github
diff --git a/‎change-notes/1.26/analysis-cpp.md‎
Lines changed: 1 addition & 0 deletions b/‎change-notes/1.26/analysis-cpp.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎change-notes/1.26/analysis-javascript.md‎
Lines changed: 10 additions & 0 deletions b/‎change-notes/1.26/analysis-javascript.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.cpp‎
Lines changed: 2 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.cpp‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/Include.qll‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/src/semmle/code/cpp/Include.qll‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/ql/src/semmle/code/cpp/Parameter.qll‎
Lines changed: 4 additions & 3 deletions b/‎cpp/ql/src/semmle/code/cpp/Parameter.qll‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/controlflow/Dereferenced.qll‎
Lines changed: 11 additions & 33 deletions b/‎cpp/ql/src/semmle/code/cpp/controlflow/Dereferenced.qll‎
Lines changed: 11 additions & 33 deletions
@@ -26,5 +26,6 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
 * The models library now models many taint flows through `std::istream` and `std::ostream`.
 * The models library now models some taint flows through `std::shared_ptr`, `std::unique_ptr`, `std::make_shared` and `std::make_unique`.
 * The models library now models many taint flows through `std::pair`, `std::map`, `std::unordered_map`, `std::set` and `std::unordered_set`.
+* The models library now models `bcopy`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
   `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.
@@ -2,10 +2,15 @@
 
 ## General improvements
 
+* Angular-specific taint sources and sinks are now recognized by the security queries.
+
 * Support for the following frameworks and libraries has been improved:
+  - [@angular/*](https://www.npmjs.com/package/@angular/core)
   - [AWS Serverless](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html)
   - [Alibaba Serverless](https://www.alibabacloud.com/help/doc-detail/156876.htm)
+  - [debounce](https://www.npmjs.com/package/debounce)
   - [bluebird](https://www.npmjs.com/package/bluebird)
+  - [call-limit](https://www.npmjs.com/package/call-limit)
   - [express](https://www.npmjs.com/package/express)
   - [fast-json-stable-stringify](https://www.npmjs.com/package/fast-json-stable-stringify)
   - [fast-safe-stringify](https://www.npmjs.com/package/fast-safe-stringify)
@@ -15,11 +20,15 @@
   - [json-stable-stringify](https://www.npmjs.com/package/json-stable-stringify)
   - [json-stringify-safe](https://www.npmjs.com/package/json-stringify-safe)
   - [json3](https://www.npmjs.com/package/json3)
+  - [jQuery throttle / debounce](https://github.com/cowboy/jquery-throttle-debounce)
   - [lodash](https://www.npmjs.com/package/lodash)
+  - [lodash.debounce](https://www.npmjs.com/package/lodash.debounce)
+  - [lodash.throttle](https://www.npmjs.com/package/lodash.throttle)
   - [needle](https://www.npmjs.com/package/needle)
   - [object-inspect](https://www.npmjs.com/package/object-inspect)
   - [pretty-format](https://www.npmjs.com/package/pretty-format)
   - [stringify-object](https://www.npmjs.com/package/stringify-object)
+  - [throttle-debounce](https://www.npmjs.com/package/throttle-debounce)
   - [underscore](https://www.npmjs.com/package/underscore)
 
 * Analyzing files with the ".cjs" extension is now supported.
@@ -43,6 +52,7 @@
 | Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | More results | This query now detects more unsafe uses of nested option properties. |
 | Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | More results | This query now recognizes some unsafe uses of `importScripts()` inside WebWorkers. |
 | Missing CSRF middleware (`js/missing-token-validation`) | More results | This query now recognizes writes to cookie and session variables as potentially vulnerable to CSRF attacks. |
+| Missing CSRF middleware (`js/missing-token-validation`) | Fewer results | This query now recognizes more ways of protecting against CSRF attacks. |
 
 
 ## Changes to libraries
 
@@ -4,3 +4,5 @@ long j = i * i; //Wrong: due to overflow on the multiplication between ints,
 
 long k = (long) i * i; //Correct: the multiplication is done on longs instead of ints, 
                        //and will not overflow
+
+long l = static_cast<long>(i) * i; //Correct: modern C++
@@ -21,7 +21,7 @@ class Include extends PreprocessorDirective, @ppd_include {
 
   /**
    * Gets the token which occurs after `#include`, for example `"filename"`
-   * or `&lt;filename>`.
+   * or `<filename>`.
    */
   string getIncludeText() { result = getHead() }
 
 
@@ -36,7 +36,7 @@ class Parameter extends LocalScopeVariable, @parameter {
    *  1. The name given to the parameter at the function's definition or
    *     (for catch block parameters) at the catch block.
    *  2. A name given to the parameter at a function declaration.
-   *  3. The name "p#i" where i is the index of the parameter.
+   *  3. The name "(unnamed parameter i)" where i is the index of the parameter.
    */
   override string getName() {
     exists(VariableDeclarationEntry vde |
@@ -46,7 +46,7 @@ class Parameter extends LocalScopeVariable, @parameter {
     )
     or
     not exists(getANamedDeclarationEntry()) and
-    result = "p#" + this.getIndex().toString()
+    result = "(unnamed parameter " + this.getIndex().toString() + ")"
   }
 
   override string getAPrimaryQlClass() { result = "Parameter" }
@@ -111,7 +111,8 @@ class Parameter extends LocalScopeVariable, @parameter {
    * Holds if this parameter has a name.
    *
    * In other words, this predicate holds precisely when the result of
-   * `getName()` is not "p#i" (where `i` is the index of the parameter).
+   * `getName()` is not "(unnamed parameter i)" (where `i` is the index
+   * of the parameter).
    */
   predicate isNamed() { exists(getANamedDeclarationEntry()) }
 
 
@@ -4,47 +4,25 @@
 
 import cpp
 import Nullness
+import semmle.code.cpp.models.interfaces.ArrayFunction
 
 /**
  * Holds if the call `fc` will dereference argument `i`.
  */
 predicate callDereferences(FunctionCall fc, int i) {
-  exists(string name |
-    fc.getTarget().hasGlobalOrStdName(name) and
+  exists(ArrayFunction af |
+    fc.getTarget() = af and
     (
-      name = "bcopy" and i in [0 .. 1]
-      or
-      name = "memcpy" and i in [0 .. 1]
-      or
-      name = "memmove" and i in [0 .. 1]
-      or
-      name = "strcpy" and i in [0 .. 1]
-      or
-      name = "strncpy" and i in [0 .. 1]
-      or
-      name = "strdup" and i = 0
-      or
-      name = "strndup" and i = 0
-      or
-      name = "strlen" and i = 0
-      or
-      name = "printf" and fc.getArgument(i).getType() instanceof PointerType
-      or
-      name = "fprintf" and fc.getArgument(i).getType() instanceof PointerType
-      or
-      name = "sprintf" and fc.getArgument(i).getType() instanceof PointerType
-      or
-      name = "snprintf" and fc.getArgument(i).getType() instanceof PointerType
-      or
-      name = "vprintf" and fc.getArgument(i).getType() instanceof PointerType
-      or
-      name = "vfprintf" and fc.getArgument(i).getType() instanceof PointerType
-      or
-      name = "vsprintf" and fc.getArgument(i).getType() instanceof PointerType
-      or
-      name = "vsnprintf" and fc.getArgument(i).getType() instanceof PointerType
+      af.hasArrayInput(i) or
+      af.hasArrayOutput(i)
     )
   )
+  or
+  exists(FormattingFunction ff |
+    fc.getTarget() = ff and
+    i >= ff.getFirstFormatArgumentIndex() and
+    fc.getArgument(i).getType() instanceof PointerType
+  )
 }
 
 /**