- Added a new query, `js/insecure-helmet-configuration`, to detect instances where Helmet middleware is configured with important security features disabled.
- Added a new query, `js/functionality-from-untrusted-domain`, which detects uses in HTML and JavaScript of scripts from untrusted domains, including the `polyfill.io` content delivery network. It can be extended to detect other compromised scripts using user-provided data extensions of the `untrustedDomain` predicate, which takes one string argument with the domain to warn on (and will warn on any subdomains too).
- Modified the existing query, `js/functionality-from-untrusted-source`, so that the new query can be added while reusing the same logic.
- Added the ability to use data extensions to require SRI on CDN hostnames using the `isCdnDomainWithCheckingRequired` predicate, which takes one string argument of the full hostname to require SRI for.
- Created a new library, `semmle.javascript.security.FunctionalityFromUntrustedSource`, to support both queries.
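The two extensible predicates above are populated through CodeQL data extensions. The following file is an added example, not part of this changelog or of the CodeQL repository: it shows one row for `untrustedDomain` and two rows for `isCdnDomainWithCheckingRequired`. The pack name `codeql/javascript-all` and the sample domains are assumptions; the column shapes (one string each) follow the entries above.

```yaml
# Added example data extension (not from the changelog or the CodeQL repo).
# Ship it in a model pack (listed in qlpack.yml under `dataExtensions:`)
# or pass that pack with `codeql database analyze --model-packs=...`.
# The pack name below and the example domains are assumptions.
extensions:
  - addsTo:
      pack: codeql/javascript-all
      extensible: untrustedDomain
    data:
      # One string column: the domain to warn on. The predicate also
      # matches subdomains, so this row covers e.g.
      # static.compromised-cdn.test as well as compromised-cdn.test.
      - ["compromised-cdn.test"]

  - addsTo:
      pack: codeql/javascript-all
      extensible: isCdnDomainWithCheckingRequired
    data:
      # One string column: the *full* hostname for which an SRI
      # `integrity` attribute is required on loaded scripts. Unlike
      # untrustedDomain, each hostname must be listed explicitly.
      - ["cdn.example.test"]
      - ["assets.example.test"]
```

Note the asymmetry when writing rows: `untrustedDomain` is a suffix match over subdomains, so listing a bare registrable domain is enough, whereas `isCdnDomainWithCheckingRequired` is keyed on the exact hostname, so a CDN that serves from several hostnames needs one row per hostname.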