hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
215682f67cda4c1fbb67db5bd32f0845769b5152
codeql/change-notes/1.25/analysis-javascript.md
Max Schaefer 215682f67c JavaScript: Add change note.
2020-05-26 10:49:30 +01:00

6.9 KiB
Raw Blame History

Improvements to JavaScript analysis

General improvements

New queries

Query Tags Purpose
Cross-site scripting through DOM (js/xss-through-dom) security, external/cwe/cwe-079, external/cwe/cwe-116 Highlights potential XSS vulnerabilities where existing text from the DOM is used as HTML. Results are not shown on LGTM by default.
Incomplete HTML attribute sanitization (js/incomplete-html-attribute-sanitization) security, external/cwe/cwe-20, external/cwe/cwe-079, external/cwe/cwe-116 Highlights potential XSS vulnerabilities due to incomplete sanitization of HTML meta-characters. Results are shown on LGTM by default.
Unsafe expansion of self-closing HTML tag (js/unsafe-html-expansion) security, external/cwe/cwe-079, external/cwe/cwe-116 Highlights potential XSS vulnerabilities caused by unsafe expansion of self-closing HTML tags.
Unsafe shell command constructed from library input (js/shell-command-constructed-from-input) correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 Highlights potential command injections due to a shell command being constructed from library inputs. Results are shown on LGTM by default.

Changes to existing queries

Query Expected impact Change
Misspelled variable name (js/misspelled-variable-name) Message changed The message for this query now correctly identifies the misspelled variable in additional cases.
Uncontrolled data used in path expression (js/path-injection) More results This query now recognizes additional file system calls.
Uncontrolled command line (js/command-line-injection) More results This query now recognizes additional command execution calls.
Client-side URL redirect (js/client-side-unvalidated-url-redirection) Less results This query now recognizes additional safe patterns of doing URL redirects.
Client-side cross-site scripting (js/xss) Less results This query now recognizes additional safe strings based on URLs.
Incomplete URL scheme check (js/incomplete-url-scheme-check) More results This query now recognizes additional url scheme checks.
Prototype pollution in utility function (js/prototype-pollution-utility) More results This query now recognizes additional utility functions as vulnerable to prototype polution.
Expression has no effect (js/useless-expression) Less results This query no longer flags an expression when that expression is the only content of the containing file.
Unknown directive (js/unknown-directive) Less results This query no longer flags directives generated by the Babel compiler.
Code injection (js/code-injection) More results More potential vulnerabilities involving NoSQL code operators are now recognized.
Zip Slip (js/zipslip) More results This query now recognizes additional vulnerabilities.
Unused property (js/unused-property) Less results This query no longer flags properties of objects that are operands of yield expressions.
Prototype pollution in utility function (js/prototype-pollution-utility) More results This query now recognizes more coding patterns that are vulnerable to prototype pollution.

The following low-precision queries are no longer run by default on LGTM (their results already were not displayed):

  • js/angular/dead-event-listener
  • js/angular/unused-dependency
  • js/conflicting-html-attribute
  • js/useless-assignment-to-global
  • js/too-many-parameters
  • js/unused-property
  • js/bitwise-sign-check
  • js/comparison-of-identical-expressions
  • js/misspelled-identifier
  • js/jsdoc/malformed-param-tag
  • js/jsdoc/unknown-parameter
  • js/jsdoc/missing-parameter
  • js/omitted-array-element
  • js/ignored-setter-parameter
  • js/json-in-javascript-file
  • js/node/cyclic-import
  • js/node/unused-npm-dependency
  • js/single-run-loop
  • js/nested-loops-with-same-variable
  • js/return-outside-function

Changes to libraries

  • A library semmle.javascript.explore.CallGraph has been added to help write queries for exploring the call graph.
  • Added data flow for Map and Set, and added matching type-tracking steps that can accessed using the CollectionsTypeTracking module.
  • The data-flow node representing a parameter or destructuring pattern is now always the ValueNode corresponding to that AST node. This has a few consequences:
    • Parameter.flow() now gets the correct data flow node for a parameter. Previously this had a result, but the node was disconnected from the data flow graph.
    • ParameterNode.asExpr() and .getAstNode() now gets the parameter's AST node, whereas previously it had no result.
    • Expr.flow() now has a more meaningful result for destructuring patterns. Previously this node was disconnected from the data flow graph. Now it represents the values being destructured by the pattern.
  • The global data-flow and taint-tracking libraries now model indirect parameter accesses through the arguments object in some cases, which may lead to additional results from some of the security queries, particularly "Prototype pollution in utility function".