12 KiB
Improvements to JavaScript analysis
General improvements
-
Improved modeling of data flow through destructuring assignments may give additional results for the security queries and other queries that rely on data flow.
-
Improved modeling of global variables may give more true-positive results and fewer false-positive results for a variety of queries.
-
Improved modeling of re-export declarations may result in fewer false-positive results for a variety of queries.
-
Improved modeling of taint flow through array operations may give additional results for the security queries.
-
The taint tracking library recognizes more ways in which taint propagates. In particular, some flow through string formatters is now recognized. This may give additional results for the security queries.
-
The taint tracking library now recognizes additional sanitization patterns. This may give fewer false-positive results for the security queries.
-
Type inference for simple function calls has been improved. This may give additional results for queries that rely on type inference.
-
Additional heuristics have been added to
semmle.javascript.heuristics. Addimport semmle.javascript.heuristics.allto a query in order to activate all of the heuristics at once. -
Handling of ambient TypeScript code has been improved. As a result, fewer false-positive results will be reported in
.d.tsfiles. -
Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following libraries: axios, bluebird, browserid-crypto, compose-function, cookie-parser, cookie-session, cross-fetch, crypto-js, deep-assign, deep-extend, deep-merge, deep, deepmerge, defaults-deep, defaults, dottie, dotty, ent, entities, escape-goat, express-jwt, express-session, extend-shallow, extend, extend2, fast-json-parse, forge, format-util, got, global, he, html-entities, isomorphic-fetch, jquery, js-extend, json-parse-better-errors, json-parse-safe, json-safe-parse, just-compose, just-extend, lodash, merge-deep, merge-options, merge, mixin-deep, mixin-object, MySQL2, node.extend, node-fetch, object-assign, object.assign, object.defaults, parse-json, printf, printj, q, ramda, request, request-promise, request-promise-any, request-promise-native, React Native, safe-json-parse, sanitize, sanitizer, smart-extend, sprintf.js, string-template, superagent, underscore, util-extend, utils-merge, validator, xss, xtend.
New queries
| Query | Tags | Purpose |
|---|---|---|
Clear-text logging of sensitive information (js/clear-text-logging) |
security, external/cwe/cwe-312, external/cwe/cwe-315, external/cwe/cwe-359 | Highlights logging of sensitive information, indicating a violation of CWE-312. Results shown on LGTM by default. |
Disabling Electron webSecurity (js/disabling-electron-websecurity) |
security, frameworks/electron | Highlights Electron browser objects that are created with the webSecurity property set to false. Results shown on LGTM by default. |
Enabling Electron allowRunningInsecureContent (js/enabling-electron-insecure-content) |
security, frameworks/electron | Highlights Electron browser objects that are created with the allowRunningInsecureContent property set to true. Results shown on LGTM by default. |
Uncontrolled data used in remote request (js/request-forgery) |
security, external/cwe/cwe-918 | Highlights remote requests that are built from unsanitized user input, indicating a violation of CWE-918. Results are hidden on LGTM by default. |
Use of externally-controlled format string (js/tainted-format-string) |
security, external/cwe/cwe-134 | Highlights format strings containing user-provided data, indicating a violation of CWE-134. Results shown on LGTM by default. |
Changes to existing queries
| Query | Expected impact | Change |
|---|---|---|
Arguments redefined (js/arguments-redefinition) |
Fewer results | This query previously also flagged redefinitions of eval. This was an oversight that is now fixed. |
Comparison between inconvertible types (js/comparison-between-incompatible-types) |
Fewer results | This query now flags fewer comparisons involving parameters. The severity of this query has been revised to "warning". |
CORS misconfiguration for credentials transfer (js/cors-misconfiguration-for-credentials) |
More true-positive results | This query now treats header names case-insensitively. |
Hard-coded credentials (js/hardcoded-credentials) |
More true-positive results | This query now recognizes secret cryptographic keys. |
Incomplete string escaping or encoding (js/incomplete-sanitization) |
New name, more true-positive results | The "Incomplete sanitization" query has been renamed to more clearly reflect its purpose. It now recognizes incomplete URL encoding and decoding. |
Insecure randomness (js/insecure-randomness) |
More true-positive results | This query now recognizes secret cryptographic keys. |
Misleading indentation after control statement (js/misleading-indentation-after-control-statement) |
Fewer results | This query temporarily ignores TypeScript files. |
Missing rate limiting (js/missing-rate-limiting) |
More true-positive results, fewer false-positive results | This query now recognizes additional rate limiters and expensive route handlers. |
Omitted array element (js/omitted-array-element) |
Fewer results | This query temporarily ignores TypeScript files. |
Reflected cross-site scripting (js/reflected-xss) |
Fewer false-positive results | This query now treats header names case-insensitively. |
Semicolon insertion (js/automatic-semicolon-insertion) |
Fewer results | This query temporarily ignores TypeScript files. |
Server-side URL redirect (js/server-side-unvalidated-url-redirection) |
More true-positive results | This query now treats header names case-insensitively. |
Superfluous trailing arguments (js/superfluous-trailing-arguments) |
Fewer false-positive results | This query now ignores calls to some empty functions. |
Type confusion through parameter tampering (js/type-confusion-through-parameter-tampering) |
Fewer false-positive results | This query no longer flags emptiness checks. |
Uncontrolled command line (js/command-line-injection) |
More true-positive results | This query now recognizes indirect command injection through sh -c and similar. |
Unused variable, import, function or class (js/unused-local-variable) |
New name, fewer results | The "Unused variable" query has been renamed to reflect the fact that it highlights different kinds of unused program elements. In addition, the query no longer highlights class expressions that could be made anonymous. While technically true, these results are not interesting. |
Use of incompletely initialized object (js/incomplete-object-initialization) |
Fewer results | This query now highlights the constructor instead of its erroneous this or super expressions. |
Useless conditional (js/trivial-conditional) |
Fewer results | This query no longer flags uses of boolean return values and highlights fewer comparisons involving parameters. |
Changes to QL libraries
- HTTP and HTTPS requests made using the Node.js
http.requestandhttps.requestAPIs, and the ElectronElectron.net.requestandElectron.ClientRequestAPIs, are modeled asRemoteFlowSources. - HTTP header names are now always normalized to lower case to reflect the fact that they are case insensitive. In particular, the result of
HeaderDefinition.getAHeaderName, and the first parameter ofHeaderDefinition.defines,ExplicitHeaderDefinition.definesExplicitly, andRouteHandler.getAResponseHeaderare now always a lower-case string. - New AST nodes have been added for TypeScript 2.9 and 3.0 features.
- The class
JsonParseCallhas been deprecated. Update your queries to useJsonParserCallinstead. - The handling of spread arguments in the data flow library has been changed:
DataFlow::InvokeNode.getArgument(i)is now only defined when there is no spread argument at or before argument positioni, and similarlyInvokeNode.getNumArgumentis only defined for invocations without spread arguments.