diff --git a/change-notes/1.24/analysis-javascript.md b/change-notes/1.24/analysis-javascript.md
index 1a666cea01cd..bbedb3bc1f4f 100644
--- a/change-notes/1.24/analysis-javascript.md
+++ b/change-notes/1.24/analysis-javascript.md
@@ -64,6 +64,7 @@
 | Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional ways dangerous paths can be constructed and used. |
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional ways of constructing arguments to `cmd.exe` and `/bin/sh`. |
 | Syntax error (`js/syntax-error`) | Lower severity | This results of this query are now displayed with lower severity. |
+| Use of password hash with insufficient computational effort (`js/insufficient-password-hash`) | Fewer false positive results | This query now recognizes additional cases that do not require secure hashing. |
 ## Changes to libraries
diff --git a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
index d3bcc289a50c..0a5a701ab820 100644
--- a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
+++ b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
@@ -63,10 +63,11 @@ module HeuristicNames {
 /**
 * Gets a regular expression that identifies strings that may indicate the presence of data
- * that is hashed or encrypted, and hence rendered non-sensitive.
+ * that is hashed or encrypted, and hence rendered non-sensitive, or contains special characters
+ * suggesting nouns within the string do not represent the meaning of the whole string (e.g. a URL or a SQL query).
 */
 string notSensitive() {
- result = "(?is).*(redact|censor|obfuscate|hash|md5|sha|((?