Merge pull request #150 from asger-semmle/ts-asi-bug

Approved by xiemaisi

Author: semmle-qlci

change-notes/1.18/analysis-javascript.md

@@ -107,9 +107,12 @@
 | Hard-coded credentials | More true-positive results | This rule now recognizes secret cryptographic keys. |
 | Incomplete string escaping or encoding | Better name, more true-positive results | This rule has been renamed to more clearly reflect its purpose. Also, it now recognizes incomplete URL encoding and decoding. |
 | Insecure randomness | More true-positive results | This rule now recognizes secret cryptographic keys. |
+| Misleading indentation after control statement | Fewer results | This rule temporarily ignores TypeScript files. |
 | Missing rate limiting | More true-positive results, fewer false-positive results | This rule now recognizes additional rate limiters and expensive route handlers. | 
 | Missing X-Frame-Options HTTP header | Fewer false-positive results | This rule now treats header names case-insensitively. |
+| Omitted array element | Fewer results | This rule temporarily ignores TypeScript files. |
 | Reflected cross-site scripting | Fewer false-positive results | This rule now treats header names case-insensitively. |
+| Semicolon insertion | Fewer results | This rule temporarily ignores TypeScript files. |
 | Server-side URL redirect | More true-positive results | This rule now treats header names case-insensitively. |
 | Superfluous trailing arguments | Fewer false-positive results | This rule now ignores calls to some empty functions. |
 | Type confusion through parameter tampering | Fewer false-positive results | This rule no longer flags emptiness checks. |

javascript/ql/src/LanguageFeatures/EmptyArrayInit.ql

@@ -45,4 +45,5 @@ class OmittedArrayElement extends ArrayExpr {
 }
 
 from OmittedArrayElement ae
+where not ae.getFile().getFileType().isTypeScript() // ignore quirks in TypeScript tokenizer
 select ae, "Avoid omitted array elements."

javascript/ql/src/LanguageFeatures/SemicolonInsertion.ql

@@ -36,7 +36,8 @@ where s.hasSemicolonInserted() and
       asi = strictcount(Stmt ss | asi(sc, ss, true)) and
       nstmt = strictcount(Stmt ss | asi(sc, ss, _)) and
       perc = ((1-asi/nstmt)*100).floor() and
-      perc >= 90
+      perc >= 90 and
+      not s.getFile().getFileType().isTypeScript() // ignore some quirks in the TypeScript tokenizer
 select (LastLineOf)s, "Avoid automated semicolon insertion " +
                       "(" + perc + "% of all statements in $@ have an explicit semicolon).",
                       sc, "the enclosing " + sctype

javascript/ql/src/Statements/MisleadingIndentationAfterControlStmt.ql

@@ -39,6 +39,7 @@ where misleadingIndentationCandidate(ctrl, s1, s2) and
       f.hasIndentation(ctrlStartLine, indent, _) and
       f.hasIndentation(startLine1, indent, _) and
       f.hasIndentation(startLine2, indent, _) and
-      not s2 instanceof EmptyStmt
+      not s2 instanceof EmptyStmt and
+      not f.getFileType().isTypeScript() // ignore quirks in TypeScript tokenizer
 select (FirstLineOf)s2, "The indentation of this statement suggests that it is controlled by $@, while in fact it is not.",
             (FirstLineOf)ctrl, "this statement"

javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/template_literal.ts

@@ -0,0 +1,12 @@
+function foo(arg) {
+  console.log(arg);
+  console.log(arg);
+  console.log(arg);
+  console.log(arg);
+  console.log(arg);
+  console.log(arg);
+  console.log(arg);
+  console.log(arg);
+  console.log(arg);
+  console.log(`Unknown option '${arg}'.`);
+}