From 0b6cdda3522d50e96ad00d8172c78d58b1e10c2b Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Wed, 5 Dec 2018 10:18:48 +0000 Subject: [PATCH 1/9] Remove template text and reorganize sections --- change-notes/1.19/extractor-javascript.md | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/change-notes/1.19/extractor-javascript.md b/change-notes/1.19/extractor-javascript.md index 8aa278e623c5..3377d6c8cc8a 100644 --- a/change-notes/1.19/extractor-javascript.md +++ b/change-notes/1.19/extractor-javascript.md @@ -2,18 +2,6 @@ # Improvements to JavaScript analysis -> NOTES -> -> Please describe your changes in terms that are suitable for -> customers to read. These notes will have only minor tidying up -> before they are published as part of the release notes. -> -> This file is written for lgtm users and should contain *only* -> notes about changes that affect lgtm enterprise users. Add -> any other customer-facing changes to the `studio-java.md` -> file. -> - ## General improvements * On LGTM, files whose name ends in `.min.js` or `-min.js` are no longer extracted by default, since they most likely contain minified code and results in these files would be hidden by default anyway. To extract such files anyway, you can add the following filters to your `lgtm.yml` file (or add them to existing filters): @@ -27,13 +15,12 @@ extraction: - include: "**/*-min.js" ``` -## Changes to code extraction - * The TypeScript compiler is now bundled with the distribution, and no longer needs to be installed manually. Should the compiler version need to be overridden, set the `SEMMLE_TYPESCRIPT_HOME` environment variable to point to an installation of the `typescript` NPM package. +## Changes to code extraction + * The extractor now supports [Optional Chaining](https://github.com/tc39/proposal-optional-chaining) expressions. * The extractor now supports additional [Flow](https://flow.org/) syntax. - 
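Review bot: the first hunk deletes the template block that told authors this file must contain only notes affecting LGTM Enterprise users and that other customer-facing changes belong in `studio-java.md`; removing it from the published text is right, but that routing rule now lives nowhere in the 1.19 change-notes tree, so consider keeping it as an HTML comment at the top of the file or in the contributor docs so the next author does not put non-LGTM items here.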
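Review bot: in the second hunk the TypeScript bullet moves under "General improvements", which leaves "Changes to code extraction" holding only the Optional Chaining and Flow items; that is fine, but the moved bullet should say which `typescript` versions the extractor accepts when `SEMMLE_TYPESCRIPT_HOME` is used to override the bundled compiler, and should make clear that the extractor loads and runs whatever package that path points to, so it has to be a trusted installation rather than an arbitrary directory on the build host.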
From 3f529e194ce6331b30101231ba2e45699453c137 Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Wed, 5 Dec 2018 11:22:42 +0000 Subject: [PATCH 2/9] Text updates --- change-notes/1.19/analysis-javascript.md | 82 +++++++++++------------ change-notes/1.19/extractor-javascript.md | 11 +-- 2 files changed, 47 insertions(+), 46 deletions(-) diff --git a/change-notes/1.19/analysis-javascript.md b/change-notes/1.19/analysis-javascript.md index 2572c5058dd5..44ce4b436eea 100644 --- a/change-notes/1.19/analysis-javascript.md +++ b/change-notes/1.19/analysis-javascript.md 
@@ -4,74 +4,74 @@ * Modeling of taint flow through array and buffer operations has been improved. This may give additional results for the security queries. -* Support for AMD modules has been improved. This may give additional results for the security queries as well as any queries that use type inference on code bases that use such modules. +* Support for AMD modules has been improved. This may give additional results for the security queries, as well as any queries that use type inference on code bases that use such modules. * Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features: - - file system access, for example through [fs-extra](https://github.com/jprichardson/node-fs-extra) or [globby](https://www.npmjs.com/package/globby) - - outbound network access, for example through the [fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API) - - the [lodash](https://lodash.com), [underscore](https://underscorejs.org/), [async](https://www.npmjs.com/package/async) and [async-es](https://www.npmjs.com/package/async-es) libraries + - File system access, for example, through [fs-extra](https://github.com/jprichardson/node-fs-extra) or [globby](https://www.npmjs.com/package/globby) + - Outbound network access, for example, through the [fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API) + - The [lodash](https://lodash.com), [underscore](https://underscorejs.org/), [async](https://www.npmjs.com/package/async) and [async-es](https://www.npmjs.com/package/async-es) libraries * The taint tracking library now recognizes additional sanitization patterns. This may give fewer false-positive results for the security queries. * Type inference for function calls has been improved. This may give additional results for queries that rely on type inference. -* Where applicable, path explanations have been added to the security queries. 
+* Path explanations have been added to the relevant security queries. +Use [QL for Eclipse](https://help.semmle.com/ql-for-eclipse/Content/WebHelp/getting-started.html) +to run queries and explore the data flow in results. ## New queries | **Query** | **Tags** | **Purpose** | |-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Enabling Node.js integration for Electron web content renderers (`js/enabling-electron-renderer-node-integration`) | security, frameworks/electron, external/cwe/cwe-094 | Highlights Electron web content renderer preferences with Node.js integration enabled, indicating a violation of [CWE-94](https://cwe.mitre.org/data/definitions/94.html). Results are not shown on LGTM by default. | -| File data in outbound network request | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request. Results are not shown on LGTM by default. | -| Hard-coded data interpreted as code | security, external/cwe/cwe-506 | Highlights locations where hard-coded data is transformed and then executed as code or interpreted as an import path, which may indicate embedded malicious code ([CWE-506](https://cwe.mitre.org/data/definitions/506.html)). Results are not shown on LGTM by default. | -| Host header poisoning in email generation | security, external/cwe/cwe-640 | Highlights code that generates emails with links that can be hijacked by HTTP host header poisoning, indicating a violation of [CWE-640](https://cwe.mitre.org/data/definitions/640.html). Results shown on LGTM by default. 
| +| Enabling Node.js integration for Electron web content renderers (`js/enabling-electron-renderer-node-integration`) | security, frameworks/electron, external/cwe/cwe-094 | Highlights Electron web content renderer preferences with Node.js integration enabled, indicating a violation of [CWE-94](https://cwe.mitre.org/data/definitions/94.html). Results are hidden on LGTM by default. | +| File data in outbound network request (`js/file-access-to-http`) | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request. Non-LGTM | +| Hard-coded data interpreted as code (`js/hardcoded-data-interpreted-as-code`) | security, external/cwe/cwe-506 | Highlights locations where hard-coded data is transformed and then executed as code or interpreted as an import path, which may indicate embedded malicious code ([CWE-506](https://cwe.mitre.org/data/definitions/506.html)). Results are hidden on LGTM by default. | +| Host header poisoning in email generation (`js/host-header-forgery-in-email-generation`)| security, external/cwe/cwe-640 | Highlights code that generates emails with links that can be hijacked by HTTP host header poisoning, indicating a violation of [CWE-640](https://cwe.mitre.org/data/definitions/640.html). Results shown on LGTM by default. | | Replacement of a substring with itself (`js/identity-replacement`) | correctness, security, external/cwe/cwe-116 | Highlights string replacements that replace a string with itself, which usually indicates a mistake. Results shown on LGTM by default. | | Stored cross-site scripting (`js/stored-xss`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights uncontrolled stored values flowing into HTML content, indicating a violation of [CWE-079](https://cwe.mitre.org/data/definitions/79.html). Results shown on LGTM by default. 
| | Unclear precedence of nested operators (`js/unclear-operator-precedence`) | maintainability, correctness, external/cwe/cwe-783 | Highlights nested binary operators whose relative precedence is easy to misunderstand. Results shown on LGTM by default. | | Unneeded defensive code | correctness, external/cwe/cwe-570, external/cwe/cwe-571 | Highlights locations where defensive code is not needed. Results are shown on LGTM by default. | | Unsafe dynamic method access (`js/unsafe-dynamic-method-access` ) | security, external/cwe/cwe-094 | Highlights code that invokes a user-controlled method on an object with unsafe methods. Results are shown on LGTM by default. | | Unvalidated dynamic method access (`js/unvalidated-dynamic-method-call` ) | security, external/cwe/cwe-754 | Highlights code that invokes a user-controlled method without guarding against exceptional circumstances. Results are shown on LGTM by default. | -| Useless assignment to property | maintainability | Highlights property assignments whose value is always overwritten. Results are shown on LGTM by default. | -| User-controlled data in file | security, external/cwe/cwe-912 | Highlights locations where user-controlled data is written to a file. Results are not shown on LGTM by default. | +| Useless assignment to property (`js/useless-assignment-to-property`) | maintainability | Highlights property assignments whose value is always overwritten. Results are shown on LGTM by default. | +| User-controlled data written to file (`js/http-to-file-access`) | security, external/cwe/cwe-912 | Highlights locations where user-controlled data is written to a file. Non-LGTM | ## Changes to existing queries | **Query** | **Expected impact** | **Change** | |--------------------------------|----------------------------|----------------------------------------------| -| Ambiguous HTML id attribute | Lower severity | The severity of this rule has been revised to "warning". 
| -| Clear-text logging of sensitive information | Fewer results | This rule now tracks flow more precisely. | -| Client side cross-site scripting | More results | This rule now also flags HTML injection in the body of an email. | -| Client-side URL redirect | Fewer false-positive results | This rule now recognizes safe redirects in more cases. | -| Conflicting HTML element attributes | Lower severity | The severity of this rule has been revised to "warning". | -| Duplicate 'if' condition | Lower severity | The severity of this rule has been revised to "warning". | -| Duplicate switch case | Lower severity | The severity of this rule has been revised to "warning". | -| Inconsistent use of 'new' | Simpler result presentation | This rule now only shows one call with `new` and one without. | -| Information exposure through a stack trace | More results | This rule now also flags cases where the entire exception object (including the stack trace) may be exposed. | -| Missing 'this' qualifier | Fewer false-positive results | This rule now recognizes additional intentional calls to global functions. | -| Missing CSRF middleware | Fewer false-positive results | This rule now recognizes additional CSRF protection middlewares. | -| Missing variable declaration | Lower severity | The severity of this rule has been revised to "warning". | -| Regular expression injection | Fewer false-positive results | This rule now identifies calls to `String.prototype.search` with more precision. | -| Remote property injection | Fewer results | The precision of this rule has been revised to "medium". Furthermore, it no longer flags dynamic method calls, which are now handled by two new queries. Results are no longer shown on LGTM by default. | -| Self assignment | Fewer false-positive results | This rule now ignores self-assignments preceded by a JSDoc comment with a `@type` tag. 
| -| Server-side URL redirect | Fewer false-positive results | This rule now recognizes safe redirects in more cases. | -| Server-side URL redirect | More results | This rule now recognizes redirection calls in more cases. | -| Unbound event handler receiver | Fewer false-positive results | This rule now recognizes additional ways class methods can be bound. | -| Uncontrolled data used in remote request | More results | This rule now recognizes additional kinds of requests. | -| Unknown directive | Fewer false positives results | This rule now recognizes YUI compressor directives. | -| Unused import | Fewer false-positive results | This rule no longer flags imports used by the `transform-react-jsx` Babel plugin. | -| Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that may be used by `eval` calls. | -| Unused variable, import, function or class | Fewer results | This rule now flags import statements with multiple unused imports once. | -| Useless assignment to local variable | Fewer false-positive results | This rule now recognizes additional ways default values can be set. | -| Useless conditional | More results, fewer false-positive results | This rule now recognizes conditionals in more cases, but no longer flags certain defensive coding patterns. | -| Whitespace contradicts operator precedence | Fewer false-positive results | This rule no longer flags operators with asymmetric whitespace. | -| Wrong use of 'this' for static method | More results, fewer false-positive results | This rule now recognizes inherited methods. | +| Ambiguous HTML id attribute | Lower severity | Severity revised to "warning". | +| Clear-text logging of sensitive information | Fewer results | Query now tracks flow more precisely. | +| Client side cross-site scripting | More results | HTML injection in the body of an email is also highlighted. 
| +| Client-side URL redirect | Fewer false positive results | Safe redirects recognized in more cases. | +| Conflicting HTML element attributes | Lower severity | Severity revised to "warning". | +| Duplicate 'if' condition | Lower severity | Severity revised to "warning". | +| Duplicate switch case | Lower severity | Severity revised to "warning". | +| Inconsistent use of 'new' | Simpler result presentation | Results show one call with `new` and one without. | +| Information exposure through a stack trace | More results | Cases where the entire exception object (including the stack trace) may be exposed are highlighted. | +| Missing 'this' qualifier | Fewer false positive results | Additional intentional calls to global functions are recognized. | +| Missing CSRF middleware | Fewer false positive results | Additional types of CSRF protection middleware are recognized. | +| Missing variable declaration | Lower severity | Severity revised to "warning". | +| Regular expression injection | Fewer false positive results | Calls to `String.prototype.search` are identified with more precision. | +| Remote property injection | Fewer results | No longer highlights dynamic method calls, which are now handled by two new queries: TODO. The precision of this rule has been revised to "medium", reflecting the precision of the remaining results. Results are now hidden on LGTM by default. | +| Self assignment | Fewer false positive results | Self-assignments preceded by a JSDoc comment with a `@type` tag are no longer highlighted. | +| Server-side URL redirect | More results and fewer false positive results | More redirection calls are identified. More safe redirections are recognized and ignored. | +| Unbound event handler receiver | Fewer false positive results | Additional ways that class methods can be bound are recognized. | +| Uncontrolled data used in remote request | More results | Additional kinds of requests are identified. 
| +| Unknown directive | Fewer false positives results | YUI compressor directives are now recognized. | +| Unused import | Fewer false positive results | Imports used by the `transform-react-jsx` Babel plugin are no longer highlighted. | +| Unused variable, import, function or class | Fewer false positive results and fewer results | Fewer variables that may be used by `eval` calls are highlighted. Only one result is reported for an import statement with multiple unused imports. | +| Useless assignment to local variable | Fewer false positive results | Additional ways default values can be set are recognized. | +| Useless conditional | More results, fewer false positive results | More types of conditional are recognized. Additional defensive coding patterns are now ignored. | +| Whitespace contradicts operator precedence | Fewer false positive results | Operators with asymmetric whitespace are no longer highlighted. | +| Wrong use of 'this' for static method | More results, fewer false-positive results | Inherited methods are now identified. | ## Changes to QL libraries -* A `DataFlow::ParameterNode` instance now exists for all function parameters. Previously, unused parameters did not have a corresponding dataflow node. +* A `DataFlow::ParameterNode` instance now exists for all function parameters. Previously, unused parameters did not have a corresponding data-flow node. -* `ReactComponent::getAThisAccess` has been renamed to `getAThisNode`. The old name is still usable but is deprecated. It no longer gets individual `this` expressions, but the `ThisNode` mentioned above. +* `ReactComponent::getAThisAccess` has been renamed to `getAThisNode`. The old name is still usable but is deprecated. It no longer gets individual `this` expressions, but the `ThisNode` mentioned below. -* The `DataFlow::ThisNode` class now corresponds to the implicit receiver parameter of a function, as opposed to an indivdual `this` expression. 
This means `getALocalSource` now maps all `this` expressions within a given function to the same source. The data-flow node associated with a `ThisExpr` can no longer be cast to `DataFlow::SourceNode` or `DataFlow::ThisNode` - it is recomended to use `getALocalSource` before casting or instead of casting. +* The `DataFlow::ThisNode` class now corresponds to the implicit receiver parameter of a function, as opposed to an individual `this` expression. This means that `getALocalSource` now maps all `this` expressions within a given function to the same source. The data-flow node associated with a `ThisExpr` can no longer be cast to `DataFlow::SourceNode` or `DataFlow::ThisNode`. Using `getALocalSource` before casting, or instead of casting, is recommended. * The flow configuration framework now supports distinguishing and tracking different kinds of taint, specified by an extensible class `FlowLabel` (which can also be referred to by its alias `TaintKind`). diff --git a/change-notes/1.19/extractor-javascript.md b/change-notes/1.19/extractor-javascript.md index 3377d6c8cc8a..d51b79627e36 100644 --- a/change-notes/1.19/extractor-javascript.md +++ b/change-notes/1.19/extractor-javascript.md @@ -4,7 +4,7 @@ ## General improvements -* On LGTM, files whose name ends in `.min.js` or `-min.js` are no longer extracted by default, since they most likely contain minified code and results in these files would be hidden by default anyway. To extract such files anyway, you can add the following filters to your `lgtm.yml` file (or add them to existing filters): +* On LGTM, files whose name ends in `.min.js` or `-min.js` are no longer extracted by default. These files usually contain minified code and any alerts in these files would be hidden by default. If you still want to extract code from these files, you can add the following filters to your `lgtm.yml` file (or add them to existing filters): ```yaml extraction: 
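Review bot: the "Remote property injection" row in this hunk still reads "two new queries: TODO"; both ids are already in the new-queries table in the same hunk (`js/unsafe-dynamic-method-access` and `js/unvalidated-dynamic-method-call`), so fill them in before this is published. The same table now mixes three phrasings for one fact ("Results are hidden on LGTM by default", "Non-LGTM", "Results shown on LGTM by default"); pick one, and define "Non-LGTM" if it stays, since a customer reading the release notes cannot tell whether it means hidden by default or not run at all. Minor: "Fewer false positives results" in the "Unknown directive" row should be "Fewer false positive results", and the last row still uses "false-positive" while every other row was changed to "false positive".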
@@ -15,12 +15,13 @@ extraction: - include: "**/*-min.js" ``` -* The TypeScript compiler is now bundled with the distribution, and no longer needs to be installed manually. - Should the compiler version need to be overridden, set the `SEMMLE_TYPESCRIPT_HOME` environment variable to +* The TypeScript compiler is now included in the LGTM Enterprise and Ql command-line tools installations, and you no longer need to install it manually. + If you need to override the compiler version, set the `SEMMLE_TYPESCRIPT_HOME` environment variable to point to an installation of the `typescript` NPM package. ## Changes to code extraction -* The extractor now supports [Optional Chaining](https://github.com/tc39/proposal-optional-chaining) expressions. +The extractor now supports: -* The extractor now supports additional [Flow](https://flow.org/) syntax. +* [Optional Chaining](https://github.com/tc39/proposal-optional-chaining) expressions. +* Additional [Flow](https://flow.org/) syntax. From fcce4616d8497d10234ec2a95b4fe013c1666edb Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Wed, 5 Dec 2018 11:23:55 +0000 Subject: [PATCH 3/9] Move new non-LGTM queries into separate section --- change-notes/1.19/analysis-javascript.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/change-notes/1.19/analysis-javascript.md b/change-notes/1.19/analysis-javascript.md index 44ce4b436eea..f7220dde0123 100644 --- a/change-notes/1.19/analysis-javascript.md +++ b/change-notes/1.19/analysis-javascript.md 
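Review bot: "LGTM Enterprise and Ql command-line tools installations" in the extractor-javascript.md hunk should read "LGTM Enterprise and the QL command-line tools" (the product name is "QL", and "installations" reads as if it modifies only the command-line tools); the rest of the rewording, including the "The extractor now supports:" list, reads well.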
@@ -19,12 +19,11 @@ Use [QL for Eclipse](https://help.semmle.com/ql-for-eclipse/Content/WebHelp/getting-started.html) to run queries and explore the data flow in results. -## New queries +## New LGTM queries | **Query** | **Tags** | **Purpose** | |-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Enabling Node.js integration for Electron web content renderers (`js/enabling-electron-renderer-node-integration`) | security, frameworks/electron, external/cwe/cwe-094 | Highlights Electron web content renderer preferences with Node.js integration enabled, indicating a violation of [CWE-94](https://cwe.mitre.org/data/definitions/94.html). Results are hidden on LGTM by default. | -| File data in outbound network request (`js/file-access-to-http`) | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request. Non-LGTM | | Hard-coded data interpreted as code (`js/hardcoded-data-interpreted-as-code`) | security, external/cwe/cwe-506 | Highlights locations where hard-coded data is transformed and then executed as code or interpreted as an import path, which may indicate embedded malicious code ([CWE-506](https://cwe.mitre.org/data/definitions/506.html)). Results are hidden on LGTM by default. | | Host header poisoning in email generation (`js/host-header-forgery-in-email-generation`)| security, external/cwe/cwe-640 | Highlights code that generates emails with links that can be hijacked by HTTP host header poisoning, indicating a violation of [CWE-640](https://cwe.mitre.org/data/definitions/640.html). Results shown on LGTM by default. 
| | Replacement of a substring with itself (`js/identity-replacement`) | correctness, security, external/cwe/cwe-116 | Highlights string replacements that replace a string with itself, which usually indicates a mistake. Results shown on LGTM by default. | @@ -34,7 +33,14 @@ to run queries and explore the data flow in results. | Unsafe dynamic method access (`js/unsafe-dynamic-method-access` ) | security, external/cwe/cwe-094 | Highlights code that invokes a user-controlled method on an object with unsafe methods. Results are shown on LGTM by default. | | Unvalidated dynamic method access (`js/unvalidated-dynamic-method-call` ) | security, external/cwe/cwe-754 | Highlights code that invokes a user-controlled method without guarding against exceptional circumstances. Results are shown on LGTM by default. | | Useless assignment to property (`js/useless-assignment-to-property`) | maintainability | Highlights property assignments whose value is always overwritten. Results are shown on LGTM by default. | -| User-controlled data written to file (`js/http-to-file-access`) | security, external/cwe/cwe-912 | Highlights locations where user-controlled data is written to a file. Non-LGTM | + +## Other new queries + +| **Query** | **Tags** | **Purpose** | +|-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| File data in outbound network request (`js/file-access-to-http`) | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request.| +| User-controlled data written to file (`js/http-to-file-access`) | security, external/cwe/cwe-912 | Highlights locations where user-controlled data is written to a file. | + ## Changes to existing queries From a273668cf38919fbd2513bbe7ed5b12a15cecede Mon Sep 17 00:00:00 2001 
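Review bot: the new "Other new queries" section in the second hunk drops the "Non-LGTM" marker from the two rows it moves (`js/file-access-to-http` and `js/http-to-file-access`) without replacing it, so nothing now tells the reader what separates this table from "New LGTM queries"; add one sentence under the heading stating that these queries are not run on LGTM, which is the only meaning the removed marker carried. Minor: `network request.|` is missing the space before the pipe, and the hunk leaves two blank lines before "## Changes to existing queries" where the file uses one elsewhere.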
From: Felicity Chapman Date: Wed, 5 Dec 2018 11:39:34 +0000 Subject: [PATCH 4/9] Add missing query ids --- change-notes/1.19/analysis-javascript.md | 49 ++++++++++++------------ 1 file changed, 24 insertions(+), 25 deletions(-) diff --git a/change-notes/1.19/analysis-javascript.md b/change-notes/1.19/analysis-javascript.md index f7220dde0123..2c5e1d11ea7f 100644 --- a/change-notes/1.19/analysis-javascript.md +++ b/change-notes/1.19/analysis-javascript.md 
@@ -46,31 +46,30 @@ to run queries and explore the data flow in results. | **Query** | **Expected impact** | **Change** | |--------------------------------|----------------------------|----------------------------------------------| -| Ambiguous HTML id attribute | Lower severity | Severity revised to "warning". | -| Clear-text logging of sensitive information | Fewer results | Query now tracks flow more precisely. | -| Client side cross-site scripting | More results | HTML injection in the body of an email is also highlighted. | -| Client-side URL redirect | Fewer false positive results | Safe redirects recognized in more cases. | -| Conflicting HTML element attributes | Lower severity | Severity revised to "warning". | -| Duplicate 'if' condition | Lower severity | Severity revised to "warning". | -| Duplicate switch case | Lower severity | Severity revised to "warning". | -| Inconsistent use of 'new' | Simpler result presentation | Results show one call with `new` and one without. | -| Information exposure through a stack trace | More results | Cases where the entire exception object (including the stack trace) may be exposed are highlighted. | -| Missing 'this' qualifier | Fewer false positive results | Additional intentional calls to global functions are recognized. | -| Missing CSRF middleware | Fewer false positive results | Additional types of CSRF protection middleware are recognized. | -| Missing variable declaration | Lower severity | Severity revised to "warning". | -| Regular expression injection | Fewer false positive results | Calls to `String.prototype.search` are identified with more precision. | -| Remote property injection | Fewer results | No longer highlights dynamic method calls, which are now handled by two new queries: TODO. The precision of this rule has been revised to "medium", reflecting the precision of the remaining results. Results are now hidden on LGTM by default. 
| -| Self assignment | Fewer false positive results | Self-assignments preceded by a JSDoc comment with a `@type` tag are no longer highlighted. | -| Server-side URL redirect | More results and fewer false positive results | More redirection calls are identified. More safe redirections are recognized and ignored. | -| Unbound event handler receiver | Fewer false positive results | Additional ways that class methods can be bound are recognized. | -| Uncontrolled data used in remote request | More results | Additional kinds of requests are identified. | -| Unknown directive | Fewer false positives results | YUI compressor directives are now recognized. | -| Unused import | Fewer false positive results | Imports used by the `transform-react-jsx` Babel plugin are no longer highlighted. | -| Unused variable, import, function or class | Fewer false positive results and fewer results | Fewer variables that may be used by `eval` calls are highlighted. Only one result is reported for an import statement with multiple unused imports. | -| Useless assignment to local variable | Fewer false positive results | Additional ways default values can be set are recognized. | -| Useless conditional | More results, fewer false positive results | More types of conditional are recognized. Additional defensive coding patterns are now ignored. | -| Whitespace contradicts operator precedence | Fewer false positive results | Operators with asymmetric whitespace are no longer highlighted. | -| Wrong use of 'this' for static method | More results, fewer false-positive results | Inherited methods are now identified. | +| Ambiguous HTML id attribute (`js/duplicate-html-id`) | Lower severity | Severity revised to "warning". | +| Clear-text logging of sensitive information (`js/clear-text-logging`) | Fewer results | Query now tracks flow more precisely. | +| Client side cross-site scripting (`js/xss`) | More results | HTML injection in the body of an email is also highlighted. 
| +| Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | Fewer false positive results | Safe redirects recognized in more cases. | +| Conflicting HTML element attributes (`js/conflicting-html-attribute`) | Lower severity | Severity revised to "warning". | +| Duplicate 'if' condition (`js/duplicate-condition`) | Lower severity | Severity revised to "warning". | +| Duplicate switch case (`js/duplicate-switch-case`) | Lower severity | Severity revised to "warning". | +| Inconsistent use of 'new' (`js/inconsistent-use-of-new`) | Simpler result presentation | Results show one call with `new` and one without. | +| Information exposure through a stack trace (`js/stack-trace-exposure`) | More results | Cases where the entire exception object (including the stack trace) may be exposed are highlighted. | +| Missing 'this' qualifier (`js/missing-this-qualifier`) | Fewer false positive results | Additional intentional calls to global functions are recognized. | +| Missing CSRF middleware (`js/missing-token-validation`) | Fewer false positive results | Additional types of CSRF protection middleware are recognized. | +| Missing variable declaration (`js/missing-variable-declaration`) | Lower severity | Severity revised to "warning". | +| Regular expression injection (`js/regex-injection`) | Fewer false positive results | Calls to `String.prototype.search` are identified with more precision. | +| Remote property injection (`js/remote-property-injection`) | Fewer results | No longer highlights dynamic method calls, which are now handled by two new queries: TODO. The precision of this rule has been revised to "medium", reflecting the precision of the remaining results. Results are now hidden on LGTM by default. | +| Self assignment (`js/redundant-assignment`) | Fewer false positive results | Self-assignments preceded by a JSDoc comment with a `@type` tag are no longer highlighted. 
| +| Server-side URL redirect (`js/server-side-unvalidated-url-redirection`) | More results and fewer false positive results | More redirection calls are identified. More safe redirections are recognized and ignored. | +| Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | Additional ways that class methods can be bound are recognized. | +| Uncontrolled data used in network request (`js/request-forgery`) | More results | Additional kinds of requests are identified. | +| Unknown directive (`js/unknown-directive`) | Fewer false positives results | YUI compressor directives are now recognized. | +| Unused variable, import, function or class (`js/unused-local-variable`) | Fewer false positive results and fewer results | Imports used by the `transform-react-jsx` Babel plugin and fewer variables that may be used by `eval` calls are highlighted. Only one result is reported for an import statement with multiple unused imports. | +| Useless assignment to local variable (`js/useless-assignment-to-local`) | Fewer false positive results | Additional ways default values can be set are recognized. | +| Useless conditional (`js/trivial-conditional`) | More results, fewer false positive results | More types of conditional are recognized. Additional defensive coding patterns are now ignored. | +| Whitespace contradicts operator precedence (`js/whitespace-contradicts-precedence`) | Fewer false positive results | Operators with asymmetric whitespace are no longer highlighted. | +| Wrong use of 'this' for static method (`js/mixed-static-instance-this-access`) | More results, fewer false-positive results | Inherited methods are now identified. | ## Changes to QL libraries From 610318168ff55a19408756c95c612b242dd5a4b2 Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Wed, 5 Dec 2018 12:36:03 +0000 Subject: [PATCH 5/9] Fix TODO --- change-notes/1.19/analysis-javascript.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
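Review bot: merging the "Unused import" row into "Unused variable, import, function or class" inverted its meaning: the removed row said imports used by the `transform-react-jsx` Babel plugin "are no longer highlighted", while the merged row says they "are highlighted". Suggested wording: "Imports used by the `transform-react-jsx` Babel plugin, and fewer variables that may be used by `eval` calls, are no longer highlighted." Also confirm against the query sources that "Unused import" really is reported under `js/unused-local-variable`; if it has its own `@id`, keep it as a separate row rather than folding it in. "Fewer false positives results" in the "Unknown directive" row is still a typo.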
diff --git a/change-notes/1.19/analysis-javascript.md b/change-notes/1.19/analysis-javascript.md index 2c5e1d11ea7f..250d01a9d6d3 100644 --- a/change-notes/1.19/analysis-javascript.md +++ b/change-notes/1.19/analysis-javascript.md 
@@ -59,7 +59,7 @@ to run queries and explore the data flow in results. | Missing CSRF middleware (`js/missing-token-validation`) | Fewer false positive results | Additional types of CSRF protection middleware are recognized. | | Missing variable declaration (`js/missing-variable-declaration`) | Lower severity | Severity revised to "warning". | | Regular expression injection (`js/regex-injection`) | Fewer false positive results | Calls to `String.prototype.search` are identified with more precision. | -| Remote property injection (`js/remote-property-injection`) | Fewer results | No longer highlights dynamic method calls, which are now handled by two new queries: TODO. The precision of this rule has been revised to "medium", reflecting the precision of the remaining results. Results are now hidden on LGTM by default. | +| Remote property injection (`js/remote-property-injection`) | Fewer results | No longer highlights dynamic method calls, which are now handled by two new queries: `js/unsafe-dynamic-method-access` and `js/unvalidated-dynamic-method-call`. The precision of this rule has been revised to "medium", reflecting the precision of the remaining results. Results are now hidden on LGTM by default. | | Self assignment (`js/redundant-assignment`) | Fewer false positive results | Self-assignments preceded by a JSDoc comment with a `@type` tag are no longer highlighted. | | Server-side URL redirect (`js/server-side-unvalidated-url-redirection`) | More results and fewer false positive results | More redirection calls are identified. More safe redirections are recognized and ignored. | | Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | Additional ways that class methods can be bound are recognized. | From 75e9f9f5ca5e6c69935bd2ef3f99d8a103204428 Mon Sep 17 00:00:00 2001 
From: Max Schaefer Date: Thu, 6 Dec 2018 08:25:47 +0000 Subject: [PATCH 6/9] Update change-notes/1.19/analysis-javascript.md Add CWE reference. Co-Authored-By: felicity-semmle --- change-notes/1.19/analysis-javascript.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/change-notes/1.19/analysis-javascript.md b/change-notes/1.19/analysis-javascript.md index 250d01a9d6d3..03b7b35548ac 100644 --- a/change-notes/1.19/analysis-javascript.md +++ b/change-notes/1.19/analysis-javascript.md @@ -38,7 +38,7 @@ to run queries and explore the data flow in results. | **Query** | **Tags** | **Purpose** | |-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| File data in outbound network request (`js/file-access-to-http`) | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request.| +| File data in outbound network request (`js/file-access-to-http`) | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request, possibly indicating a violation of [CWE-200](https://cwe.mitre.org/data/definitions/200.html). | | User-controlled data written to file (`js/http-to-file-access`) | security, external/cwe/cwe-912 | Highlights locations where user-controlled data is written to a file. | From c6945ae0d4e86a3412884750f9ffbbe30611774f Mon Sep 17 00:00:00 2001 From: Max Schaefer Date: Thu, 6 Dec 2018 08:26:17 +0000 Subject: [PATCH 7/9] Update change-notes/1.19/analysis-javascript.md Add CWE reference Co-Authored-By: felicity-semmle --- change-notes/1.19/analysis-javascript.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/change-notes/1.19/analysis-javascript.md b/change-notes/1.19/analysis-javascript.md index 03b7b35548ac..552cddfbddbc 100644 
--- a/change-notes/1.19/analysis-javascript.md +++ b/change-notes/1.19/analysis-javascript.md @@ -39,7 +39,7 @@ to run queries and explore the data flow in results. | **Query** | **Tags** | **Purpose** | |-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | File data in outbound network request (`js/file-access-to-http`) | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request, possibly indicating a violation of [CWE-200](https://cwe.mitre.org/data/definitions/200.html). | -| User-controlled data written to file (`js/http-to-file-access`) | security, external/cwe/cwe-912 | Highlights locations where user-controlled data is written to a file. | +| User-controlled data written to file (`js/http-to-file-access`) | security, external/cwe/cwe-434, external/cwe/cwe-912 | Highlights locations where user-controlled data is written to a file, possibly indicating a violation of [CWE-912](https://cwe.mitre.org/data/definitions/912.html). | ## Changes to existing queries From 5845a17887d355de0ee9747e64fd7ad22994d319 Mon Sep 17 00:00:00 2001 From: Max Schaefer Date: Thu, 6 Dec 2018 08:26:37 +0000 Subject: [PATCH 8/9] Update change-notes/1.19/extractor-javascript.md Fix typo Co-Authored-By: felicity-semmle --- change-notes/1.19/extractor-javascript.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/change-notes/1.19/extractor-javascript.md b/change-notes/1.19/extractor-javascript.md index d51b79627e36..06c7b0cb0cb2 100644 --- a/change-notes/1.19/extractor-javascript.md +++ b/change-notes/1.19/extractor-javascript.md 
@@ -15,7 +15,7 @@ extraction: - include: "**/*-min.js" ``` -* The TypeScript compiler is now included in the LGTM Enterprise and Ql command-line tools installations, and you no longer need to install it manually. +* The TypeScript compiler is now included in the LGTM Enterprise and QL command-line tools installations, and you no longer need to install it manually. If you need to override the compiler version, set the `SEMMLE_TYPESCRIPT_HOME` environment variable to point to an installation of the `typescript` NPM package. From 9ac8b665a5202b4349e253ce984de203d13354c9 Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Thu, 6 Dec 2018 08:32:10 +0000 Subject: [PATCH 9/9] Move non-LGTM query into correct location --- change-notes/1.19/analysis-javascript.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/change-notes/1.19/analysis-javascript.md b/change-notes/1.19/analysis-javascript.md index 552cddfbddbc..88e44ec0ffed 100644 --- a/change-notes/1.19/analysis-javascript.md +++ b/change-notes/1.19/analysis-javascript.md 
@@ -23,11 +23,10 @@ to run queries and explore the data flow in results. | **Query** | **Tags** | **Purpose** | |-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Enabling Node.js integration for Electron web content renderers (`js/enabling-electron-renderer-node-integration`) | security, frameworks/electron, external/cwe/cwe-094 | Highlights Electron web content renderer preferences with Node.js integration enabled, indicating a violation of [CWE-94](https://cwe.mitre.org/data/definitions/94.html). Results are hidden on LGTM by default. | | Hard-coded data interpreted as code (`js/hardcoded-data-interpreted-as-code`) | security, external/cwe/cwe-506 | Highlights locations where hard-coded data is transformed and then executed as code or interpreted as an import path, which may indicate embedded malicious code ([CWE-506](https://cwe.mitre.org/data/definitions/506.html)). Results are hidden on LGTM by default. | -| Host header poisoning in email generation (`js/host-header-forgery-in-email-generation`)| security, external/cwe/cwe-640 | Highlights code that generates emails with links that can be hijacked by HTTP host header poisoning, indicating a violation of [CWE-640](https://cwe.mitre.org/data/definitions/640.html). Results shown on LGTM by default. | +| Host header poisoning in email generation (`js/host-header-forgery-in-email-generation`)| security, external/cwe/cwe-640 | Highlights code that generates emails with links that can be hijacked by HTTP host header poisoning, indicating a potential violation of [CWE-640](https://cwe.mitre.org/data/definitions/640.html). Results shown on LGTM by default. 
| | Replacement of a substring with itself (`js/identity-replacement`) | correctness, security, external/cwe/cwe-116 | Highlights string replacements that replace a string with itself, which usually indicates a mistake. Results shown on LGTM by default. | -| Stored cross-site scripting (`js/stored-xss`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights uncontrolled stored values flowing into HTML content, indicating a violation of [CWE-079](https://cwe.mitre.org/data/definitions/79.html). Results shown on LGTM by default. | +| Stored cross-site scripting (`js/stored-xss`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights uncontrolled stored values flowing into HTML content, indicating a potential violation of [CWE-079](https://cwe.mitre.org/data/definitions/79.html). Results shown on LGTM by default. | | Unclear precedence of nested operators (`js/unclear-operator-precedence`) | maintainability, correctness, external/cwe/cwe-783 | Highlights nested binary operators whose relative precedence is easy to misunderstand. Results shown on LGTM by default. | | Unneeded defensive code | correctness, external/cwe/cwe-570, external/cwe/cwe-571 | Highlights locations where defensive code is not needed. Results are shown on LGTM by default. | | Unsafe dynamic method access (`js/unsafe-dynamic-method-access` ) | security, external/cwe/cwe-094 | Highlights code that invokes a user-controlled method on an object with unsafe methods. Results are shown on LGTM by default. | 
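Review bot: In the first hunk of PATCH 9/9 (`@@ -23,11 +23,10 @@`), the "potential violation" rewording is applied only to the Host header poisoning and Stored cross-site scripting rows, so the table now mixes three phrasings in its unchanged context lines: "indicating a potential violation", "which may indicate" (Hard-coded data interpreted as code) and the plain "indicating a violation" that was just removed elsewhere. Since this commit is already touching these rows, pick one phrasing for the whole table. Three smaller issues in the surrounding context rows are also worth fixing in the same hunk: the "Unneeded defensive code" row is the only one without a query id in parentheses; the "Unsafe dynamic method access (`js/unsafe-dynamic-method-access` )" row has a stray space before the closing parenthesis; and the final sentence alternates between "Results shown on LGTM by default." and "Results are shown on LGTM by default."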
@@ -38,8 +37,9 @@ to run queries and explore the data flow in results. | **Query** | **Tags** | **Purpose** | |-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| File data in outbound network request (`js/file-access-to-http`) | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request, possibly indicating a violation of [CWE-200](https://cwe.mitre.org/data/definitions/200.html). | -| User-controlled data written to file (`js/http-to-file-access`) | security, external/cwe/cwe-434, external/cwe/cwe-912 | Highlights locations where user-controlled data is written to a file, possibly indicating a violation of [CWE-912](https://cwe.mitre.org/data/definitions/912.html). | +| Enabling Node.js integration for Electron web content renderers (`js/enabling-electron-renderer-node-integration`) | security, frameworks/electron, external/cwe/cwe-094 | Highlights Electron web content renderer preferences with Node.js integration enabled, indicating a potential violation of [CWE-94](https://cwe.mitre.org/data/definitions/94.html). | +| File data in outbound network request (`js/file-access-to-http`) | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request, indicating a potential violation of [CWE-200](https://cwe.mitre.org/data/definitions/200.html). | +| User-controlled data written to file (`js/http-to-file-access`) | security, external/cwe/cwe-434, external/cwe/cwe-912 | Highlights locations where user-controlled data is written to a file, indicating a potential violation of [CWE-912](https://cwe.mitre.org/data/definitions/912.html). | ## Changes to existing queries
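Review bot: In the table hunk that precedes PATCH 5/9 (the `+` rows from "Client-side URL redirect" through "Wrong use of 'this' for static method"), several rows need wording fixes. The "Unknown directive" row reads "Fewer false positives results"; every other row uses "Fewer false positive results". The "Wrong use of 'this' for static method" row hyphenates "fewer false-positive results" while the rest of the table does not. The "Unused variable, import, function or class" row is ambiguous: "Imports used by the `transform-react-jsx` Babel plugin and fewer variables that may be used by `eval` calls are highlighted" can be read as saying those imports are now highlighted, which contradicts the "Fewer false positive results" column; state explicitly that such imports are no longer highlighted and that fewer `eval`-reachable variables are reported. Finally, the "Remote property injection" row lands with a literal "TODO" placeholder that is only filled in by PATCH 5/9; squash that fix into this commit so no intermediate revision ships the placeholder.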
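Review bot: In the PATCH 5/9 hunk (`@@ -59,7 +59,7 @@`), the two query ids substituted for the TODO, `js/unsafe-dynamic-method-access` and `js/unvalidated-dynamic-method-call`, should be cross-checked against the new-queries table in the same file: only `js/unsafe-dynamic-method-access` is visible as a row in this series, so confirm that `js/unvalidated-dynamic-method-call` has a matching row with exactly that id, otherwise readers will follow a reference to a query the notes never describe. Also, the same row says "The precision of this rule has been revised", while the rest of the document consistently says "query"; "The precision of this query" would match.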
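Review bot: In the PATCH 6/9 hunk (`@@ -38,7 +38,7 @@`), the phrase introduced here, "possibly indicating a violation of [CWE-200]", is rewritten again to "indicating a potential violation of [CWE-200]" in the second hunk of PATCH 9/9; settling the wording once and squashing the two changes would avoid two commits editing the same clause. The auto-generated subject "Update change-notes/1.19/analysis-javascript.md" also says nothing about the change; a subject such as "Add CWE-200 reference to js/file-access-to-http note" would make the history readable.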
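Review bot: In the PATCH 7/9 hunk (`@@ -39,7 +39,7 @@`), the tag column gains `external/cwe/cwe-434` while the purpose text links only CWE-912, and the commit message ("Add CWE reference") does not mention that a second CWE tag is being added. Either link both weaknesses in the purpose text (for example "..., indicating a potential violation of [CWE-434](https://cwe.mitre.org/data/definitions/434.html) or [CWE-912](https://cwe.mitre.org/data/definitions/912.html).") or keep the tag change out of a commit described as a reference fix, and note the added tag in the commit message.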
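Review bot: In the second hunk of PATCH 9/9 (`@@ -38,8 +37,9 @@`), the moved Electron row drops the sentence "Results are hidden on LGTM by default." that it carried in the first table. That is correct only if this second table is understood to list queries that are not run on LGTM at all, which the visible context (just the `**Query** | **Tags** | **Purpose**` header) does not state; check that the table's introductory sentence says so, or readers will assume the Electron query is shown on LGTM. The row ordering is also worth confirming: the new Electron row is inserted above "File data in outbound network request", which keeps the table alphabetical, and the line counts in the header (8 lines becoming 9) are consistent with the one-row removal in the first hunk.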