No user-facing changes.
No user-facing changes.
- Added models for the
sqlite
andbetter-sqlite3
npm packages. - TypeScript 5.3 is now supported.
No user-facing changes.
No user-facing changes.
- The contents of
.jsp
files are now extracted, and any<script>
tags inside these files will be parsed as JavaScript. - Import attributes are now supported in JavaScript code.
Note that import attributes are an evolution of an earlier proposal called "import assertions", which were implemented in TypeScript 4.5.
The QL library includes new predicates named
getImportAttributes()
that should be used in favor of the now deprecatedgetImportAssertion()
; in addition, thegetImportAttributes()
method of theDynamicImportExpr
has been renamed togetImportOptions()
. - Deleted the deprecated
getAnImmediateUse
,getAUse
,getARhs
, andgetAValueReachingRhs
predicates from theAPI::Node
class. - Deleted the deprecated
mayReferToParameter
predicate fromDataFlow::Node
. - Deleted the deprecated
getStaticMethod
andgetAStaticMethod
predicates fromDataFlow::ClassNode
. - Deleted the deprecated
isLibaryFile
predicate fromClassifyFiles.qll
, useisLibraryFile
instead. - Deleted many library models that were build on the AST. Use the new models that are build on the dataflow library instead.
- Deleted the deprecated
semmle.javascript.security.performance
folder, usesemmle.javascript.security.regexp
instead. - Tagged template literals have been added to
DataFlow::CallNode
. This allows the analysis to find flow into functions called with a tagged template literal, and the arguments to a tagged template literal are part of the API-graph inApiGraphs.qll
.
No user-facing changes.
No user-facing changes.
- Added support for TypeScript 5.2.
No user-facing changes.
- Added
log-injection
as a customizable sink kind for log injection.
No user-facing changes.
- Added models for the Webix Framework.
No user-facing changes.
- Added support for TypeScript 5.1.
- Deleted many deprecated predicates and classes with uppercase
XML
,JSON
,URL
,API
, etc. in their names. Use the PascalCased versions instead. - Deleted the deprecated
localTaintStep
predicate fromDataFlow.qll
. - Deleted the deprecated
stringStep
, andlocalTaintStep
predicates fromTaintTracking.qll
. - Deleted many modules that started with a lowercase letter. Use the versions that start with an uppercase letter instead.
- Deleted the deprecated
HtmlInjectionConfiguration
andJQueryHtmlOrSelectorInjectionConfiguration
classes fromDomBasedXssQuery.qll
, useConfiguration
instead. - Deleted the deprecated
DefiningIdentifier
class and theDefinitions.qll
file it was in. UseSsaDefinition
instead. - Deleted the deprecated
definitionReaches
,localDefinitionReaches
,getAPseudoDefinitionInput
,nextDefAfter
, andlocalDefinitionOverwrites
predicates fromDefUse.qll
. - Updated the following JavaScript sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
command-line-injection
tocommand-injection
credentials[kind]
tocredentials-kind
- Added a support of sub modules in
node_modules
.
- Improved the queries for injection vulnerabilities in GitHub Actions workflows (
js/actions/command-injection
andjs/actions/pull-request-target
) and the associated librarysemmle.javascript.Actions
. These now support steps defined in composite actions, in addition to steps defined in Actions workflow files. It supports more potentially untrusted input values. Additionally to the shell injections it now also detects injections inactions/github-script
. It also detects simple injections from user controlled${{ env.name }}
. Additionally to theyml
extension now it also supports workflows with theyaml
extension.
- The Yaml.qll library was moved into a shared library pack named
codeql/yaml
to make it possible for other languages to re-use it. This change should be backwards compatible for existing JavaScript queries.
- Added support for TypeScript 5.0.
router.push
androuter.replace
inNext.js
are now considered as XSS sink.- The crypto-js module in
CryptoLibraries.qll
now supports progressive hashing with algo.update().
No user-facing changes.
- Deleted the deprecated
getPath
andgetFolder
predicates from theXmlFile
class. - Deleted the deprecated
getId
from theFunction
,NamespaceDefinition
, andImportEqualsDeclaration
classes. - Deleted the deprecated
flowsTo
predicate from theHTTP::Servers::RequestSource
andHTTP::Servers::ResponseSource
class. - Deleted the deprecated
getEventName
predicate from theSocketIO::ReceiveNode
,SocketIO::SendNode
,SocketIOClient::SendNode
classes. - Deleted the deprecated
RateLimitedRouteHandlerExpr
andRouteHandlerExpressionWithRateLimiter
classes. - Import assertions are now supported. Previously this feature was only supported in TypeScript code, but is now supported for plain JavaScript as well and is also accessible in the AST.
- The
CryptographicOperation
concept has been changed to use a range pattern. This is a breaking change and existing implementations ofCryptographicOperation
will need to be updated in order to compile. These implementations can be updated by:- Extending
CryptographicOperation::Range
rather thanCryptographicOperation
- Renaming the
getInput()
member predicate asgetAnInput()
- Implementing the
BlockMode getBlockMode()
member predicate. The implementation for this can benone()
if the operation is a hashing operation or an encryption operation using a stream cipher.
- Extending
- Added dataflow sources for the express-ws library.
- Added sinks from the
node-pty
library to thejs/code-injection
query.
No user-facing changes.
- Improved support for Restify framework, leading to more results when scanning applications developed with this framework.
- Added support for the Spife framework.
- Deleted the deprecated
Instance
class from theVue
module. - Deleted the deprecated
VHtmlSourceWrite
class fromDomBasedXssQuery.qll
. - Deleted all the deprecated
[QueryName].qll
files from thejavascript/ql/lib/semmle/javascript/security/dataflow
folder, use the corresponding[QueryName]Query.qll
files instead. - The ReDoS libraries in
semmle.code.javascript.security.regexp
has been moved to a shared pack inside theshared/
folder, and the previous location has been deprecated.
No user-facing changes.
No user-facing changes.
- Added support for TypeScript 4.9.
No user-facing changes.
No user-facing changes.
- Several of the SQL and NoSQL library models have improved, leading to more results for the
js/sql-injection
query, and in some cases thejs/missing-rate-limiting
query.
-
Many library models have been rewritten to use dataflow nodes instead of the AST. The types of some classes have been changed, and these changes may break existing code. Other classes and predicates have been renamed, in these cases the old name is still available as a deprecated feature.
-
The basetype of the following list of classes has changed from an expression to a dataflow node, and thus code using these classes might break. The fix to these breakages is usually to use
asExpr()
to get an expression from a dataflow node, or to use.flow()
to get a dataflow node from an expression.- DOM.qll#WebStorageWrite
- CryptoLibraries.qll#CryptographicOperation
- Express.qll#Express::RequestBodyAccess
- HTTP.qll#HTTP::ResponseBody
- HTTP.qll#HTTP::CookieDefinition
- HTTP.qll#HTTP::ServerDefinition
- HTTP.qll#HTTP::RouteSetup
- NoSQL.qll#NoSql::Query
- SQL.qll#SQL::SqlString
- SQL.qll#SQL::SqlSanitizer
- HTTP.qll#ResponseBody
- HTTP.qll#CookieDefinition
- HTTP.qll#ServerDefinition
- HTTP.qll#RouteSetup
- HTTP.qll#HTTP::RedirectInvocation
- HTTP.qll#RedirectInvocation
- Express.qll#Express::RouterDefinition
- AngularJSCore.qll#LinkFunction
- Connect.qll#Connect::StandardRouteHandler
- CryptoLibraries.qll#CryptographicKeyCredentialsExpr
- AWS.qll#AWS::Credentials
- Azure.qll#Azure::Credentials
- Connect.qll#Connect::Credentials
- DigitalOcean.qll#DigitalOcean::Credentials
- Express.qll#Express::Credentials
- NodeJSLib.qll#NodeJSLib::Credentials
- PkgCloud.qll#PkgCloud::Credentials
- Request.qll#Request::Credentials
- ServiceDefinitions.qll#InjectableFunctionServiceRequest
- SensitiveActions.qll#SensitiveVariableAccess
- SensitiveActions.qll#CleartextPasswordExpr
- Connect.qll#Connect::ServerDefinition
- Restify.qll#Restify::ServerDefinition
- Connect.qll#Connect::RouteSetup
- Express.qll#Express::RouteSetup
- Fastify.qll#Fastify::RouteSetup
- Hapi.qll#Hapi::RouteSetup
- Koa.qll#Koa::RouteSetup
- Restify.qll#Restify::RouteSetup
- NodeJSLib.qll#NodeJSLib::RouteSetup
- Express.qll#Express::StandardRouteHandler
- Express.qll#Express::SetCookie
- Hapi.qll#Hapi::RouteHandler
- HTTP.qll#HTTP::Servers::StandardHeaderDefinition
- HTTP.qll#Servers::StandardHeaderDefinition
- Hapi.qll#Hapi::ServerDefinition
- Koa.qll#Koa::AppDefinition
- SensitiveActions.qll#SensitiveCall
- Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- Added support for TypeScript 4.8.
- A model for the
mermaid
library has been added. XSS queries can now detect flow through therender
method of themermaid
library.
- Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- The utility files previously in the
semmle.javascript.security.performance
package have been moved to thesemmle.javascript.security.regexp
package.
The previous files still exist as deprecated aliases.
- Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- Fixed that top-level
for await
statements would produce a syntax error. These statements are now parsed correctly.
- The
chownr
library is now modeled as a sink for thejs/path-injection
query. - Improved modeling of sensitive data sources, so common words like
certain
andsecretary
are no longer considered a certificate and a secret (respectively). - The
gray-matter
library is now modeled as a sink for thejs/code-injection
query.
- Added support for TypeScript 4.7.
- All new ECMAScript 2022 features are now supported.
- The
isLibaryFile
predicate fromClassifyFiles.qll
has been renamed toisLibraryFile
to fix a typo.
- The
ReflectedXss
,StoredXss
,XssThroughDom
, andExceptionXss
modules fromXss.qll
have been deprecated.
Use theCustomizations.qll
file belonging to the query instead.
- The cash library is now modelled as an alias for JQuery.
Sinks and sources from cash should now be handled by all XSS queries. - Added the
Selection
api as a DOM text source in thejs/xss-through-dom
query. - The security queries now recognize drag and drop data as a source, enabling the queries to flag additional alerts.
- The security queries now recognize ClipboardEvent function parameters as a source, enabling the queries to flag additional alerts.
- The following predicates on
API::Node
have been changed so as not to include the receiver. The receiver should now only be accessed viagetReceiver()
.getParameter(int i)
previously included the receiver wheni = -1
getAParameter()
previously included the receivergetLastParameter()
previously included the receiver for calls with no arguments
- Some predicates from
DefUse.qll
,DataFlow.qll
,TaintTracking.qll
,DOM.qll
,Definitions.qll
that weren't used by any query have been deprecated. The documentation for each predicate points to an alternative. - Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- Some modules that started with a lowercase letter have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- Added support for TypeScript 4.6.
- Added sources from the
jszip
library to thejs/zipslip
query.
- The
codeql/javascript-upgrades
CodeQL pack has been removed. All upgrades scripts have been merged into thecodeql/javascript-all
CodeQL pack.
- TypeScript 4.5 is now supported.