Commit 6908c54

author
Esben Sparre Andreasen
committed
JS: change notes
1 parent 364ba1b commit 6908c54

1 file changed

+8
-3
lines changed

change-notes/1.21/analysis-javascript.md

Lines changed: 8 additions & 3 deletions
@@ -17,10 +17,15 @@
1717

1818
| **Query** | **Expected impact** | **Change** |
1919
|--------------------------------|------------------------------|---------------------------------------------------------------------------|
20-
| Expression has no effect | Fewer false-positive results | This rule now treats uses of `Object.defineProperty` more conservatively. |
21-
| Useless assignment to property | Fewer false-positive results | This rule now ignores reads of additional getters. |
2220
| Arbitrary file write during zip extraction ("Zip Slip") | More results | This rule now considers more libraries, including tar as well as zip. |
23-
| Client-side URL redirect | Fewer false-positive results | This rule now treats URLs as safe in more cases where the hostname cannot be tampered with. |
21+
| Client-side URL redirect | More results and fewer false-positive results | This rule now recognizes additional uses of the document URL. This rule now treats URLs as safe in more cases where the hostname cannot be tampered with. |
22+
| Double escaping or unescaping | More results | This rule now considers the flow of regular expressions literals. |
23+
| Expression has no effect | Fewer false-positive results | This rule now treats uses of `Object.defineProperty` more conservatively. |
24+
| Incomplete string escaping or encoding | More results | This rule now considers the flow of regular expressions literals. |
25+
| Replacement of a substring with itself | More results | This rule now considers the flow of regular expressions literals. |
2426
| Server-side URL redirect | Fewer false-positive results | This rule now treats URLs as safe in more cases where the hostname cannot be tampered with. |
27+
| Useless assignment to property | Fewer false-positive results | This rule now ignore reads of additional getters. |
2528

2629
## Changes to QL libraries
30+
31+
* `RegExpLiteral` is now a `DataFlow::SourceNode`.
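
Review bot: The re-added "Useless assignment to property" row reads "This rule now ignore reads of additional getters", which drops the "s" that the removed line had ("ignores"); restore it. The three added rows for "Double escaping or unescaping", "Incomplete string escaping or encoding" and "Replacement of a substring with itself" all say "regular expressions literals", which should be "regular expression literals". The "Client-side URL redirect" row now puts two changes in one cell under "More results and fewer false-positive results"; consider wording it so it is clear that recognizing additional uses of the document URL is what adds results and the hostname handling is what removes false positives, since people triaging redirect alerts after upgrading will want to know why their counts moved.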
