Catch up with recent change notes

Author: Dave Bartolomeo

python/ql/lib/change-notes/2021-11-15-model-wsgiref-simple-server-app.md

@@ -0,0 +1,5 @@
+---
+category: majorAnalysis
+tags: [lgtm,codescanning]
+---
+* Added modeling of `wsgiref.simple_server` applications, leading to new remote flow sources.

python/ql/lib/change-notes/2021-11-16-os-stat.md

@@ -0,0 +1,5 @@
+---
+category: majorAnalysis
+tags: [lgtm,codescanning]
+---
+* Added modeling of `os.stat`, `os.lstat`, `os.statvfs`, `os.fstat`, and `os.fstatvfs`, which are new sinks for the _Uncontrolled data used in path expression_ (`py/path-injection`) query.

python/ql/lib/change-notes/2021-11-16-posixpath.md

@@ -0,0 +1,5 @@
+---
+category: majorAnalysis
+tags: [lgtm,codescanning]
+---
+* Added modeling of the `posixpath`, `ntpath`, and `genericpath` modules for path operations (although these are not supposed to be used), resulting in new sinks for the _Uncontrolled data used in path expression_ (`py/path-injection`) query.

python/ql/src/change-notes/2021-11-12-fix-pyhton-query-ids.md

@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+tags: [lgtm,codescanning]
+---
+* Fixed the query ids of two queries that are meant for manual exploration: `python/count-untrusted-data-external-api` and `python/untrusted-data-to-external-api` have been changed to `py/count-untrusted-data-external-api` and `py/untrusted-data-to-external-api`.

ruby/ql/src/change-notes/2021-11-04-csrf-protection-disabled.md

@@ -0,0 +1,5 @@
+---
+category: newQuery
+tags: [lgtm,codescanning]
+---
+* A new query (`rb/csrf-protection-disabled`) has been added. The query finds cases where cross-site forgery protection is explictly disabled.

ruby/ql/src/change-notes/2021-11-09-request-forgery.md

@@ -0,0 +1,5 @@
+---
+category: newQuery
+tags: [lgtm,codescanning]
+---
+* A new query (`rb/request-forgery`) has been added. The query finds HTTP requests made with user-controlled URLs.