Merge pull request #2235 from max-schaefer/js/issue-2233

Approved by esbena

Author: semmle-qlci

change-notes/1.23/analysis-javascript.md

@@ -44,6 +44,7 @@
 | Stored cross-site scripting (`js/stored-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. |
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now treats responses from servers as untrusted. |
 | Uncontrolled data used in path expression (`js/path-injection`) | Fewer false-positive results | This query now recognizes calls to Express `sendFile` as safe in some cases. |
+| Unknown directive (`js/unknown-directive`) | Fewer false positive results | This query no longer flags uses of ":", which is sometimes used like a directive. |
 
 ## Changes to QL libraries
 

javascript/ql/src/Expressions/UnknownDirective.ql

@@ -13,6 +13,8 @@ import javascript
 from Directive d
 where
   not d instanceof KnownDirective and
+  // ignore ":" pseudo-directive sometimes seen in dual-use shell/node.js scripts
+  not d.getExpr().getStringValue() = ":" and
   // but exclude attribute top-levels: `<a href="javascript:'some-attribute-string'">`
   not d.getParent() instanceof CodeInAttribute
 select d, "Unknown directive: '" + truncate(d.getDirectiveText(), 20, " ... (truncated)") + "'."

javascript/ql/test/query-tests/Expressions/UnknownDirective/dual-use.js

@@ -0,0 +1,4 @@
+#!/bin/sh
+":" //# ; exec /usr/bin/env node "$0" "$@"
+
+console.log('javascript');