codeql/change-notes/1.25/analysis-javascript.md

Improvements to JavaScript analysis

General improvements

• Support for the following frameworks and libraries has been improved:

  • bluebird
  • express
  • fstream
  • jGrowl
  • jQuery
  • marsdb
  • minimongo
  • mssql
  • mysql
  • pg
  • Promise
  • sequelize
  • spanner
  • sqlite
  • ssh2
  • ssh2-streams

• TypeScript 3.9 is now supported.

New queries

Query	Tags	Purpose
Cross-site scripting through DOM (js/xss-through-dom)	security, external/cwe/cwe-079, external/cwe/cwe-116	Highlights potential XSS vulnerabilities where existing text from the DOM is used as HTML. Results are not shown on LGTM by default.
Incomplete HTML attribute sanitization (js/incomplete-html-attribute-sanitization)	security, external/cwe/cwe-20, external/cwe/cwe-079, external/cwe/cwe-116	Highlights potential XSS vulnerabilities due to incomplete sanitization of HTML meta-characters. Results are shown on LGTM by default.
Unsafe expansion of self-closing HTML tag (js/unsafe-html-expansion)	security, external/cwe/cwe-079, external/cwe/cwe-116	Highlights potential XSS vulnerabilities caused by unsafe expansion of self-closing HTML tags.
Unsafe shell command constructed from library input (js/shell-command-constructed-from-input)	correctness, security, external/cwe/cwe-078, external/cwe/cwe-088	Highlights potential command injections due to a shell command being constructed from library inputs. Results are shown on LGTM by default.

Changes to existing queries

Query	Expected impact	Change
Misspelled variable name (js/misspelled-variable-name)	Message changed	The message for this query now correctly identifies the misspelled variable in additional cases.
Uncontrolled data used in path expression (js/path-injection)	More results	This query now recognizes additional file system calls.
Uncontrolled command line (js/command-line-injection)	More results	This query now recognizes additional command execution calls.
Client-side URL redirect (js/client-side-unvalidated-url-redirection)	Less results	This query now recognizes additional safe patterns of doing URL redirects.
Client-side cross-site scripting (js/xss)	Less results	This query now recognizes additional safe strings based on URLs.
Incomplete URL scheme check (js/incomplete-url-scheme-check)	More results	This query now recognizes additional url scheme checks.
Prototype pollution in utility function (js/prototype-pollution-utility)	More results	This query now recognizes additional utility functions as vulnerable to prototype polution.
Expression has no effect (js/useless-expression)	Less results	This query no longer flags an expression when that expression is the only content of the containing file.
Unknown directive (js/unknown-directive)	Less results	This query no longer flags directives generated by the Babel compiler.
Code injection (js/code-injection)	More results	More potential vulnerabilities involving NoSQL code operators are now recognized.
Zip Slip (js/zipslip)	More results	This query now recognizes additional vulnerabilities.
Unused property (js/unused-property)	Less results	This query no longer flags properties of objects that are operands of yield expressions.

The following low-precision queries are no longer run by default on LGTM (their results already were not displayed):

• js/angular/dead-event-listener
• js/angular/unused-dependency
• js/conflicting-html-attribute
• js/useless-assignment-to-global
• js/too-many-parameters
• js/unused-property
• js/bitwise-sign-check
• js/comparison-of-identical-expressions
• js/misspelled-identifier
• js/jsdoc/malformed-param-tag
• js/jsdoc/unknown-parameter
• js/jsdoc/missing-parameter
• js/omitted-array-element
• js/ignored-setter-parameter
• js/json-in-javascript-file
• js/node/cyclic-import
• js/node/unused-npm-dependency
• js/single-run-loop
• js/nested-loops-with-same-variable
• js/return-outside-function

Changes to libraries

• A library semmle.javascript.explore.CallGraph has been added to help write queries for exploring the call graph.
• Added data flow for Map and Set, and added matching type-tracking steps that can accessed using the CollectionsTypeTracking module.
• The data-flow node representing a parameter or destructuring pattern is now always the ValueNode corresponding to that AST node. This has a few consequences:
  • Parameter.flow() now gets the correct data flow node for a parameter. Previously this had a result, but the node was disconnected from the data flow graph.
  • ParameterNode.asExpr() and .getAstNode() now gets the parameter's AST node, whereas previously it had no result.
  • Expr.flow() now has a more meaningful result for destructuring patterns. Previously this node was disconnected from the data flow graph. Now it represents the values being destructured by the pattern.