codeql/change-notes/1.19/analysis-javascript.md
2018-10-10 15:34:39 +02:00

Improvements to JavaScript analysis

General improvements

  • Modelling of taint flow through array operations has been improved. This may give additional results for the security queries.

  • The taint tracking library now recognizes additional sanitization patterns. This may give fewer false-positive results for the security queries.

  • Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features:

  • The type inference now handles nested imports (that is, imports not appearing at the top level). This may yield fewer false-positive results on projects that use this non-standard language feature.

New queries

| Query | Tags | Purpose |
| --- | --- | --- |
| Enabling Node.js integration for Electron web content renderers (js/enabling-electron-renderer-node-integration) | security, frameworks/electron, external/cwe/cwe-094 | Highlights Electron web content renderer preferences with Node.js integration enabled, indicating a violation of CWE-94. Results are not shown on LGTM by default. |
| File data in outbound network request | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request. Results are not shown on LGTM by default. |
| Host header poisoning in email generation | security, external/cwe/cwe-640 | Highlights code that generates emails with links that can be hijacked by HTTP host header poisoning, indicating a violation of CWE-640. Results shown on LGTM by default. |
| Replacement of a substring with itself (js/identity-replacement) | correctness, security, external/cwe/cwe-116 | Highlights string replacements that replace a string with itself, which usually indicates a mistake. Results shown on LGTM by default. |
| Stored cross-site scripting (js/stored-xss) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights uncontrolled stored values flowing into HTML content, indicating a violation of CWE-079. Results shown on LGTM by default. |
| Unclear precedence of nested operators (js/unclear-operator-precedence) | maintainability, correctness, external/cwe/cwe-783 | Highlights nested binary operators whose relative precedence is easy to misunderstand. Results shown on LGTM by default. |
| User-controlled data in file | security, external/cwe/cwe-912 | Highlights locations where user-controlled data is written to a file. Results are not shown on LGTM by default. |

Changes to existing queries

| Query | Expected impact | Change |
| --- | --- | --- |
| Useless assignment to local variable | Fewer false-positive results | This rule now recognizes additional ways default values can be set. |
| Regular expression injection | Fewer false-positive results | This rule now identifies calls to String.prototype.search with more precision. |
| Unbound event handler receiver | Fewer false-positive results | This rule now recognizes additional ways class methods can be bound. |
| Remote property injection | Fewer results | The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. |
| Missing CSRF middleware | Fewer false-positive results | This rule now recognizes additional CSRF protection middlewares. |
| Server-side URL redirect | More results | This rule now recognizes redirection calls in more cases. |
| Whitespace contradicts operator precedence | Fewer false-positive results | This rule no longer flags operators with asymmetric whitespace. |

Changes to QL libraries

  • The flow configuration framework now supports distinguishing and tracking different kinds of taint, specified by an extensible class FlowLabel (which can also be referred to by its alias TaintKind).

  • The DataFlow::ThisNode class now corresponds to the implicit receiver parameter of a function, as opposed to an individual this expression. This means getALocalSource now maps all this expressions within a given function to the same source. The data-flow node associated with a ThisExpr can no longer be cast to DataFlow::SourceNode or DataFlow::ThisNode; it is recommended to use getALocalSource before casting, or instead of casting.

  • ReactComponent::getAThisAccess has been renamed to getAThisNode. The old name is still usable but is deprecated. It no longer gets individual this expressions, but the ThisNode mentioned above.
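The following query is an added illustration of the ThisNode change above, written for this note rather than taken from the CodeQL query suite. It resolves each this expression to its function's single DataFlow::ThisNode via getALocalSource, the migration path the note recommends instead of casting; it assumes that ThisNode exposes getBinder() to reach the function that binds this.

```ql
import javascript

/**
 * After this change, the data-flow node of a `ThisExpr` is not itself a
 * `ThisNode`. The receiver it refers to is reached via `getALocalSource()`,
 * which yields the same `ThisNode` for every `this` in the same function.
 * (Added helper, not part of the CodeQL library.)
 */
DataFlow::ThisNode receiverOf(ThisExpr t) { result = t.flow().getALocalSource() }

// One row per implicit receiver: the binding function and how many
// syntactic `this` expressions now collapse onto that single node.
// `getBinder()` is assumed to return the function that binds `this`.
from DataFlow::ThisNode receiver, int n
where n = strictcount(ThisExpr t | receiverOf(t) = receiver)
select receiver.getBinder(),
  "Implicit receiver shared by " + n + " `this` expression(s) in this function."
```

Running it on a code base that uses this inside methods shows a count above one wherever several this expressions previously produced separate sources, which is the behaviour the change collapses.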