codeql/change-notes/1.25/analysis-javascript.md

Improvements to JavaScript analysis

General improvements

• Support for the following frameworks and libraries has been improved:

  • Promise
  • bluebird
  • express
  • fastify
  • fstream
  • jGrowl
  • jQuery
  • marsdb
  • micro
  • minimongo
  • mssql
  • mysql
  • pg
  • sequelize
  • spanner
  • sqlite
  • ssh2-streams
  • ssh2
  • yargs

• TypeScript 3.9 is now supported.

• The analysis of sanitizers has improved, leading to more accurate results from the security queries.

New queries

Query	Tags	Purpose
Cross-site scripting through DOM (js/xss-through-dom)	security, external/cwe/cwe-079, external/cwe/cwe-116	Highlights potential XSS vulnerabilities where existing text from the DOM is used as HTML. Results are not shown on LGTM by default.
Incomplete HTML attribute sanitization (js/incomplete-html-attribute-sanitization)	security, external/cwe/cwe-20, external/cwe/cwe-079, external/cwe/cwe-116	Highlights potential XSS vulnerabilities due to incomplete sanitization of HTML meta-characters. Results are shown on LGTM by default.
Unsafe expansion of self-closing HTML tag (js/unsafe-html-expansion)	security, external/cwe/cwe-079, external/cwe/cwe-116	Highlights potential XSS vulnerabilities caused by unsafe expansion of self-closing HTML tags.
Unsafe shell command constructed from library input (js/shell-command-constructed-from-input)	correctness, security, external/cwe/cwe-078, external/cwe/cwe-088	Highlights potential command injections due to a shell command being constructed from library inputs. Results are shown on LGTM by default.
Download of sensitive file through insecure connection (js/insecure-download)	security, external/cwe/cwe-829	Highlights downloads of sensitive files through an unencrypted protocol. Results are shown on LGTM by default.
Exposure of private files (js/exposure-of-private-files)	security, external/cwe/cwe-200	Highlights servers that serve private files. Results are shown on LGTM by default.
Creating biased random numbers from a cryptographically secure source (js/biased-cryptographic-random)	security, external/cwe/cwe-327	Highlights mathematical operations on cryptographically secure numbers that can create biased results. Results are shown on LGTM by default.
Storage of sensitive information in build artifact (js/build-artifact-leak)	security, external/cwe/cwe-312	Highlights storage of sensitive information in build artifacts. Results are shown on LGTM by default.
Improper code sanitization (js/bad-code-sanitization)	security, external/cwe/cwe-094, external/cwe/cwe-079, external/cwe/cwe-116	Highlights string concatenation where code is constructed without proper sanitization. Results are shown on LGTM by default.

Changes to existing queries

Query	Expected impact	Change
Client-side cross-site scripting (js/xss)	Fewer results	This query now recognizes additional safe patterns of constructing HTML.
Client-side URL redirect (js/client-side-unvalidated-url-redirection)	Fewer results	This query now recognizes additional safe patterns of doing URL redirects.
Code injection (js/code-injection)	More results	More potential vulnerabilities involving NoSQL code operators are now recognized.
Expression has no effect (js/useless-expression)	Fewer results	This query no longer flags an expression when that expression is the only content of the containing file.
Hard-coded credentials (js/hardcoded-credentials)	More results	This query now recognizes hard-coded credentials sent via HTTP authorization headers.
Incomplete URL scheme check (js/incomplete-url-scheme-check)	More results	This query now recognizes additional url scheme checks.
Misspelled variable name (js/misspelled-variable-name)	Message changed	The message for this query now correctly identifies the misspelled variable in additional cases.
Prototype pollution in utility function (js/prototype-pollution-utility)	More results	This query now recognizes additional utility functions as vulnerable to prototype polution.
Uncontrolled command line (js/command-line-injection)	More results	This query now recognizes additional command execution calls.
Uncontrolled data used in path expression (js/path-injection)	More results	This query now recognizes additional file system calls.
Unknown directive (js/unknown-directive)	Fewer results	This query no longer flags directives generated by the Babel compiler.
Unused property (js/unused-property)	Fewer results	This query no longer flags properties of objects that are operands of yield expressions.
Zip Slip (js/zipslip)	More results	This query now recognizes additional vulnerabilities.

The following low-precision queries are no longer run by default on LGTM (their results already were not displayed):

• js/angular/dead-event-listener
• js/angular/unused-dependency
• js/bitwise-sign-check
• js/comparison-of-identical-expressions
• js/conflicting-html-attribute
• js/ignored-setter-parameter
• js/jsdoc/malformed-param-tag
• js/jsdoc/missing-parameter
• js/jsdoc/unknown-parameter
• js/json-in-javascript-file
• js/misspelled-identifier
• js/nested-loops-with-same-variable
• js/node/cyclic-import
• js/node/unused-npm-dependency
• js/omitted-array-element
• js/return-outside-function
• js/single-run-loop
• js/too-many-parameters
• js/unused-property
• js/useless-assignment-to-global

Changes to libraries

• A library semmle.javascript.explore.CallGraph has been added to help write queries for exploring the call graph.
• Added data flow for Map and Set, and added matching type-tracking steps that can accessed using the CollectionsTypeTracking module.
• The data-flow node representing a parameter or destructuring pattern is now always the ValueNode corresponding to that AST node. This has a few consequences:
  • Parameter.flow() now gets the correct data flow node for a parameter. Previously this had a result, but the node was disconnected from the data flow graph.
  • ParameterNode.asExpr() and .getAstNode() now gets the parameter's AST node, whereas previously it had no result.
  • Expr.flow() now has a more meaningful result for destructuring patterns. Previously this node was disconnected from the data flow graph. Now it represents the values being destructured by the pattern.
• The global data-flow and taint-tracking libraries now model indirect parameter accesses through the arguments object in some cases, which may lead to additional results from some of the security queries, particularly "Prototype pollution in utility function".