Mirror of https://github.com/github/codeql.git
Improvements to JavaScript analysis
General improvements
- Angular-specific taint sources and sinks are now recognized by the security queries.
- Support for React has improved, with better handling of React hooks, react-router path parameters, lazy-loaded components, and components transformed using react-redux and/or styled-components.
- Dynamic imports are now analyzed more precisely.
- Support for the following frameworks and libraries has been improved:
- @angular/*
- AWS Serverless
- Alibaba Serverless
- debounce
- bluebird
- call-limit
- classnames
- clsx
- express
- fast-json-stable-stringify
- fast-safe-stringify
- http
- javascript-stringify
- js-stringify
- json-stable-stringify
- json-stringify-safe
- json3
- jQuery throttle / debounce
- lodash
- lodash.debounce
- lodash.throttle
- needle
- object-inspect
- pretty-format
- react
- react-router-dom
- react-redux
- redis
- redux
- stringify-object
- styled-components
- throttle-debounce
- underscore
- Analyzing files with the ".cjs" extension is now supported.
- ES2021 features are now supported.
New queries
Query | Tags | Purpose |
---|---|---|
Changes to existing queries
Query | Expected impact | Change |
---|---|---|
Potentially unsafe external link (js/unsafe-external-link) | Fewer results | This query no longer flags URLs constructed using a template system where only the hash or query part of the URL is dynamic. |
Incomplete URL substring sanitization (js/incomplete-url-substring-sanitization) | More results | This query now recognizes additional URLs when the substring check is an inclusion check. |
Ambiguous HTML id attribute (js/duplicate-html-id) | Results no longer shown | Precision tag reduced to "low". The query is no longer run by default. |
Unused loop iteration variable (js/unused-loop-variable) | Fewer results | This query no longer flags variables in a destructuring array assignment that are not the last variable in the destructured array. |
Unsafe shell command constructed from library input (js/shell-command-constructed-from-input) | More results | This query now recognizes more commands where colon, dash, and underscore are used. |
Unsafe jQuery plugin (js/unsafe-jquery-plugin) | More results | This query now detects more unsafe uses of nested option properties. |
Client-side URL redirect (js/client-side-unvalidated-url-redirection) | More results | This query now recognizes some unsafe uses of importScripts() inside WebWorkers. |
Missing CSRF middleware (js/missing-token-validation) | More results | This query now recognizes writes to cookie and session variables as potentially vulnerable to CSRF attacks. |
Missing CSRF middleware (js/missing-token-validation) | Fewer results | This query now recognizes more ways of protecting against CSRF attacks. |
Client-side cross-site scripting (js/xss) | More results | This query now tracks data flow from location.hash more precisely. |
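The inclusion check that js/incomplete-url-substring-sanitization flags, beside a hostname comparison that the query does not flag, as an added example that is not part of these change notes or of the CodeQL libraries; TRUSTED_HOST and the sample URLs are constructed values:

```javascript
// Added example (not from the CodeQL change notes): the substring pattern
// that js/incomplete-url-substring-sanitization reports, next to a check
// that compares the parsed hostname instead.
const TRUSTED_HOST = "example.com"; // constructed sample value

// Incomplete: an inclusion check on the raw string accepts any URL that
// merely contains the trusted host somewhere, e.g. in a query parameter.
function isTrustedBySubstring(url) {
  return url.includes(TRUSTED_HOST);
}

// Hardened: parse the URL and compare the hostname exactly, or as a
// proper subdomain; anything that does not parse is rejected.
function isTrustedByHostname(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  const host = parsed.hostname.toLowerCase();
  return host === TRUSTED_HOST || host.endsWith("." + TRUSTED_HOST);
}

// Constructed sample inputs; only the first two should be trusted.
const SAMPLES = [
  "https://example.com/path",
  "https://api.example.com/v1",
  "https://example.com.other.test/",
  "https://other.test/?next=https://example.com",
  "not a url",
];

// Run both checks over the samples so the difference is visible per input.
function compareChecks(urls) {
  return urls.map((u) => ({
    url: u,
    substring: isTrustedBySubstring(u),
    hostname: isTrustedByHostname(u),
  }));
}
```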
Changes to libraries
- The predicate TypeAnnotation.hasQualifiedName now works in more cases when the imported library was not present during extraction.
- The class DomBasedXss::Configuration has been deprecated, as it has been split into DomBasedXss::HtmlInjectionConfiguration and DomBasedXss::JQueryHtmlOrSelectorInjectionConfiguration. Unless specifically working with jQuery sinks, subclasses should instead be based on HtmlInjectionConfiguration. To use both configurations in a query, see Xss.ql for an example.