CodeQL 2.8.2 (2022-02-28)¶

Add more classes to Netty request/response splitting. Change identification to java/netty-http-request-or-response-splitting. Identify request splitting differently from response splitting in query results. Support additional classes:

• io.netty.handler.codec.http.CombinedHttpHeaders

• io.netty.handler.codec.http.DefaultHttpRequest

• io.netty.handler.codec.http.DefaultFullHttpRequest

Added dataflow through the snapdragon library.

A new query titled “Local information disclosure in a temporary directory” (java/local-temp-file-or-directory-information-disclosure) has been added. This query finds uses of APIs that leak potentially sensitive information to other local users via the system temporary directory. This query was originally submitted as query by @JLLeitschuh.

A new query, js/functionality-from-untrusted-source, has been added to the query suite. It finds DOM elements that load functionality from untrusted sources, like script or iframe elements using http links. The query is run by default.

The query “LDAP query built from user-controlled sources” (py/ldap-injection) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @jorgectf.

The query “Log Injection” (py/log-injection) has been promoted from experimental to the main query pack. Its results will now appear when security-extended is used. This query was originally submitted as an experimental query by @haby0.

Added a new query, rb/clear-text-logging-sensitive-data. The query finds cases where sensitive information, such as user credentials, are logged as cleartext.

The precision of hardcoded credentials queries (cs/hardcoded-credentials and cs/hardcoded-connection-string-credentials) have been downgraded to medium.

The js/request-forgery query previously flagged both server-side and client-side request forgery, but these are now handled by two different queries:

• js/request-forgery is now specific to server-side request forgery. Its precision has been raised to high and is now shown by default (it was previously in the security-extended suite).

• js/client-side-request-forgery is specific to client-side request forgery. This is technically a new query but simply flags a subset of what the old query did. This has precision medium and is part of the security-extended suite.

The CodeDuplication.Copy, CodeDuplication.DuplicateBlock, and CodeDuplication.SimilarBlock classes have been deprecated.

Added FileSystemWriteAccess concept to model data written to the filesystem.

The old points-to based modeling has been deprecated. Use the new type-tracking/API-graphs based modeling instead.

Added a isStructuredBinding predicate to the Variable class which holds when the variable is declared as part of a structured binding declaration.

Added predicates ClassOrInterface.getAPermittedSubtype and isSealed exposing information about sealed classes.