- Added django URLs to detected "safe" URL patterns in
js/unsafe-external-link.
- Lower the security severity of log-injection to medium.
- Increase the security severity of XSS to high.
- Added modeling for importing
express-rate-limitusing a named import.
- Added the
AmdModuleDefinition::Rangeclass, making it possible to define custom aliases for the AMDdefinefunction.
No user-facing changes.
- Fixed an extractor crash that could occur in projects containing TypeScript files larger than 10 MB.
- Files larger than 10 MB are no longer be extracted or analyzed.
- Imports can now be resolved in more cases, where a non-constant string expression is passed to a
require()call.
- Fixed an extractor crash that would occur in rare cases when a TypeScript file contains a self-referential namespace alias.
No user-facing changes.
No user-facing changes.
- The
fs/promisespackage is now recognised as an alias forrequire('fs').promises. - The
js/path-injectionquery can now track taint through calls topath.join()with a spread argument, such aspath.join(baseDir, ...args).
- The query "Arbitrary file write during zip extraction ("Zip Slip")" (
js/zipslip) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
No user-facing changes.
- Fixed an issue where calls to a method named
searchwould lead to false positive alerts related to regular expressions. This happened when the call was incorrectly seen as a call toString.prototype.search, since this function converts its first argument to a regular expression. The analysis is now more restrictive about when to treatsearchcalls as regular expression sinks.
- Added taint sources from the
@actions/coreand@actions/githubpackages. - Added command-injection sinks from the
@actions/execpackage.
- The
js/indirect-command-line-injectionquery no longer flags command arguments that cannot be interpreted as a shell string. - The
js/unsafe-deserializationquery no longer flags deserialization through thejs-yamllibrary, except when it is used with an unsafe schema. - The Forge module in
CryptoLibraries.qllnow correctly classifies SHA-512/224, SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers.
- Fixed a spurious diagnostic warning about comments in JSON files being illegal. Comments in JSON files are in fact fully supported, and the diagnostic message was misleading.
- Improved the call graph to better handle the case where a function is stored on
a plain object and subsequently copied to a new host object via an
extendcall.
- Fixes an issue that would cause TypeScript extraction to hang in rare cases when extracting code containing recursive generic type aliases.
- The
DisablingCertificateValidation.qlquery has been updated to checkcreateServerfromhttpsfor disabled certificate validation. - Improved the model of jQuery to account for XSS sinks where the HTML string
is provided via a callback. This may lead to more results for the
js/xssquery. - The
js/weak-cryptographic-algorithmquery now flags cryptograhic operations using a weak block mode, such as AES-ECB.
- Fixed a bug where a destructuring pattern could not be parsed if it had a property
named
getorsetwith a default value.
No user-facing changes.
- The following queries now recognize HTML sanitizers as propagating taint:
js/sql-injection,js/path-injection,js/server-side-unvalidated-url-redirection,js/client-side-unvalidated-url-redirection, andjs/request-forgery.
- The
js/regex-injectionquery now recognizes environment variables and command-line arguments as sources.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- The
AlertSuppression.qlquery has been updated to support the new// codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy// lgtmand// lgtm[query-id]comments can now also be placed on the line before an alert.
No user-facing changes.
No user-facing changes.
- Added support for
@hapi/glueand Hapi plugins to theframeworks/Hapi.qlllibrary.
- Fixed a bug that would cause the extractor to crash when an
importtype is used in theextendsclause of aninterface. - Fixed an issue with multi-line strings in YAML files being associated with an invalid location, causing alerts related to such strings to appear at the top of the YAML file.
- Added a new query,
js/second-order-command-line-injection, to detect shell commands that may execute arbitrary code when the user has control over the arguments to a command-line program. This currently flags up unsafe invocations of git and hg.
- Added sources for user defined path and query parameters in
Next.js. - The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
- Removed some false positives from the
js/file-system-racequery by requiring that the file-check dominates the file-access. - Improved taint tracking through
JSON.stringifyin cases where a tainted value is stored somewhere in the input object.
No user-facing changes.
- Improved how the JavaScript parser handles ambiguities between plain JavaScript and dialects such as Flow and E4X that use the same file extension. The parser now prefers plain JavaScript if possible, falling back to dialects only if the source code can not be parsed as plain JavaScript. Previously, there were rare cases where parsing would fail because the parser would erroneously attempt to parse dialect-specific syntax in a regular JavaScript file.
- The
js/regexp/always-matchesquery will no longer report an empty regular expression as always matching, as this is often the intended behavior.
- The alert message of many queries have been changed to make the message consistent with other languages.
- Fixed a bug in the
js/type-confusion-through-parameter-tamperingquery that would cause it to ignore sanitizers in branching conditions. The query should now report fewer false positives.
- Added a new query,
py/suspicious-regexp-range, to detect character ranges in regular expressions that seem to match too many characters.
- A new query "Case-sensitive middleware path" (
js/case-sensitive-middleware-path) has been added. It highlights middleware routes that can be bypassed due to having a case-sensitive regular expression path.
- Contextual queries and the query libraries they depend on have been moved to the
codeql/javascript-allpackage.
- The
js/resource-exhaustionquery no longer treats the 3-argument version ofBuffer.fromas a sink, since it does not allocate a new buffer.
- The
js/actions/command-injectionquery has been added. It highlights GitHub Actions workflows that may allow an attacker to execute arbitrary code in the workflow. The query previously existed an experimental query. - A new query
js/insecure-temporary-filehas been added. The query detects the creation of temporary files that may be accessible by others users. The query is not run by default.
- The
js/missing-origin-checkquery has been added. It highlights "message" event handlers that do not check the origin of the event.
The query previously existed as the experimentaljs/missing-postmessageorigin-verificationquery.
- The call graph now deals more precisely with calls to accessors (getters and setters). Previously, calls to static accessors were not resolved, and some method calls were incorrectly seen as calls to an accessor. Both issues have been fixed.
- The
js/resource-exhaustionquery has been added. It highlights locations where an attacker can cause a large amount of resources to be consumed. The query previously existed as an experimental query.
- Improved handling of custom DOM elements, potentially leading to more alerts for the XSS queries.
- Improved taint tracking through calls to the
Array.prototype.reducefunction.
- Fixed an issue that would sometimes prevent the data-flow analysis from finding flow paths through a function that stores its result on an object. This may lead to more results for the security queries.
- A new query,
js/functionality-from-untrusted-source, has been added to the query suite. It finds DOM elements that load functionality from untrusted sources, likescriptoriframeelements usinghttplinks. The query is run by default.
- The
js/request-forgeryquery previously flagged both server-side and client-side request forgery, but these are now handled by two different queries:js/request-forgeryis now specific to server-side request forgery. Its precision has been raised tohighand is now shown by default (it was previously in thesecurity-extendedsuite).js/client-side-request-forgeryis specific to client-side request forgery. This is technically a new query but simply flags a subset of what the old query did. This has precisionmediumand is part of thesecurity-extendedsuite.
- Added dataflow through the
snapdragonlibrary.
- A new query,
js/unsafe-code-construction, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitrary code execution. The query is not run by default. - A new query
js/file-system-racehas been added. The query detects when there is time between a file being checked and used. The query is not run by default. - A new query
js/jwt-missing-verificationhas been added. The query detects applications that don't verify JWT tokens. - The
js/insecure-dependencyquery has been added. It detects dependencies that are downloaded using an unencrypted connection.
- A new query
js/samesite-none-cookiehas been added. The query detects when the SameSite attribute is set to None on a sensitive cookie. - A new query
js/empty-password-in-configuration-filehas been added. The query detects empty passwords in configuration files. The query is not run by default.
- Support for handlebars templates has improved. Raw interpolation tags of the form
{{& ... }}are now recognized, as well as whitespace-trimming tags like{{~ ... }}. - Data flow is now tracked across middleware functions in more cases, leading to more security results in general. Affected packages are
expressandfastify. js/missing-token-validationhas been made more precise, yielding both fewer false positives and more true positives.
- TypeScript 4.5 is now supported.
- The
js/sensitive-get-queryquery has been added. It highlights GET requests that read sensitive information from the query string. - The
js/insufficient-key-sizequery has been added. It highlights the creation of cryptographic keys with a short key size. - The
js/session-fixationquery has been added. It highlights servers that reuse a session after a user has logged in.