JavaScript: Add change note and comment.

jcreedcmu · jcreedcmu · commit 8124980f5859 · 2019-03-15T09:32:39.000-04:00
diff --git a/change-notes/1.21/analysis-javascript.md b/change-notes/1.21/analysis-javascript.md
@@ -19,5 +19,6 @@
 |--------------------------------|------------------------------|---------------------------------------------------------------------------|
 | Expression has no effect       | Fewer false-positive results | This rule now treats uses of `Object.defineProperty` more conservatively. |
 | Useless assignment to property | Fewer false-positive results | This rule now ignore reads of additional getters. |
+| ZipSlip                        | More results                 | This rule now considers more libraries, including tar as well as zip. |
 
 ## Changes to QL libraries
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ZipSlip.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ZipSlip.qll
@@ -60,7 +60,11 @@ module ZipSlip {
   }
 
   /** Gets a property that is used to get the filename part of an archive entry. */
-  private string getAFilenameProperty() { result = "path" or result = "name" }
+  private string getAFilenameProperty() {
+    result = "path" // Used by library 'unzip'.
+    or
+    result = "name" // Used by library 'tar-stream'.
+  }
 
   /** An archive entry path access, as a source for unsafe archive extraction. */
   class UnzipEntrySource extends Source {
