codeql/change-notes/1.23/analysis-javascript.md
2019-11-01 12:27:43 +00:00

Improvements to JavaScript analysis

General improvements

  • Support for globalThis has been added.

  • Support for the following frameworks and libraries has been improved:

  • The call graph has been improved to resolve method calls in more cases. This may produce more security alerts.

  • TypeScript 3.6 features are supported.

New queries

| Query | Tags | Purpose |
|---|---|---|
| Unused index variable (js/unused-index-variable) | correctness | Highlights loops that iterate over an array, but do not use the index variable to access array elements, indicating a possible typo or logic error. Results are shown on LGTM by default. |
| Loop bound injection (js/loop-bound-injection) | security, external/cwe/cwe-834 | Highlights loops where a user-controlled object with an arbitrary .length value can trick the server into looping indefinitely. Results are shown on LGTM by default. |
| Suspicious method name (js/suspicious-method-name-declaration) | correctness, typescript, methods | Highlights suspiciously named methods where the developer likely meant to write a constructor or function. Results are shown on LGTM by default. |
| Shell command built from environment values (js/shell-command-injection-from-environment) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights shell commands that may change behavior inadvertently depending on the execution environment, indicating a possible violation of CWE-78. Results are shown on LGTM by default. |
| Use of returnless function (js/use-of-returnless-function) | maintainability, correctness | Highlights calls where the return value is used, but the callee never returns a value. Results are shown on LGTM by default. |
| Useless regular expression character escape (js/useless-regexp-character-escape) | correctness, security, external/cwe/cwe-20 | Highlights regular expression strings with useless character escapes, indicating a possible violation of CWE-20. Results are shown on LGTM by default. |
| Unreachable method overloads (js/unreachable-method-overloads) | correctness, typescript | Highlights method overloads that are impossible to use from client code. Results are shown on LGTM by default. |
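
The loop-bound-injection pattern above, as an added example that is not code from the change notes or from CodeQL itself: a handler that trusts a client-supplied `.length` next to a guarded version. The order body, field names and the MAX_ITEMS limit are constructed for illustration.

```javascript
// Added example, not code from the CodeQL change notes or from any real project:
// the pattern js/loop-bound-injection flags, next to a guarded version.
// The order body and its field names are constructed for illustration.

// Vulnerable: the loop bound is whatever `.length` the client sent. JSON.parse
// of {"items": {"length": 1e9}} yields a plain object, not an array, so the loop
// spins a billion times over undefined elements (CWE-834, uncontrolled loop).
function sumPricesUnsafe(items) {
  let total = 0;
  for (let i = 0; i < items.length; i++) {
    total += Number(items[i] && items[i].price) || 0;
  }
  return total;
}

// Hardened: insist on a real array and cap how many elements the server processes.
const MAX_ITEMS = 1000; // constructed limit for the example

function sumPricesSafe(items) {
  if (!Array.isArray(items)) {
    throw new TypeError("items must be an array");
  }
  if (items.length > MAX_ITEMS) {
    throw new RangeError("too many items");
  }
  let total = 0;
  for (const item of items) {
    total += Number(item && item.price) || 0;
  }
  return total;
}

// Request-handling wrapper: parses a JSON body string and reports whether it was
// accepted, so a rejected fake array is visible without running the unsafe loop.
function handleOrder(bodyJson) {
  const body = JSON.parse(bodyJson);
  try {
    return { ok: true, total: sumPricesSafe(body.items) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}
```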

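The useless-escape mistake from the same table, as an added example (not code from the change notes or from CodeQL): a validator built from a string whose `\d` lost its backslash, beside the corrected forms. Function and constant names are constructed.

```javascript
// Added example, not code from the CodeQL change notes: the mistake
// js/useless-regexp-character-escape flags. In a JavaScript string literal the
// backslash in "\d" is dropped, so the pattern below is "^d+$", not "one or more
// digits". Validation built on it accepts "ddd" and rejects "123" (CWE-20).
const NUMERIC_ID_BROKEN = new RegExp("^\d+$");

// Fixed: double the backslash inside the string, or use a regex literal,
// where \d survives as a character class.
const NUMERIC_ID_STRING = new RegExp("^\\d+$");
const NUMERIC_ID_LITERAL = /^\d+$/;

// Validators in the style of a request-parameter check (names are constructed).
function isNumericIdBroken(value) {
  return NUMERIC_ID_BROKEN.test(value);
}

function isNumericId(value) {
  return NUMERIC_ID_LITERAL.test(value);
}
```

Inspecting `.source` on the compiled pattern is the quickest way to confirm which escapes actually survived the string literal.
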
Changes to existing queries

| Query | Expected impact | Change |
|---|---|---|
| Incomplete string escaping or encoding (js/incomplete-sanitization) | Fewer false-positive results | This rule now recognizes additional ways delimiters can be stripped away. |
| Client-side cross-site scripting (js/xss) | More results, fewer false-positive results | More potential vulnerabilities involving functions that manipulate DOM attributes are now recognized, and more sanitizers are detected. |
| Code injection (js/code-injection) | More results | More potential vulnerabilities involving functions that manipulate DOM event handler attributes are now recognized. |
| Hard-coded credentials (js/hardcoded-credentials) | Fewer false-positive results | This rule now flags fewer password examples. |
| Illegal invocation (js/illegal-invocation) | Fewer false-positive results | This rule now correctly handles methods named call and apply. |
| Incorrect suffix check (js/incorrect-suffix-check) | Fewer false-positive results | The query recognizes valid checks in more cases. |
| Network data written to file (js/http-to-file-access) | Fewer false-positive results | This query has been renamed to better match its intended purpose, and now only considers network data untrusted. |
| Password in configuration file (js/password-in-configuration-file) | Fewer false-positive results | This rule now flags fewer password examples. |
| Prototype pollution (js/prototype-pollution) | More results | The query now highlights vulnerable uses of jQuery and Angular, and the results are shown on LGTM by default. |
| Reflected cross-site scripting (js/reflected-xss) | Fewer false-positive results | The query now recognizes more sanitizers. |
| Stored cross-site scripting (js/stored-xss) | Fewer false-positive results | The query now recognizes more sanitizers. |
| Uncontrolled command line (js/command-line-injection) | More results | This query now treats responses from servers as untrusted. |
| Uncontrolled data used in path expression (js/path-injection) | Fewer false-positive results | This query now recognizes calls to Express sendFile as safe in some cases. |
| Unknown directive (js/unknown-directive) | Fewer false-positive results | This query no longer flags uses of ":", which is sometimes used like a directive. |

Changes to libraries

  • Expr.getDocumentation() now handles chain assignments.

Removal of deprecated queries

The following queries (deprecated since 1.17) are no longer available in the distribution:

  • Builtin redefined (js/builtin-redefinition)
  • Inefficient method definition (js/method-definition-in-constructor)
  • Bad parity check (js/incomplete-parity-check)
  • Potentially misspelled property or variable name (js/wrong-capitalization)
  • Unknown JSDoc tag (js/jsdoc/unknown-tag-type)
  • Invalid JSLint directive (js/jslint/invalid-directive)
  • Malformed JSLint directive (js/jslint/malformed-directive)
  • Use of HTML comments (js/html-comment)
  • Multi-line string literal (js/multi-line-string)
  • Octal literal (js/octal-literal)
  • Reserved word used as variable name (js/use-of-reserved-word)
  • Trailing comma in array or object expressions (js/trailing-comma-in-array-or-object)
  • Call to parseInt without radix (js/parseint-without-radix)