hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 08:43:11 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
codeql/change-notes/1.23/analysis-javascript.md
Felicity Chapman 4070992273 Fix sort order
2019-11-27 12:38:39 +00:00

8.2 KiB
Raw Permalink Blame History

Improvements to JavaScript analysis

General improvements

  • Automatic classification of generated and minified files has been improved, in particular files generated by Doxygen are now recognized.

  • Support for globalThis has been added.

  • Support for the following frameworks and libraries has been improved:

  • The call graph has been improved to resolve method calls in more cases. This may produce more security alerts.

  • TypeScript 3.6 and 3.7 features are now supported.

New queries

Query Tags Purpose
Ignoring result from pure array method (js/ignore-array-result) maintainability, correctness Highlights calls to array methods without side effects where the return value is ignored. Results are shown on LGTM by default.
Incomplete URL scheme check (js/incomplete-url-scheme-check) security, correctness, external/cwe/cwe-020 Highlights checks for javascript: URLs that do not take data: or vbscript: URLs into account. Results are shown on LGTM by default.
Loop bound injection (js/loop-bound-injection) security, external/cwe/cwe-834 Highlights loops where a user-controlled object with an arbitrary .length value can trick the server into looping indefinitely. Results are shown on LGTM by default.
Shell command built from environment values (js/shell-command-injection-from-environment) correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 Highlights shell commands that may change behavior inadvertently depending on the execution environment, indicating a possible violation of CWE-78. Results are shown on LGTM by default.
Suspicious method name (js/suspicious-method-name-declaration) correctness, typescript, methods Highlights suspiciously named methods where the developer likely meant to write a constructor or function. Results are shown on LGTM by default.
Unreachable method overloads (js/unreachable-method-overloads) correctness, typescript Highlights method overloads that are impossible to use from client code. Results are shown on LGTM by default.
Unused index variable (js/unused-index-variable) correctness Highlights loops that iterate over an array, but do not use the index variable to access array elements, indicating a possible typo or logic error. Results are shown on LGTM by default.
Use of returnless function (js/use-of-returnless-function) maintainability, correctness Highlights calls where the return value is used, but the callee never returns a value. Results are shown on LGTM by default.
Useless regular expression character escape (js/useless-regexp-character-escape) correctness, security, external/cwe/cwe-20 Highlights regular expression strings with useless character escapes, indicating a possible violation of CWE-20. Results are shown on LGTM by default.

Changes to existing queries

Query Expected impact Change
Client-side cross-site scripting (js/xss) More results, fewer false positive results More potential vulnerabilities involving functions that manipulate DOM attributes are now recognized, and more sanitizers are detected.
Code injection (js/code-injection) More results More potential vulnerabilities involving functions that manipulate DOM event handler attributes are now recognized.
Hard-coded credentials (js/hardcoded-credentials) Fewer false positive results This rule now flags fewer password examples.
Illegal invocation (js/illegal-invocation) Fewer false positive results This rule now correctly handles methods named call and apply.
Incomplete string escaping or encoding (js/incomplete-sanitization) Fewer false positive results This rule now recognizes additional ways delimiters can be stripped away.
Incorrect suffix check (js/incorrect-suffix-check) Fewer false positive results The query recognizes valid checks in more cases.
Network data written to file (js/http-to-file-access) Fewer false positive results This query has been renamed to better match its intended purpose, and now only considers network data untrusted.
Password in configuration file (js/password-in-configuration-file) Fewer false positive results This rule now flags fewer password examples.
Prototype pollution (js/prototype-pollution) More results The query now highlights vulnerable uses of jQuery and Angular, and the results are shown on LGTM by default.
Reflected cross-site scripting (js/reflected-xss) Fewer false positive results The query now recognizes more sanitizers.
Stored cross-site scripting (js/stored-xss) Fewer false positive results The query now recognizes more sanitizers.
Uncontrolled command line (js/command-line-injection) More results This query now treats responses from servers as untrusted.
Uncontrolled data used in path expression (js/path-injection) Fewer false positive results This query now recognizes calls to Express sendFile as safe in some cases.
Unknown directive (js/unknown-directive) Fewer false positive results This query no longer flags uses of ":", which is sometimes used like a directive.

Changes to libraries

  • Expr.getDocumentation() now handles chain assignments.
  • String literals are now parsed as regular expressions. Consequently, a RegExpTerm may occur as part of a string literal or as a regular expression literal. Queries that search for regular expressions may need to use RegExpTerm.isPartOfRegExpLiteral or RegExpTerm.isUsedAsRegExp to restrict the search. A regular expression AST can be obtained from a string literal using StringLiteral.asRegExp.

Removal of deprecated queries

The following queries (deprecated since 1.17) are no longer available in the distribution:

  • Bad parity check (js/incomplete-parity-check)
  • Builtin redefined (js/builtin-redefinition)
  • Call to parseInt without radix (js/parseint-without-radix)
  • Inefficient method definition (js/method-definition-in-constructor)
  • Invalid JSLint directive (js/jslint/invalid-directive)
  • Malformed JSLint directive (js/jslint/malformed-directive)
  • Multi-line string literal (js/multi-line-string)
  • Octal literal (js/octal-literal)
  • Potentially misspelled property or variable name (js/wrong-capitalization)
  • Reserved word used as variable name (js/use-of-reserved-word)
  • Trailing comma in array or object expressions (js/trailing-comma-in-array-or-object)
  • Unknown JSDoc tag (js/jsdoc/unknown-tag-type)
  • Use of HTML comments (js/html-comment)