4 | 4 |
5 | 5 | * Modelling of taint flow through array operations has been improved. This may give additional results for the security queries. |
6 | 6 |
| 7 | +* The taint tracking library now recognizes additional sanitization patterns. This may give fewer false-positive results for the security queries. |
| 8 | + |
7 | 9 | * Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features: |
8 | 10 | - file system access, for example through [fs-extra](https://github.com/jprichardson/node-fs-extra) or [globby](https://www.npmjs.com/package/globby) |
9 | 11 |
| 12 | +* The type inference now handles nested imports (that is, imports not appearing at the toplevel). This may yield fewer false-positive results on projects that use this non-standard language feature. |
10 | 13 |
11 | 14 | ## New queries |
12 | 15 |
13 | 16 | | **Query** | **Tags** | **Purpose** | |
14 | 17 | |-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |
15 | 18 | | Enabling Node.js integration for Electron web content renderers (`js/enabling-electron-renderer-node-integration`) | security, frameworks/electron, external/cwe/cwe-094 | Highlights Electron web content renderer preferences with Node.js integration enabled, indicating a violation of [CWE-94](https://cwe.mitre.org/data/definitions/94.html). Results are not shown on LGTM by default. | |
| 19 | +| File data in outbound network request | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request. Results are not shown on LGTM by default. | |
| 20 | +| Host header poisoning in email generation | security, external/cwe/cwe-640 | Highlights code that generates emails with links that can be hijacked by HTTP host header poisoning, indicating a violation of [CWE-640](https://cwe.mitre.org/data/definitions/640.html). Results shown on LGTM by default. | |
| 21 | +| Replacement of a substring with itself (`js/identity-replacement`) | correctness, security, external/cwe/cwe-116 | Highlights string replacements that replace a string with itself, which usually indicates a mistake. Results shown on LGTM by default. | |
16 | 22 | | Stored cross-site scripting (`js/stored-xss`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights uncontrolled stored values flowing into HTML content, indicating a violation of [CWE-079](https://cwe.mitre.org/data/definitions/79.html). Results shown on LGTM by default. | |
| 23 | +| Unclear precedence of nested operators (`js/unclear-operator-precedence`) | maintainability, correctness, external/cwe/cwe-783 | Highlights nested binary operators whose relative precedence is easy to misunderstand. Results shown on LGTM by default. | |
| 24 | +| User-controlled data in file | security, external/cwe/cwe-912 | Highlights locations where user-controlled data is written to a file. Results are not shown on LGTM by default. | |
17 | 25 |
18 | 26 | ## Changes to existing queries |
19 | 27 |
20 | 28 | | **Query** | **Expected impact** | **Change** | |
21 | 29 | |--------------------------------|----------------------------|----------------------------------------------| |
| 30 | +| Useless assignment to local variable | Fewer false-positive results | This rule now recognizes additional ways default values can be set. | |
22 | 31 | | Regular expression injection | Fewer false-positive results | This rule now identifies calls to `String.prototype.search` with more precision. | |
23 | 32 | | Unbound event handler receiver | Fewer false-positive results | This rule now recognizes additional ways class methods can be bound. | |
24 | 33 | | Remote property injection | Fewer results | The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. | |
25 | 34 | | Missing CSRF middleware | Fewer false-positive results | This rule now recognizes additional CSRF protection middlewares. | |
| 35 | +| Server-side URL redirect | More results | This rule now recognizes redirection calls in more cases. | |
| 36 | +| Whitespace contradicts operator precedence | Fewer false-positive results | This rule no longer flags operators with asymmetric whitespace. | |
26 | 37 |
27 | 38 | ## Changes to QL libraries |
| 39 | + |
| 40 | +* The flow configuration framework now supports distinguishing and tracking different kinds of taint, specified by an extensible class `FlowLabel` (which can also be referred to by its alias `TaintKind`). |
| 41 | + |
| 42 | +* The `DataFlow::ThisNode` class now corresponds to the implicit receiver parameter of a function, as opposed to an indivdual `this` expression. This means `getALocalSource` now maps all `this` expressions within a given function to the same source. The data-flow node associated with a `ThisExpr` can no longer be cast to `DataFlow::SourceNode` or `DataFlow::ThisNode` - it is recomended to use `getALocalSource` before casting or instead of casting. |
| 43 | + |
| 44 | +* `ReactComponent::getAThisAccess` has been renamed to `getAThisNode`. The old name is still usable but is deprecated. It no longer gets individual `this` expressions, but the `ThisNode` mentioned above. |
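Review bot: the new `DataFlow::ThisNode` bullet under "Changes to QL libraries" has two spelling errors that should be fixed before merging: "indivdual" should read "individual" and "recomended" should read "recommended"; the same bullet joins two sentences with a bare hyphen ("… `DataFlow::ThisNode` - it is recomended …"), so consider splitting it into two sentences to match the other notes. In the "New queries" table, the added rows "File data in outbound network request", "Host header poisoning in email generation" and "User-controlled data in file" omit the query identifier in parentheses that every other row provides (for example `js/stored-xss`), and the first and last of those also omit the CWE link that the other rows carry in the "Purpose" column; adding the identifiers and links keeps the table consistent and lets readers map each entry to the query and the CWE it cites. Minor: "toplevel" in the nested-imports bullet should be "top level".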