codeql/javascript/change-notes/2020-11-25-prototype-pollution.md

lgtm,codescanning

• We've improved the detection of prototype pollution, and the queries involved have been reorganized:
  • A new query "Prototype-polluting assignment" (js/prototype-polluting-assignment) has been added. This query highlights direct modifications of an object obtained via a user-controlled property name, which may accidentally alter Object.prototype.
  • The query previously named "Prototype pollution" (js/prototype-pollution) has been renamed to "Prototype-polluting merge call". This highlights indirect modification of Object.prototype via an unsafe merge call taking a user-controlled object as argument.
  • The query previously named "Prototype pollution in utility function" (js/prototype-pollution-utility) has been renamed to "Prototype-polluting function". This query highlights the implementation of an unsafe merge function, to ensure a robust API is exposed downstream.
  • The above queries have been moved to the Security/CWE-915 folder, and assigned the following tags: CWE-078, CWE-079, CWE-094, CWE-400, and CWE-915.
  • The query "Type confusion through parameter tampering" (js/type-confusion-through-parameter-tampering) now highlights ineffective prototype pollution checks that can be bypassed by type confusion.