Skip to content

Commit 4a459c8

Browse files
asgerfasgerf
authored
Merge pull request github#3755 from esbena/js/polish-imcs
JS: polish js/incomplete-html-attribute-sanitization
2 parents eca5e2d + d4ad9a8 commit 4a459c8

File tree

3 files changed

+3
-17
lines changed

3 files changed

+3
-17
lines changed

change-notes/1.25/analysis-javascript.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,7 @@
4242
| Storage of sensitive information in build artifact (`js/build-artifact-leak`) | security, external/cwe/cwe-312 | Highlights storage of sensitive information in build artifacts. Results are shown on LGTM by default. |
4343
| Improper code sanitization (`js/bad-code-sanitization`) | security, external/cwe/cwe-094, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights string concatenation where code is constructed without proper sanitization. Results are shown on LGTM by default. |
4444
| Resource exhaustion (`js/resource-exhaustion`) | security, external/cwe/cwe-770 | Highlights operations that may cause the resources of the application to be exhausted. Results are shown on LGTM by default. |
45+
| Incomplete multi-character sanitization (`js/incomplete-multi-character-sanitization`) | correctness, security, external/cwe/cwe-20, external/cwe/cwe-116 | Highlights sanitizers that fail to remove dangerous substrings completely. Results are shown on LGTM by default. |
4546

4647
## Changes to existing queries
4748

javascript/config/suites/javascript/security

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@
1919
+ semmlecode-javascript-queries/Security/CWE-094/CodeInjection.ql: /Security/CWE/CWE-094
2020
+ semmlecode-javascript-queries/Security/CWE-094/UnsafeDynamicMethodAccess.ql: /Security/CWE/CWE-094
2121
+ semmlecode-javascript-queries/Security/CWE-116/IncompleteSanitization.ql: /Security/CWE/CWE-116
22+
+ semmlecode-javascript-queries/Security/CWE-116/IncompleteMultiCharacterSanitization.ql: /Security/CWE/CWE-116
2223
+ semmlecode-javascript-queries/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql: /Security/CWE/CWE-116
2324
+ semmlecode-javascript-queries/Security/CWE-116/DoubleEscaping.ql: /Security/CWE/CWE-116
2425
+ semmlecode-javascript-queries/Security/CWE-134/TaintedFormatString.ql: /Security/CWE/CWE-134

javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.qhelp

Lines changed: 1 addition & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -3,22 +3,6 @@
33
"qhelp.dtd">
44
<qhelp>
55

6-
<overview>
7-
8-
</overview>
9-
10-
<recommendation>
11-
12-
</recommendation>
13-
14-
<example>
15-
16-
</example>
17-
18-
<references>
19-
20-
<li>OWASP Top 10: <a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">A1 Injection</a>.</li>
21-
22-
</references>
6+
<include src="IncompleteSanitization.qhelp" />
237

248
</qhelp>

0 commit comments

Comments
 (0)