JS: Change note and updated help

2020-06-15 17:34:36 +01:00 · 2020-06-15 17:34:36 +01:00 · 824054ba62
--- a/change-notes/1.25/analysis-javascript.md
+++ b/change-notes/1.25/analysis-javascript.md
@ -46,6 +46,7 @@
 | Hard-coded credentials (`js/hardcoded-credentials`) | More results | This query now recognizes hard-coded credentials sent via HTTP authorization headers. |
 | Incomplete URL scheme check (`js/incomplete-url-scheme-check`) | More results | This query now recognizes additional url scheme checks. |
 | Misspelled variable name (`js/misspelled-variable-name`) | Message changed | The message for this query now correctly identifies the misspelled variable in additional cases. |
+| Non-linear pattern (`js/non-linear-pattern`) | Fewer duplicates and message changed | This query now generates fewer duplicate alerts and has a clearer explanation in case of type annotations used in a pattern. |
 | Prototype pollution in utility function (`js/prototype-pollution-utility`) | More results | This query now recognizes additional utility functions as vulnerable to prototype polution. |
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional command execution calls. |
 | Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional file system calls. |
--- a/javascript/ql/src/LanguageFeatures/NonLinearPattern.qhelp
+++ b/javascript/ql/src/LanguageFeatures/NonLinearPattern.qhelp
@ -8,6 +8,11 @@ If the same pattern variable is bound multiple times in the same object or array
 binding overwrites all of the earlier ones. This is most likely unintended and should be avoided.
 </p>

+<p>
+In TypeScript, a common mistake is to try to write type annotations inside a pattern. This is not
+possible, and the type annotation should come after the pattern.
+</p>
+
 </overview>
 <recommendation>

@ -34,6 +39,21 @@ From context, it appears that the second binding should have been for variable <

 <sample src="examples/NonLinearPatternGood.js" />

+<p>
+This can sometimes happen in TypeScript, due to the apparant similarity between property patterns
+and type annotations. In the following example, the function uses a pattern parameter with properties <code>x</code>
+and <code>y</code>. These appear to have type <code>number</code>, but are in fact untyped properties both stored in a variable named <code>number</code>.
+</p>
+
+<sample src="examples/NonLinearPatternTS.ts" />
+
+<p>
+It is not possible to specify type annotations inside a pattern. The correct way is to specify the type
+after the parameter:
+</p>
+
+<sample src="examples/NonLinearPatternTSGood.ts" />
+
 </example>
 <references>
 <li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Destructuring_assignment">Destructuring assignment</a>.</li>
--- a/javascript/ql/src/LanguageFeatures/examples/NonLinearPatternTS.ts
+++ b/javascript/ql/src/LanguageFeatures/examples/NonLinearPatternTS.ts
@ -0,0 +1,3 @@
+function distance({x: number, y: number}) {
+    return Math.sqrt(x*x + y*y);
+}
--- a/javascript/ql/src/LanguageFeatures/examples/NonLinearPatternTSGood.ts
+++ b/javascript/ql/src/LanguageFeatures/examples/NonLinearPatternTSGood.ts
@ -0,0 +1,3 @@
+function distance({x, y}: {x: number, y: number}) {
+    return Math.sqrt(x*x + y*y);
+}