|
4 | 4 |
|
5 | 5 | * TypeScript 3.8 is now supported.
|
6 | 6 |
|
7 |
| -* Alert suppression can now be done with single-line block comments (`/* ... */`) as well as line comments (`// ...`). |
| 7 | +* You can now suppress alerts using either single-line block comments (`/* ... */`) or line comments (`// ...`). |
8 | 8 |
|
9 | 9 | * Resolution of imports has improved, leading to more results from the security queries:
|
10 | 10 | - Imports with the `.js` extension can now be resolved to a TypeScript file,
|
11 |
| - when the import refers to a file generated by TypeScript. |
| 11 | + when the import refers to a file generated by TypeScript. |
12 | 12 | - Imports that rely on path-mappings from a `tsconfig.json` file can now be resolved.
|
13 | 13 | - Export declarations of the form `export * as ns from "x"` are now analyzed more precisely.
|
14 | 14 |
|
15 | 15 | * The analysis of sanitizers has improved, leading to more accurate results from the security queries.
|
16 | 16 | In particular:
|
17 |
| - - Sanitizer guards now act across function boundaries in more cases. |
18 |
| - - Sanitizers can now better distinguish between a tainted value and an object _containing_ a tainted value. |
| 17 | + - Sanitizer guards now act across function boundaries in more cases. |
| 18 | + - Sanitizers can now better distinguish between a tainted value and an object _containing_ a tainted value. |
19 | 19 |
|
20 | 20 | * Call graph construction has been improved, leading to more results from the security queries:
|
21 |
| - - Calls can now be resolved to indirectly-defined class members in more cases. |
22 |
| - - Calls through partial invocations such as `.bind` can now be resolved in more cases. |
| 21 | + - Calls can now be resolved to indirectly-defined class members in more cases. |
| 22 | + - Calls through partial invocations such as `.bind` can now be resolved in more cases. |
23 | 23 |
|
24 | 24 | * Support for flow summaries has been more clearly marked as being experimental and moved to the new `experimental` folder.
|
25 | 25 |
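Review bot: the rewritten bullet on line 7 switches to second person ("You can now suppress alerts using either ...") while the neighbouring bullets stay in the impersonal form ("Resolution of imports has improved", "Support for flow summaries has been more clearly marked ..."); pick one voice for the whole list, either keeping the original passive wording on line 7 or rephrasing the other bullets to match. The remaining changes in this hunk (the continuation line on line 11 and the nested bullets on lines 17-18 and 21-22) are whitespace-only indentation fixes, so it would help to confirm in the PR description that they were made so the sub-lists render nested under their parent bullets, and to check the rendered Markdown once more since the diff does not make the new indentation width visible.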
|
|
74 | 74 | | **Query** | **Expected impact** | **Change** |
|
75 | 75 | |--------------------------------|------------------------------|---------------------------------------------------------------------------|
|
76 | 76 | | Clear-text logging of sensitive information (`js/clear-text-logging`) | More results | More results involving `process.env` and indirect calls to logging methods are recognized. |
|
77 |
| -| Duplicate parameter names (`js/duplicate-parameter-name`) | Fewer results | This query now recognizes additional parameters that reasonably can have duplicated names. | |
| 77 | +| Duplicate parameter names (`js/duplicate-parameter-name`) | Fewer results | This query now ignores additional parameters that reasonably can have duplicated names. | |
78 | 78 | | Expression has no effect (`js/useless-expression`) | Fewer false positive results | The query now recognizes block-level flow type annotations and ignores the first statement of a try block. |
|
79 |
| -| Identical operands (`js/redundant-operation`) | Fewer results | This query now recognizes cases where the operands change a value using ++/-- expressions. | |
80 |
| -| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false positive results | This query now recognizes additional cases where a single replacement is likely to be intentional. | |
| 79 | +| Identical operands (`js/redundant-operation`) | Fewer results | This query now excludes cases where the operands change a value using ++/-- expressions. | |
| 80 | +| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false positive results | This query now recognizes and excludes additional cases where a single replacement is likely to be intentional. | |
81 | 81 | | Incomplete URL scheme check (`js/incomplete-url-scheme-check`) | More results | This query now recognizes more variations of URL scheme checks. |
|
82 | 82 | | Missing CSRF middleware (`js/missing-token-validation`) | Fewer false positive results | The query reports fewer duplicates and only flags handlers that explicitly access cookie data. |
|
83 |
| -| Superfluous trailing arguments (`js/superfluous-trailing-arguments`) | Fewer results | This query now recognizes cases where a function uses the `Function.arguments` value to process a variable number of parameters. | |
| 83 | +| Superfluous trailing arguments (`js/superfluous-trailing-arguments`) | Fewer results | This query now excludes cases where a function uses the `Function.arguments` value to process a variable number of parameters. | |
84 | 84 | | Syntax error (`js/syntax-error`) | Lower severity | This results of this query are now displayed with lower severity. |
|
85 | 85 | | Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | This query now recognizes additional ways event handler receivers can be bound. |
|
86 | 86 | | Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional ways of constructing arguments to `cmd.exe` and `/bin/sh`. |
|
87 | 87 | | Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional ways dangerous paths can be constructed and used. |
|
88 | 88 | | Use of call stack introspection in strict mode (`js/strict-mode-call-stack-introspection`) | Fewer false positive results | The query no longer flags expression statements. |
|
89 |
| -| Use of password hash with insufficient computational effort (`js/insufficient-password-hash`) | Fewer false positive results | This query now recognizes additional cases that do not require secure hashing. | |
90 |
| -| Useless regular-expression character escape (`js/useless-regexp-character-escape`) | Fewer false positive results | This query now distinguishes escapes in strings and regular expression literals. | |
| 89 | +| Use of password hash with insufficient computational effort (`js/insufficient-password-hash`) | Fewer false positive results | This query now recognizes and excludes additional cases that do not require secure hashing. | |
| 90 | +| Useless regular-expression character escape (`js/useless-regexp-character-escape`) | Fewer false positive results | This query now distinguishes between escapes in strings and regular expression literals. | |
91 | 91 |
|
92 | 92 | ## Changes to libraries
|
93 | 93 |
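Review bot: the unchanged row for Syntax error (`js/syntax-error`, line 84) carries a grammatical error, "This results of this query are now displayed with lower severity", which should read "The results of this query are now displayed with lower severity"; since this hunk is already rewording the table, fix it here. For consistency with the "recognizes" to "excludes"/"ignores" rewording applied on lines 77, 79, 80, 83 and 89, the Unbound event handler receiver row (line 85) still says "This query now recognizes additional ways event handler receivers can be bound" next to "Fewer false positive results", which reads as if recognizing more would produce more results; "now recognizes, and no longer flags, additional ways ..." would make the direction of the change explicit.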
|
|
97 | 97 | that combine taint-tracking and flow labels.
|
98 | 98 | - Sources added by the 1-argument `isSource` predicate are associated with the `taint` label now, instead of the `data` label.
|
99 | 99 | - Sanitizers now only block the `taint` label. As a result, sanitizers no longer block the flow of tainted values wrapped inside a property of an object.
|
100 |
| - To retain the old behavior, instead use a barrier, or block the `data` flow label using a labeled sanitizer. |
| 100 | + To retain the old behavior, instead use a barrier, or block the `data` flow label using a labeled sanitizer. |
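Review bot: the only change in this hunk is the leading whitespace on the continuation line "To retain the old behavior, instead use a barrier, ..." (line 100); verify in the rendered output that it now appears as part of the "Sanitizers now only block the `taint` label" bullet on line 99 rather than as a separate paragraph, since that bullet describes a behaviour change for existing custom taint-tracking configurations and the migration advice should sit directly under it.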