- Data passed to the NextResponse constructor is now treated as a sink for
js/reflected-xss. - Data received from NextRequest and Request is now treated as a remote user input
source. - Added support for the
make-dirpackage. - Added support for the
openpackage. - Added taint propagation for
Uint8Array,ArrayBuffer,SharedArrayBufferandTextDecoder.decode(). - Improved detection of
WebSocketandSockJSusage. - Added data received from
WebSocketclients as a remote flow source. - Added support for additional
mkdirpmethods as sinks in path-injection queries. - Added support for additional
rimrafmethods as sinks in path-injection queries.
- Extraction now supports regular expressions with the
vflag, using the new operators:- Intersection
&& - Subtraction
-- \qquoted string
- Intersection
- Added support for TypeScript 5.8.
- Added support for additional
fs-extramethods as sinks in path-injection queries. - Added support for the newer version of
Hapiwith the@hapi/hapiimport andserverfunction. - Improved modeling of the
node:fsmodule:await-ed calls toreadandreadFileare now supported. - Added support for the
@sap/hana-client,@sap/hdbextandhdbpackages. - Enhanced
axiossupport with new methods (postForm,putForm,patchForm,getUri,create) and added support forinterceptors.requestandinterceptors.response. - Improved support for
gotpackage withOptions,paginate()andextend() - Added support for the
ApolloServerclass from@apollo/serverand similar packages. In particular, the incoming data in a GraphQL resolver is now seen as a source of untrusted user input. - Improved support for
superagentto handle the case where the package is directly called as a function, or via the.del()or.agent()method. - Added support for the
underscore.stringpackage. - Added additional flow step for
unescape()andescape(). - Added support for the
@tanstack/vue-querypackage. - Added taint-steps for
unescape(). - Added support for the
@tanstack/angular-query-experimentalpackage. - Improved support for the
@angular/common/httppackage, detecting outgoing HTTP requests in more cases. - Improved the modeling of the
markdown-tablepackage to ensure it handles nested arrays properly. - Added support for the
react-relaylibrary.
No user-facing changes.
- Added support for the
responsethreat model kind, which can enabled with advanced setup. When enabled, the response data coming back from an outgoing HTTP request is considered a source of taint. - Added support for the
useQueryhook from@tanstack/react-query.
- The
response.download()function inexpressis now recognized as a sink for path traversal attacks.
- Added support for regular expressions using the
vflag.
- Added new XSS sink where
innerHTMLorouterHTMLis assigned to with the Angular Renderer2 API, plus modeled this API as a general attribute setter
- Custom data flow queries will need to be migrated in order to use the shared data flow library. Until migrated, such queries will compile with deprecation warnings and run with a deprecated copy of the old data flow library. The deprecation layer will be removed in early 2026, after which any unmigrated queries will stop working. See more information in the migration guide.
- All data flow queries are now using the same underlying data flow library as the other languages analyses, replacing the old one written specifically for JavaScript/TypeScript. This is a significant change and users may consequently observe differences in the alerts generated by the analysis.
- The sensitive data library has been improved so that
snake_casestyle variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.
No user-facing changes.
- The
js/incomplete-sanitizationquery now also checks regular expressions constructed usingnew RegExp(..). Previously it only checked regular expression literals. - Regular expression-based sanitisers implemented with
new RegExp(..)are now detected in more cases. - Regular expression related queries now account for unknown flags.
- Added taint-steps for
String.prototype.toWellFormed. - Added taint-steps for
Map.groupByandObject.groupBy. - Added taint-steps for
Array.prototype.findLast. - Added taint-steps for
Array.prototype.findLastIndex.
- Added taint-steps for
Array.prototype.with. - Added taint-steps for
Array.prototype.toSpliced - Added taint-steps for
Array.prototype.toReversed. - Added taint-steps for
Array.prototype.toSorted. - Added support for
String.prototype.matchAll. - Added taint-steps for
Array.prototype.reverse
- Added support for custom threat-models, which can be used in most of our taint-tracking queries, see our documentation for more details.
No user-facing changes.
No user-facing changes.
- Deleted the deprecated
isHTMLElementandgetDOMNamepredicates from the JSX library, useisHtmlElementandgetDomNamerespectively instead. - Deleted the deprecated
getPackageJSONpredicate from theSourceMappingCommentclass, useSourceMappingCommentinstead. - Deleted many deprecated directives from the
Stmt.qllfile, use theDirective::module instead. - Deleted the deprecated
YAMLNode,YAMLValue, andYAMLScalarclasses from the YAML libraries, useYamlNode,YamlValue, andYamlScalarrespectively instead. - Deleted the deprecated
getARouteHandlerExprpredicate fromConnect.qll, usegetARouteHandlerNodeinstead. - Deleted the deprecated
getGWTVersionpredicate fromGWT.qll, usegetGwtVersioninstead. - Deleted the deprecated
getOwnOptionsObjectpredicate fromVue.qll, usegetOwnOptions().getASink()instead.
- Added support for TypeScript 5.6.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- Added support for TypeScript 5.5.
- Enabled type-tracking to follow content through array methods
- Improved modeling of
Array.prototype.splicefor when it is called with more than two arguments
No user-facing changes.
No user-facing changes.
- CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
- Additional heuristics for a new sensitive data classification for private information (e.g. credit card numbers) have been added to the shared
SensitiveDataHeuristics.qlllibrary. This may result in additional results for queries that use sensitive data such asjs/clear-text-storage-sensitive-dataandjs/clear-text-logging.
- Fixed a bug where very large TypeScript files would cause database creation to crash. Large files over 10MB were already excluded from analysis, but the file size check was not applied to TypeScript files.
No user-facing changes.
- Deleted the deprecated
getInputpredicate from theCryptographicOperationclass. UsegetAnInputinstead. - Deleted the deprecated
RegExpPatternsmodule fromRegexp.qll. - Deleted the deprecated
semmle/javascript/security/BadTagFilterQuery.qll,semmle/javascript/security/OverlyLargeRangeQuery.qll,semmle/javascript/security/regexp/RegexpMatching.qll, andSecurity/CWE-020/HostnameRegexpShared.qllfiles.
- Improved detection of whether a file uses CommonJS module system.
No user-facing changes.
- Added support for TypeScript 5.4.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data.
No user-facing changes.
- Deleted many deprecated predicates and classes with uppercase
CPU,TLD,SSA,ASMetc. in their names. Use the PascalCased versions instead. - Deleted the deprecated
getMessageSuffixpredicates inCodeInjectionCustomizations.qll. - Deleted the deprecated
semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedData.qllfile. - Deleted the deprecated
getANonHtmlHeaderDefinitionandnonHtmlContentTypeHeaderpredicates fromReflectedXssCustomizations.qll. - Deleted the deprecated
semmle/javascript/security/OverlyLargeRangeQuery.qll,semmle/javascript/security/regexp/ExponentialBackTracking.qll,semmle/javascript/security/regexp/NfaUtils.qll, andsemmle/javascript/security/regexp/NfaUtils.qllfiles. - Deleted the deprecated
Expressions/TypoDatabase.qllfile. - The diagnostic query
js/diagnostics/successfully-extracted-files, and therefore the Code Scanning UI measure of scanned JavaScript and TypeScript files, now considers any JavaScript and TypeScript file seen during extraction, even one with some errors, to be extracted / scanned.
No user-facing changes.
No user-facing changes.
- Added models for the
sqliteandbetter-sqlite3npm packages. - TypeScript 5.3 is now supported.
No user-facing changes.
No user-facing changes.
- The contents of
.jspfiles are now extracted, and any<script>tags inside these files will be parsed as JavaScript. - Import attributes are now supported in JavaScript code.
Note that import attributes are an evolution of an earlier proposal called "import assertions", which were implemented in TypeScript 4.5.
The QL library includes new predicates named
getImportAttributes()that should be used in favor of the now deprecatedgetImportAssertion(); in addition, thegetImportAttributes()method of theDynamicImportExprhas been renamed togetImportOptions(). - Deleted the deprecated
getAnImmediateUse,getAUse,getARhs, andgetAValueReachingRhspredicates from theAPI::Nodeclass. - Deleted the deprecated
mayReferToParameterpredicate fromDataFlow::Node. - Deleted the deprecated
getStaticMethodandgetAStaticMethodpredicates fromDataFlow::ClassNode. - Deleted the deprecated
isLibaryFilepredicate fromClassifyFiles.qll, useisLibraryFileinstead. - Deleted many library models that were build on the AST. Use the new models that are build on the dataflow library instead.
- Deleted the deprecated
semmle.javascript.security.performancefolder, usesemmle.javascript.security.regexpinstead. - Tagged template literals have been added to
DataFlow::CallNode. This allows the analysis to find flow into functions called with a tagged template literal, and the arguments to a tagged template literal are part of the API-graph inApiGraphs.qll.
No user-facing changes.
No user-facing changes.
- Added support for TypeScript 5.2.
No user-facing changes.
- Added
log-injectionas a customizable sink kind for log injection.
No user-facing changes.
- Added models for the Webix Framework.
No user-facing changes.
- Added support for TypeScript 5.1.
- Deleted many deprecated predicates and classes with uppercase
XML,JSON,URL,API, etc. in their names. Use the PascalCased versions instead. - Deleted the deprecated
localTaintSteppredicate fromDataFlow.qll. - Deleted the deprecated
stringStep, andlocalTaintSteppredicates fromTaintTracking.qll. - Deleted many modules that started with a lowercase letter. Use the versions that start with an uppercase letter instead.
- Deleted the deprecated
HtmlInjectionConfigurationandJQueryHtmlOrSelectorInjectionConfigurationclasses fromDomBasedXssQuery.qll, useConfigurationinstead. - Deleted the deprecated
DefiningIdentifierclass and theDefinitions.qllfile it was in. UseSsaDefinitioninstead. - Deleted the deprecated
definitionReaches,localDefinitionReaches,getAPseudoDefinitionInput,nextDefAfter, andlocalDefinitionOverwritespredicates fromDefUse.qll. - Updated the following JavaScript sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
command-line-injectiontocommand-injectioncredentials[kind]tocredentials-kind
- Added a support of sub modules in
node_modules.
- Improved the queries for injection vulnerabilities in GitHub Actions workflows (
js/actions/command-injectionandjs/actions/pull-request-target) and the associated librarysemmle.javascript.Actions. These now support steps defined in composite actions, in addition to steps defined in Actions workflow files. It supports more potentially untrusted input values. Additionally to the shell injections it now also detects injections inactions/github-script. It also detects simple injections from user controlled${{ env.name }}. Additionally to theymlextension now it also supports workflows with theyamlextension.
- The Yaml.qll library was moved into a shared library pack named
codeql/yamlto make it possible for other languages to re-use it. This change should be backwards compatible for existing JavaScript queries.
- Added support for TypeScript 5.0.
router.pushandrouter.replaceinNext.jsare now considered as XSS sink.- The crypto-js module in
CryptoLibraries.qllnow supports progressive hashing with algo.update().
No user-facing changes.
- Deleted the deprecated
getPathandgetFolderpredicates from theXmlFileclass. - Deleted the deprecated
getIdfrom theFunction,NamespaceDefinition, andImportEqualsDeclarationclasses. - Deleted the deprecated
flowsTopredicate from theHTTP::Servers::RequestSourceandHTTP::Servers::ResponseSourceclass. - Deleted the deprecated
getEventNamepredicate from theSocketIO::ReceiveNode,SocketIO::SendNode,SocketIOClient::SendNodeclasses. - Deleted the deprecated
RateLimitedRouteHandlerExprandRouteHandlerExpressionWithRateLimiterclasses. - Import assertions are now supported. Previously this feature was only supported in TypeScript code, but is now supported for plain JavaScript as well and is also accessible in the AST.
- The
CryptographicOperationconcept has been changed to use a range pattern. This is a breaking change and existing implementations ofCryptographicOperationwill need to be updated in order to compile. These implementations can be updated by:- Extending
CryptographicOperation::Rangerather thanCryptographicOperation - Renaming the
getInput()member predicate asgetAnInput() - Implementing the
BlockMode getBlockMode()member predicate. The implementation for this can benone()if the operation is a hashing operation or an encryption operation using a stream cipher.
- Extending
- Added dataflow sources for the express-ws library.
- Added sinks from the
node-ptylibrary to thejs/code-injectionquery.
No user-facing changes.
- Improved support for Restify framework, leading to more results when scanning applications developed with this framework.
- Added support for the Spife framework.
- Deleted the deprecated
Instanceclass from theVuemodule. - Deleted the deprecated
VHtmlSourceWriteclass fromDomBasedXssQuery.qll. - Deleted all the deprecated
[QueryName].qllfiles from thejavascript/ql/lib/semmle/javascript/security/dataflowfolder, use the corresponding[QueryName]Query.qllfiles instead. - The ReDoS libraries in
semmle.code.javascript.security.regexphas been moved to a shared pack inside theshared/folder, and the previous location has been deprecated.
No user-facing changes.
No user-facing changes.
- Added support for TypeScript 4.9.
No user-facing changes.
No user-facing changes.
- Several of the SQL and NoSQL library models have improved, leading to more results for the
js/sql-injectionquery, and in some cases thejs/missing-rate-limitingquery.
-
Many library models have been rewritten to use dataflow nodes instead of the AST. The types of some classes have been changed, and these changes may break existing code. Other classes and predicates have been renamed, in these cases the old name is still available as a deprecated feature.
-
The basetype of the following list of classes has changed from an expression to a dataflow node, and thus code using these classes might break. The fix to these breakages is usually to use
asExpr()to get an expression from a dataflow node, or to use.flow()to get a dataflow node from an expression.- DOM.qll#WebStorageWrite
- CryptoLibraries.qll#CryptographicOperation
- Express.qll#Express::RequestBodyAccess
- HTTP.qll#HTTP::ResponseBody
- HTTP.qll#HTTP::CookieDefinition
- HTTP.qll#HTTP::ServerDefinition
- HTTP.qll#HTTP::RouteSetup
- NoSQL.qll#NoSql::Query
- SQL.qll#SQL::SqlString
- SQL.qll#SQL::SqlSanitizer
- HTTP.qll#ResponseBody
- HTTP.qll#CookieDefinition
- HTTP.qll#ServerDefinition
- HTTP.qll#RouteSetup
- HTTP.qll#HTTP::RedirectInvocation
- HTTP.qll#RedirectInvocation
- Express.qll#Express::RouterDefinition
- AngularJSCore.qll#LinkFunction
- Connect.qll#Connect::StandardRouteHandler
- CryptoLibraries.qll#CryptographicKeyCredentialsExpr
- AWS.qll#AWS::Credentials
- Azure.qll#Azure::Credentials
- Connect.qll#Connect::Credentials
- DigitalOcean.qll#DigitalOcean::Credentials
- Express.qll#Express::Credentials
- NodeJSLib.qll#NodeJSLib::Credentials
- PkgCloud.qll#PkgCloud::Credentials
- Request.qll#Request::Credentials
- ServiceDefinitions.qll#InjectableFunctionServiceRequest
- SensitiveActions.qll#SensitiveVariableAccess
- SensitiveActions.qll#CleartextPasswordExpr
- Connect.qll#Connect::ServerDefinition
- Restify.qll#Restify::ServerDefinition
- Connect.qll#Connect::RouteSetup
- Express.qll#Express::RouteSetup
- Fastify.qll#Fastify::RouteSetup
- Hapi.qll#Hapi::RouteSetup
- Koa.qll#Koa::RouteSetup
- Restify.qll#Restify::RouteSetup
- NodeJSLib.qll#NodeJSLib::RouteSetup
- Express.qll#Express::StandardRouteHandler
- Express.qll#Express::SetCookie
- Hapi.qll#Hapi::RouteHandler
- HTTP.qll#HTTP::Servers::StandardHeaderDefinition
- HTTP.qll#Servers::StandardHeaderDefinition
- Hapi.qll#Hapi::ServerDefinition
- Koa.qll#Koa::AppDefinition
- SensitiveActions.qll#SensitiveCall
- Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- Added support for TypeScript 4.8.
- A model for the
mermaidlibrary has been added. XSS queries can now detect flow through therendermethod of themermaidlibrary.
- Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- The utility files previously in the
semmle.javascript.security.performancepackage have been moved to thesemmle.javascript.security.regexppackage.
The previous files still exist as deprecated aliases.
- Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- Fixed that top-level
for awaitstatements would produce a syntax error. These statements are now parsed correctly.
- The
chownrlibrary is now modeled as a sink for thejs/path-injectionquery. - Improved modeling of sensitive data sources, so common words like
certainandsecretaryare no longer considered a certificate and a secret (respectively). - The
gray-matterlibrary is now modeled as a sink for thejs/code-injectionquery.
- Added support for TypeScript 4.7.
- All new ECMAScript 2022 features are now supported.
- The
isLibaryFilepredicate fromClassifyFiles.qllhas been renamed toisLibraryFileto fix a typo.
- The
ReflectedXss,StoredXss,XssThroughDom, andExceptionXssmodules fromXss.qllhave been deprecated.
Use theCustomizations.qllfile belonging to the query instead.
- The cash library is now modelled as an alias for JQuery.
Sinks and sources from cash should now be handled by all XSS queries. - Added the
Selectionapi as a DOM text source in thejs/xss-through-domquery. - The security queries now recognize drag and drop data as a source, enabling the queries to flag additional alerts.
- The security queries now recognize ClipboardEvent function parameters as a source, enabling the queries to flag additional alerts.
- The following predicates on
API::Nodehave been changed so as not to include the receiver. The receiver should now only be accessed viagetReceiver().getParameter(int i)previously included the receiver wheni = -1getAParameter()previously included the receivergetLastParameter()previously included the receiver for calls with no arguments
- Some predicates from
DefUse.qll,DataFlow.qll,TaintTracking.qll,DOM.qll,Definitions.qllthat weren't used by any query have been deprecated. The documentation for each predicate points to an alternative. - Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- Some modules that started with a lowercase letter have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- Added support for TypeScript 4.6.
- Added sources from the
jsziplibrary to thejs/zipslipquery.
- The
codeql/javascript-upgradesCodeQL pack has been removed. All upgrades scripts have been merged into thecodeql/javascript-allCodeQL pack.
- TypeScript 4.5 is now supported.