mirror of
https://github.com/github/codeql.git
synced 2025-12-17 09:13:20 +01:00
17 lines
1.3 KiB
Markdown
17 lines
1.3 KiB
Markdown
## 4.0.0
|
|
|
|
### Breaking Changes
|
|
|
|
* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.
|
|
|
|
### Minor Analysis Improvements
|
|
|
|
* Added support for data-flow through member accesses of objects with `dynamic` types.
|
|
* Only extract *public* and *protected* members from reference assemblies. This yields an approximate average speed-up of around 10% for extraction and query execution. Custom MaD rows using `Field`-based summaries may need to be changed to `SyntheticField`-based flows if they reference private fields.
|
|
* Added `Microsoft.AspNetCore.Components.NagivationManager::Uri` as a remote flow source, since this value may contain user-specified values.
|
|
* Added the following URI-parsing methods as summaries, as they may be tainted with user-specified values:
|
|
- `System.Web.HttpUtility::ParseQueryString`
|
|
- `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseQuery`
|
|
- `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseNullableQuery`
|
|
* Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript.
|