11 KiB
Improvements to JavaScript analysis
General improvements
-
Additional heuristics have been added to
semmle.javascript.heuristics. Addimport semmle.javascript.heuristics.allto a query in order to activate all of the heuristics at once. -
Modelling of data flow through destructuring assignments has been improved. This may give additional results for the security queries and other queries that rely on data flow.
-
Modelling of global variables has been improved. This may give more true-positive results and fewer false-positive results for a variety of queries.
-
Modelling of re-export declarations has been improved. This may result in fewer false-positive results for a variety of queries.
-
Modelling of taint flow through array operations has been improved. This may give additional results for the security queries.
-
The taint tracking library recognizes more ways in which taint propagates. In particular, some flow through string formatters is now recognized. This may give additional results for the security queries.
-
The taint tracking library now recognizes additional sanitization patterns. This may give fewer false-positive results for the security queries.
-
Type inference for simple function calls has been improved. This may give additional results for queries that rely on type inference.
-
Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following libraries:
- bluebird
- browserid-crypto
- compose-function
- cookie-parser
- cookie-session
- crypto-js
- deep-assign
- deep-extend
- deep-merge
- deep
- deepmerge
- defaults-deep
- defaults
- dottie
- dotty
- ent
- entities
- escape-goat
- express-jwt
- express-session
- extend-shallow
- extend
- extend2
- fast-json-parse
- forge
- format-util
- global
- he
- html-entities
- jquery
- js-extend
- json-parse-better-errors
- json-parse-safe
- json-safe-parse
- just-compose
- just-extend
- lodash
- merge-deep
- merge-options
- merge
- mixin-deep
- mixin-object
- MySQL2
- node.extend
- object-assign
- object.assign
- object.defaults
- parse-json
- printf
- printj
- q
- ramda
- React Native
- safe-json-parse
- sanitize
- sanitizer
- smart-extend
- sprintf.js
- string-template
- underscore
- util-extend
- utils-merge
- validator
- xss
- xtend
-
Handling of ambient TypeScript code has been improved. As a result, fewer false positives will be reported in
.d.tsfiles.
New queries
| Query | Tags | Purpose |
|---|---|---|
Clear-text logging of sensitive information (js/clear-text-logging) |
security, external/cwe/cwe-312, external/cwe/cwe-315, external/cwe/cwe-359 | Highlights logging of sensitive information, indicating a violation of CWE-312. Results shown on LGTM by default. |
Disabling Electron webSecurity (js/disabling-electron-websecurity) |
security, frameworks/electron | Highlights Electron browser objects that are created with the webSecurity property set to false. Results shown on LGTM by default. |
Enabling Electron allowRunningInsecureContent (js/enabling-electron-insecure-content) |
security, frameworks/electron | Highlights Electron browser objects that are created with the allowRunningInsecureContent property set to true. Results shown on LGTM by default. |
Use of externally-controlled format string (js/tainted-format-string) |
security, external/cwe/cwe-134 | Highlights format strings containing user-provided data, indicating a violation of CWE-134. Results shown on LGTM by default. |
Changes to existing queries
| Query | Expected impact | Change |
|---|---|---|
| Arguments redefined | Fewer results | This rule previously also flagged redefinitions of eval. This was an oversight that is now fixed. |
| Comparison between inconvertible types | Fewer results | This rule now flags fewer comparisons involving parameters. |
| Comparison between inconvertible types | Lower severity | The severity of this rule has been revised to "warning". |
| CORS misconfiguration for credentials transfer | More true-positive results | This rule now treats header names case-insensitively. |
| Hard-coded credentials | More true-positive results | This rule now recognizes secret cryptographic keys. |
| Incomplete string escaping or encoding | Better name, more true-positive results | This rule has been renamed to more clearly reflect its purpose. Also, it now recognizes incomplete URL encoding and decoding. |
| Insecure randomness | More true-positive results | This rule now recognizes secret cryptographic keys. |
| Misleading indentation after control statement | Fewer results | This rule temporarily ignores TypeScript files. |
| Missing rate limiting | More true-positive results, fewer false-positive results | This rule now recognizes additional rate limiters and expensive route handlers. |
| Missing X-Frame-Options HTTP header | Fewer false-positive results | This rule now treats header names case-insensitively. |
| Omitted array element | Fewer results | This rule temporarily ignores TypeScript files. |
| Reflected cross-site scripting | Fewer false-positive results | This rule now treats header names case-insensitively. |
| Semicolon insertion | Fewer results | This rule temporarily ignores TypeScript files. |
| Server-side URL redirect | More true-positive results | This rule now treats header names case-insensitively. |
| Superfluous trailing arguments | Fewer false-positive results | This rule now ignores calls to some empty functions. |
| Type confusion through parameter tampering | Fewer false-positive results | This rule no longer flags emptiness checks. |
| Uncontrolled command line | More true-positive results | This rule now recognizes indirect command injection through sh -c and similar. |
| Unused variable | Fewer results | This rule no longer flags class expressions that could be made anonymous. While technically true, these results are not interesting. |
| Unused variable | Renamed | This rule has been renamed to "Unused variable, import, function or class" to reflect the fact that it flags different kinds of unused program elements. |
| Use of incompletely initialized object | Fewer results | This rule now flags the constructor instead its errorneous this or super expressions. |
| Useless conditional | Fewer results | This rule no longer flags uses of boolean return values. |
| Useless conditional | Fewer results | This rule now flags fewer comparisons involving parameters. |
Changes to QL libraries
- HTTP and HTTPS requests made using the Node.js
http.requestandhttps.requestAPIs and the ElectronElectron.net.requestandElectron.ClientRequestAPIs are modeled asRemoteFlowSources. - HTTP header names are now always normalized to lower case to reflect the fact that they are case insensitive. In particular, the result of
HeaderDefinition.getAHeaderName, and the first parameter ofHeaderDefinition.defines,ExplicitHeaderDefinition.definesExplicitlyandRouteHandler.getAResponseHeaderis now always a lower-case string. - New AST nodes have been added for TypeScript 2.9 and 3.0 features.
- The class
JsonParseCallhas been deprecated. UseJsonParserCallinstead. - The handling of spread arguments in the data flow library has been changed:
DataFlow::InvokeNode.getArgument(i)is now only defined when there is no spread argument at or before argument positioni, and similarlyInvokeNode.getNumArgumentis only defined for invocations without spread arguments.