` library.
|
||||
Affected packages are
|
||||
[clone](https://npmjs.com/package/clone)
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* TypeScript 4.3 is now supported.
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Logging calls using the [debug](https://npmjs.com/package/immutable) library are now recognized.
|
||||
Affected packages are
|
||||
[debug](https://npmjs.com/package/debug)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The dataflow libraries now model dataflow in the prettier library.
|
||||
Affected packages are
|
||||
[prettier](https://npmjs.com/package/prettier)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The security queries recognize the merge call from [webpack-merge](https://npmjs.com/package/webpack-merge).
|
||||
Affected packages are
|
||||
[webpack-merge](https://npmjs.com/package/webpack-merge)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Taint sources and sinks from the [history](https://npmjs.com/package/history) library are now recognized.
|
||||
Affected packages are
|
||||
[history](https://www.npmjs.com/package/history)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Paths used with the [resolve](https://npmjs.com/package/resolve) command are seen as sinks for the `js/path-injection` query.
|
||||
Affected packages are
|
||||
[resolve](https://npmjs.com/package/resolve)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* URIs used in the [whatwg-fetch](https://www.npmjs.com/package/whatwg-fetch) library are now recognized as sinks for `js/request-forgery`.
|
||||
Affected packages are
|
||||
[whatwg-fetch](https://www.npmjs.com/package/whatwg-fetch)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The dataflow libraries now model dataflow in the [`serialize-javascript`](https://npmjs.com/package/serialize-javascript) library.
|
||||
Affected packages are
|
||||
[serialize-javascript](https://npmjs.com/package/serialize-javascript)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Private folders exposed using the [`serve-handler`](https://npmjs.com/package/serve-handler) library is not recognized by `js/exposure-of-private-files`.
|
||||
Affected packages are
|
||||
[serve-handler](https://npmjs.com/package/serve-handler)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The security queries now recognize the JSON schema validation from the [joi](https://npmjs.org/package/joi) library.
|
||||
Affected packages are
|
||||
[joi](https://npmjs.org/package/joi)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Events from the [`serverless`](https://npmjs.com/package/serverless) package are recognized a source of remote user input.
|
||||
Affected packages are
|
||||
[serverless](https://npmjs.com/package/serverless)
|
||||
@@ -1,9 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `js/sql-injection` query now recognizes graphql injections.
|
||||
Affected packages are
|
||||
[@octokit/core](https://npmjs.com/package/@octokit/core),
|
||||
[@octokit/rest](https://npmjs.com/package/@octokit/rest),
|
||||
[@octokit/graphql](https://npmjs.com/package/@octokit/graphql),
|
||||
[@octokit/request](https://npmjs.com/package/@octokit/request),
|
||||
[@actions/github](https://npmjs.com/package/@actions/github), and
|
||||
[graphql](https://npmjs.com/package/graphql)
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* SQL injection sinks from the `knex` library are now recognized.
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Script tags with the `lang="tsx"` attribute are now recognized as containing TypeScript code
|
||||
and are analyzed accordingly.
|
||||
@@ -1,16 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The security queries now track flow through various `Promise` polyfills.
|
||||
Affected packages are
|
||||
[kew](https://npmjs.com/package/kew),
|
||||
[promise](https://npmjs.com/package/promise),
|
||||
[promise-polyfill](https://npmjs.com/package/promise-polyfill),
|
||||
[rsvp](https://npmjs.com/package/rsvp),
|
||||
[es6-promise](https://npmjs.com/package/es6-promise),
|
||||
[native-promise-only](https://npmjs.com/package/native-promise-only),
|
||||
[when](https://npmjs.com/package/when),
|
||||
[pinkie-promise](https://npmjs.com/package/pinkie-promise),
|
||||
[pinkie](https://npmjs.com/package/pinkie),
|
||||
[synchronous-promise](https://npmjs.com/package/synchronous-promise),
|
||||
[any-promise](https://npmjs.com/package/any-promise),
|
||||
[lie](https://npmjs.com/package/lie),
|
||||
[promise.allsettled](https://npmjs.com/package/promise.allsettled)
|
||||
@@ -1,9 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Improved support for date parsing libraries, resulting in more results in security queries.
|
||||
Affected packages are
|
||||
[dayjs](https://npmjs.com/package/dayjs),
|
||||
[luxon](https://npmjs.com/package/luxon),
|
||||
[@date-io/moment](https://npmjs.com/package/@date-io/moment),
|
||||
[@date-io/luxon](https://npmjs.com/package/@date-io/luxon),
|
||||
[@date-io/dayjs](https://npmjs.com/package/@date-io/dayjs)
|
||||
|
||||
@@ -1,6 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Support for libraries modeling `promisify` and `promisifyAll` functions have been improved.
|
||||
Affected packages are
|
||||
[pify](https://www.npmjs.com/package/pify),
|
||||
[util.promisify](https://www.npmjs.com/package/util.promisify),
|
||||
[thenify](https://www.npmjs.com/package/thenify)
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The regular expression queries now recognize calls to the String `match` method more precisely,
|
||||
resulting in fewer false-positive results when a string is passed to a method named `match`.
|
||||
@@ -1,5 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Support for `chokidar` has improved. The `js/tainted-path` query now recognizes calls to `chokidar.watch`,
|
||||
and the security queries recognize the filenames returned by the library.
|
||||
Affected packages are
|
||||
[chokidar](https://npmjs.com/package/chokidar)
|
||||
@@ -1,13 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The dataflow libraries now model dataflow through console styling libraries.
|
||||
Affected packages are
|
||||
[ansi-colors](https://npmjs.com/package/ansi-colors),
|
||||
[colors](https://npmjs.com/package/colors),
|
||||
[wrap-ansi](https://npmjs.com/package/wrap-ansi),
|
||||
[colorette](https://npmjs.com/package/colorette),
|
||||
[cli-highlight](https://npmjs.com/package/cli-highlight),
|
||||
[cli-color](https://npmjs.com/package/cli-color),
|
||||
[slice-ansi](https://npmjs.com/package/slice-ansi),
|
||||
[kleur](https://npmjs.com/package/kleur),
|
||||
[chalk](https://npmjs.com/package/chalk),
|
||||
[strip-ansi](https://npmjs.com/package/strip-ansi)
|
||||
@@ -1,10 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* More template engines are recognized as sinks for the `js/code-injection` query.
|
||||
Affected packages are
|
||||
[mustache](https://npmjs.com/package/mustache),
|
||||
[handlebars](https://npmjs.com/package/handlebars),
|
||||
[dot](https://npmjs.com/package/dot),
|
||||
[hogan.js](https://npmjs.com/package/hogan.js)
|
||||
[eta](https://npmjs.com/package/eta),
|
||||
[squirrelly](https://npmjs.com/package/squirrelly),
|
||||
[whiskers](https://npmjs.com/package/whiskers)
|
||||
@@ -1,14 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The dataflow libraries now model dataflow through more JSON utility libraries.
|
||||
Affected packages are
|
||||
[json2csv](https://npmjs.com/package/json2csv),
|
||||
[json5](https://npmjs.com/package/json5),
|
||||
[prettyjson](https://npmjs.com/package/prettyjson),
|
||||
[flatted](https://npmjs.com/package/flatted),
|
||||
[teleport-javascript](https://npmjs.com/package/teleport-javascript),
|
||||
[replicator](https://npmjs.com/package/replicator),
|
||||
[safe-stable-stringify](https://npmjs.com/package/safe-stable-stringify),
|
||||
[fclone](https://npmjs.com/package/fclone),
|
||||
[json-cycle](https://npmjs.com/package/json-cycle),
|
||||
[strip-json-comments](https://npmjs.com/package/strip-json-comments),
|
||||
[fast-json-stringify](https://npmjs.com/package/fast-json-stringify)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* HTML properties in the MooTools library are now recognized as sinks for `js/xss`.
|
||||
Affected packages are
|
||||
[Mootools](https://mootools.net/)
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Improved analysis of React components that has passed through a higher-order component
|
||||
from the `recompose` library.
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Support for `vuex` has been added. The security queries can now
|
||||
track taint through the `vuex` state.
|
||||
@@ -1,26 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The dataflow libraries now model dataflow through case changing libraries.
|
||||
Affected packages are
|
||||
[change-case](https://www.npmjs.com/package/change-case),
|
||||
[camel-case](https://www.npmjs.com/package/camel-case),
|
||||
[pascal-case](https://www.npmjs.com/package/pascal-case),
|
||||
[snake-case](https://www.npmjs.com/package/snake-case),
|
||||
[kebab-case](https://www.npmjs.com/package/kebab-case),
|
||||
[param-case](https://www.npmjs.com/package/param-case),
|
||||
[path-case](https://www.npmjs.com/package/path-case),
|
||||
[sentence-case](https://www.npmjs.com/package/sentence-case),
|
||||
[title-case](https://www.npmjs.com/package/title-case),
|
||||
[upper-case](https://www.npmjs.com/package/upper-case),
|
||||
[lower-case](https://www.npmjs.com/package/lower-case),
|
||||
[no-case](https://www.npmjs.com/package/no-case),
|
||||
[constant-case](https://www.npmjs.com/package/constant-case),
|
||||
[dot-case](https://www.npmjs.com/package/dot-case),
|
||||
[upper-case-first](https://www.npmjs.com/package/upper-case-first),
|
||||
[lower-case-first](https://www.npmjs.com/package/lower-case-first),
|
||||
[header-case](https://www.npmjs.com/package/header-case),
|
||||
[capital-case](https://www.npmjs.com/package/capital-case),
|
||||
[swap-case](https://www.npmjs.com/package/swap-case),
|
||||
[sponge-case](https://www.npmjs.com/package/sponge-case),
|
||||
[titleize](https://www.npmjs.com/package/titleize),
|
||||
[camelcase](https://www.npmjs.com/package/camelcase),
|
||||
[decamelize](https://www.npmjs.com/package/decamelize)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `js/log-injection` query now recognizes more logging frameworks.
|
||||
Affected packages are
|
||||
[pino](https://npmjs.com/package/pino)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Fixed a bug that could occur when data was tracked through a function whose parameter
|
||||
flows through a captured variable before reaching the return.
|
||||
This can lead to fewer false-positive results and more true-positive results.
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `cwd` option from the `read-pkg` library is recognized as a sink for `js/tainted-path`.
|
||||
Affected packages are
|
||||
[read-pkg](https://npmjs.com/package/read-pkg)
|
||||
@@ -1,6 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `js/tainted-path` and `js/zipslip` queries now recognize path that have been
|
||||
normalized using the `slash` library.
|
||||
Affected packages are
|
||||
[slash](https://npmjs.com/package/slash)
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `js/tainted-path` now recognizes the `mkdirp` library as a sink.
|
||||
Affected packages are
|
||||
[mkdirp](https://www.npmjs.com/package/mkdirp)
|
||||
@@ -1,6 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The security queries now track taint through more query string parsers.
|
||||
Affected packages are
|
||||
[qs](https://npmjs.com/package/qs),
|
||||
[normailize-url](https://npmjs.com/package/normalize-url),
|
||||
[parseqs](https://npmjs.com/package/parseqs)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The XSS queries now recognize when the `react-tooltip` library is being used with HTML.
|
||||
Affected packages are
|
||||
[react-tooltip](https://npmjs.com/package/react-tooltip)
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The security queries now track taint through the `ansi-to-html` library.
|
||||
Affected packages are
|
||||
[ansi-to-html](https://www.npmjs.com/package/ansi-to-html)
|
||||
@@ -1,15 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The dataflow libraries now model dataflow through more array libraries.
|
||||
Affected packages are
|
||||
[array-from](https://npmjs.com/package/array-from),
|
||||
[array.prototype.find](https://npmjs.com/package/array.prototype.find),
|
||||
[array-find](https://npmjs.com/package/array-find),
|
||||
[arrify](https://npmjs.com/package/arrify),
|
||||
[array-ify](https://npmjs.com/package/array-ify),
|
||||
[array-union](https://npmjs.com/package/array-union),
|
||||
[array-uniq](https://npmjs.com/package/array-uniq),
|
||||
[uniq](https://npmjs.com/package/uniq),
|
||||
[array-flatten](https://npmjs.com/package/array-flatten),
|
||||
[arr-flatten](https://npmjs.com/package/arr-flatten),
|
||||
[flatten](https://npmjs.com/package/flatten),
|
||||
[array.prototype.flat](https://npmjs.com/package/array.prototype.flat)
|
||||
@@ -1,5 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The dataflow libraries now model dataflow in the `sort-keys` and `camelcase-keys` library.
|
||||
Affected packages are
|
||||
[sort-keys](https://npmjs.com/package/sort-keys),
|
||||
[camelcase-keys](https://npmjs.com/package/camelcase-keys)
|
||||
@@ -1,3 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Some methods from the DOM API are now modeled more precisely, potentially
|
||||
leading to more `js/xss` results.
|
||||
@@ -1,6 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Added support for more templating languages.
|
||||
- EJS, Mustache, Handlebars, Nunjucks, Hogan, and Swig are now supported.
|
||||
- Template tags from the above dialects are now recognized as sinks
|
||||
when not escaped safely for the context, leading to additional results for `js/xss` and `js/code-injection`.
|
||||
- Files with the extension `.ejs`, `.hbs`, or `.njk` are now extracted and analyzed.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The query "Hard-coded credentials" (`js/hardcoded-credentials`) no longer flags deliberately weak authentication headers.
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `js/xss` query now reports fewer false positives in cases where
|
||||
`location.hash` flows to a jQuery `$()` call in a way that preserves
|
||||
the `#` prefix.
|
||||
@@ -1,6 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Some library files have been deprecated, which may affect custom queries.
|
||||
Queries importing a data-flow configuration from `semmle.javascript.security.dataflow` should
|
||||
ensure that the imported file ends with `Query`, and only import its top-level module.
|
||||
For example, a query that imported `DomBasedXss::DomBasedXss` should from now on import `DomBasedXssQuery`
|
||||
instead.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The `js/incomplete-multi-character-sanitization` query now flags more regular expressions that can result in bad sanitization.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The class `Vue::Instance` has been renamed to `Vue::Component`.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Added `Locatable.getPrimaryQlClasses()` predicate, which gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user