codeql/4.0.0.md at 2720f5796590f4eaf8c855ea1fef542e7eb6077c

hohn/codeql

mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00

Files

github-actions[bot] 96564b7128 Release preparation for version 2.20.0

2024-12-04 16:01:14 +00:00

4.0.0

Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

Added support for data-flow through member accesses of objects with dynamic types.
Only extract public and protected members from reference assemblies. This yields an approximate average speed-up of around 10% for extraction and query execution. Custom MaD rows using Field-based summaries may need to be changed to SyntheticField-based flows if they reference private fields.
Added Microsoft.AspNetCore.Components.NagivationManager::Uri as a remote flow source, since this value may contain user-specified values.
Added the following URI-parsing methods as summaries, as they may be tainted with user-specified values:
- System.Web.HttpUtility::ParseQueryString
- Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseQuery
- Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseNullableQuery
Added js-interop sinks for the InvokeAsync and InvokeVoidAsync methods of Microsoft.JSInterop.IJSRuntime, which can run arbitrary JavaScript.