mirror of
https://github.com/github/codeql.git
synced 2025-12-17 17:23:36 +01:00
## 0.8.7
### New Features
* Added a new library `semmle.code.java.security.Sanitizers` which contains a new sanitizer class `SimpleTypeSanitizer`, which represents nodes which cannot realistically carry taint for most queries (e.g. primitives, their boxed equivalents, and numeric types).
* Converted definitions of `isBarrier` and sanitizer classes to use `SimpleTypeSanitizer` instead of checking if `node.getType()` is `PrimitiveType` or `BoxedType`.
### Minor Analysis Improvements
* Deleted many deprecated predicates and classes with uppercase `EJB`, `JMX`, `NFE`, `DNS` etc. in their names. Use the PascalCased versions instead.
* Deleted the deprecated `semmle/code/java/security/OverlyLargeRangeQuery.qll`, `semmle/code/java/security/regexp/ExponentialBackTracking.qll`, `semmle/code/java/security/regexp/NfaUtils.qll`, and `semmle/code/java/security/regexp/NfaUtils.qll` files.
* Improved models for `java.lang.Throwable` and `java.lang.Exception`, and the `valueOf` method of `java.lang.String`.
* Added taint tracking for the following GSON methods:
  * `com.google.gson.stream.JsonReader` constructor
  * `com.google.gson.stream.JsonWriter` constructor
  * `com.google.gson.JsonObject.getAsJsonArray`
  * `com.google.gson.JsonObject.getAsJsonObject`
  * `com.google.gson.JsonObject.getAsJsonPrimitive`
  * `com.google.gson.JsonParser.parseReader`
  * `com.google.gson.JsonParser.parseString`
* Added a dataflow model for `java.awt.Desktop.browse(URI)`.
### Bug Fixes
* Fixed regular expressions containing flags not being parsed correctly in some cases.