github
diff --git a/‎change-notes/1.20/analysis-csharp.md‎
Lines changed: 1 addition & 0 deletions b/‎change-notes/1.20/analysis-csharp.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎change-notes/1.20/analysis-javascript.md‎
Lines changed: 5 additions & 2 deletions b/‎change-notes/1.20/analysis-javascript.md‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/Macro.qll‎
Lines changed: 23 additions & 7 deletions b/‎cpp/ql/src/semmle/code/cpp/Macro.qll‎
Lines changed: 23 additions & 7 deletions
diff --git a/‎csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs‎
Lines changed: 1 addition & 1 deletion b/‎csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs‎
Lines changed: 1 addition & 1 deletion b/‎csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs‎
Lines changed: 6 additions & 5 deletions b/‎csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs‎
Lines changed: 12 additions & 13 deletions b/‎csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs‎
Lines changed: 12 additions & 13 deletions
@@ -17,6 +17,7 @@
 
 ## Changes to code extraction
 
+* Fix extraction of `for` statements where the condition declares new variables using `is`.
 * Initializers of `stackalloc` arrays are now extracted.
 
 ## Changes to QL libraries
 
@@ -2,7 +2,7 @@
 
 ## General improvements
 
-* Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features:
+* Support for popular libraries has been improved. Consequently, queries may produce better results on code bases that use the following features:
   - client-side code, for example [React](https://reactjs.org/)
   - cookies and webstorage, for example [js-cookie](https://github.com/js-cookie/js-cookie)
   - server-side code, for example [hapi](https://hapijs.com/)
@@ -18,15 +18,18 @@
 | Incomplete regular expression for hostnames (`js/incomplete-hostname-regexp`) | correctness, security, external/cwe/cwe-020 |  Highlights hostname sanitizers that are likely to be incomplete, indicating a violation of [CWE-020](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default.|
 | Incomplete URL substring sanitization | correctness, security, external/cwe/cwe-020 | Highlights URL sanitizers that are likely to be incomplete, indicating a violation of [CWE-020](https://cwe.mitre.org/data/definitions/20.html). Results shown on LGTM by default. |
 | Incorrect suffix check (`js/incorrect-suffix-check`) | correctness, security, external/cwe/cwe-020 | Highlights error-prone suffix checks based on `indexOf`, indicating a potential violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default. |
+| Loop iteration skipped due to shifting (`js/loop-iteration-skipped-due-to-shifting`) | correctness | Highlights code that removes an element from an array while iterating over it, causing the loop to skip over some elements. Results are shown on LGTM by default. |
 | Useless comparison test (`js/useless-comparison-test`) | correctness | Highlights code that is unreachable due to a numeric comparison that is always true or always false. Results are shown on LGTM by default. |
 
 ## Changes to existing queries
 
 | **Query**                                  | **Expected impact**          | **Change**                                                                   |
 |--------------------------------------------|------------------------------|------------------------------------------------------------------------------|
-| Client-side cross-site scripting           | More results                 | This rule now recognizes WinJS functions that are vulnerable to HTML injection. |
+| Client-side cross-site scripting           | More true-positive results, fewer false-positive results.                 | This rule now recognizes WinJS functions that are vulnerable to HTML injection, and no longer flags certain safe uses of jQuery. |
 | Insecure randomness | More results | This rule now flags insecure uses of `crypto.pseudoRandomBytes`. |
+| Uncontrolled data used in network request  | More results                 | This rule now recognizes host values that are vulnerable to injection. |
 | Unused parameter                           | Fewer false-positive results | This rule no longer flags parameters with leading underscore. |
 | Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that are implictly used by JSX elements, and no longer flags variables with leading underscore. |
+| Uncontrolled data used in path expression | Fewer false-positive results | This rule now recognizes the Express `root` option, which prevents path traversal. |
 
 ## Changes to QL libraries
@@ -55,10 +55,18 @@ class Macro extends PreprocessorDirective, @ppd_define {
 }
 
 /**
- * A macro access (macro expansion or other macro access).
+ * A macro access.  For example:
+ * ```
+ * #ifdef MACRO1     // this line contains a MacroAccess
+ *   int x = MACRO2; // this line contains a MacroAccess
+ * #endif
+ * ```
+ * 
+ * See also `MacroInvocation`, which represents only macro accesses
+ * that are expanded (such as in the second line of the example above).
  */
 class MacroAccess extends Locatable, @macroinvocation {
-  /** Gets the macro being invoked. */
+  /** Gets the macro that is being accessed. */
   Macro getMacro() { macroinvocations(underlyingElement(this),unresolveElement(result),_,_) }
 
   /**
@@ -73,7 +81,7 @@ class MacroAccess extends Locatable, @macroinvocation {
   }
 
   /**
-   * Gets the location of this macro invocation. For a nested invocation, where
+   * Gets the location of this macro access. For a nested access, where
    * `exists(this.getParentInvocation())`, this yields a location either inside
    * a `#define` directive or inside an argument to another macro.
    */
@@ -126,14 +134,22 @@ class MacroAccess extends Locatable, @macroinvocation {
 
   override string toString() { result = this.getMacro().getHead() }
 
-  /** Gets the name of the invoked macro. */
+  /** Gets the name of the accessed macro. */
   string getMacroName() {
     result = getMacro().getName()
   }
 }
 
 /**
- * A macro invocation (macro expansion).
+ * A macro invocation (macro access that is expanded).  For example:
+ * ```
+ * #ifdef MACRO1
+ *   int x = MACRO2; // this line contains a MacroInvocation
+ * #endif
+ * ```
+ * 
+ * See also `MacroAccess`, which also represents macro accesses where the macro
+ * is checked but not expanded (such as in the first line of the example above).
  */
 class MacroInvocation extends MacroAccess {
   MacroInvocation() {
@@ -174,7 +190,7 @@ class MacroInvocation extends MacroAccess {
   /**
    * Gets the top-level expression associated with this macro invocation,
    * if any. Note that this predicate will fail if the top-level expanded
-   * element is a statement rather than an expression.
+   * element is not an expression (for example if it is a statement).
    */
   Expr getExpr() {
     result = getAnExpandedElement() and
@@ -185,7 +201,7 @@ class MacroInvocation extends MacroAccess {
   /**
    * Gets the top-level statement associated with this macro invocation, if
    * any. Note that this predicate will fail if the top-level expanded
-   * element is an expression rather than a statement.
+   * element is not a statement (for example if it is an expression).
    */
   Stmt getStmt() {
     result = getAnExpandedElement() and
 
@@ -58,7 +58,7 @@ public override void Populate()
             }
             else
             {
-                Context.ModelError(symbol, "Undhandled accessor kind");
+                Context.ModelError(symbol, "Unhandled accessor kind");
                 return;
             }
 
 
@@ -118,7 +118,7 @@ public override IId Id
                     if (symbol.IsStatic) tb.Append("static");
                     tb.Append(ContainingType);
                     AddParametersToId(Context, tb, symbol);
-                    tb.Append("; constructor");
+                    tb.Append(";constructor");
                 });
             }
         }
 
@@ -30,12 +30,13 @@ public override void Populate()
             Context.Emit(Tuples.events(this, symbol.GetName(), ContainingType, type.TypeRef, Create(Context, symbol.OriginalDefinition)));
 
             var adder = symbol.AddMethod;
-            if (adder != null)
-                EventAccessor.Create(Context, adder);
-
             var remover = symbol.RemoveMethod;
-            if (remover != null)
-                EventAccessor.Create(Context, remover);
+
+            if (!(adder is null))
+                Method.Create(Context, adder);
+
+            if (!(remover is null))
+                Method.Create(Context, remover);
 
             ExtractModifiers();
             BindComments();
 
@@ -117,17 +117,19 @@ public static ExprKind UnaryOperatorKind(Context cx, ExprKind originalKind, Expr
         public void OperatorCall(ExpressionSyntax node)
         {
             var @operator = cx.GetSymbolInfo(node);
-            var method = @operator.Symbol as IMethodSymbol;
-
-            if (GetCallType(cx, node) == CallType.Dynamic)
+            if (@operator.Symbol is IMethodSymbol method)
             {
-                UserOperator.OperatorSymbol(method.Name, out string operatorName);
-                cx.Emit(Tuples.dynamic_member_name(this, operatorName));
-                return;
-            }
 
-            if (method != null)
+                var callType = GetCallType(cx, node);
+                if (callType == CallType.Dynamic)
+                {
+                    UserOperator.OperatorSymbol(method.Name, out string operatorName);
+                    cx.Emit(Tuples.dynamic_member_name(this, operatorName));
+                    return;
+                }
+
                 cx.Emit(Tuples.expr_call(this, Method.Create(cx, method)));
+            }
         }
 
         public enum CallType
@@ -148,12 +150,9 @@ public static CallType GetCallType(Context cx, ExpressionSyntax node)
         {
             var @operator = cx.GetSymbolInfo(node);
 
-            if (@operator.Symbol != null)
+            if (@operator.Symbol is IMethodSymbol method)
             {
-                var method = @operator.Symbol as IMethodSymbol;
-
-                var containingSymbol = method.ContainingSymbol as ITypeSymbol;
-                if (containingSymbol != null && containingSymbol.TypeKind == Microsoft.CodeAnalysis.TypeKind.Dynamic)
+                if (method.ContainingSymbol is ITypeSymbol containingSymbol && containingSymbol.TypeKind == Microsoft.CodeAnalysis.TypeKind.Dynamic)
                 {
                     return CallType.Dynamic;
                 }
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ public override void Populate()`
`58`	`58`	`}`
`59`	`59`	`else`
`60`	`60`	`{`
`61`		`- Context.ModelError(symbol, "Undhandled accessor kind");`
	`61`	`+ Context.ModelError(symbol, "Unhandled accessor kind");`
`62`	`62`	`return;`
`63`	`63`	`}`
`64`	`64`
Original file line number	Diff line number	Diff line change
`@@ -118,7 +118,7 @@ public override IId Id`
`118`	`118`	`if (symbol.IsStatic) tb.Append("static");`
`119`	`119`	`tb.Append(ContainingType);`
`120`	`120`	`AddParametersToId(Context, tb, symbol);`
`121`		`- tb.Append("; constructor");`
	`121`	`+ tb.Append(";constructor");`
`122`	`122`	`});`
`123`	`123`	`}`
`124`	`124`	`}`
Original file line number	Diff line number	Diff line change
`@@ -117,17 +117,19 @@ public static ExprKind UnaryOperatorKind(Context cx, ExprKind originalKind, Expr`
`117`	`117`	`public void OperatorCall(ExpressionSyntax node)`
`118`	`118`	`{`
`119`	`119`	`var @operator = cx.GetSymbolInfo(node);`
`120`		`- var method = @operator.Symbol as IMethodSymbol;`
`121`		`-`
`122`		`- if (GetCallType(cx, node) == CallType.Dynamic)`
	`120`	`+ if (@operator.Symbol is IMethodSymbol method)`
`123`	`121`	`{`
`124`		`- UserOperator.OperatorSymbol(method.Name, out string operatorName);`
`125`		`- cx.Emit(Tuples.dynamic_member_name(this, operatorName));`
`126`		`- return;`
`127`		`- }`
`128`	`122`
`129`		`- if (method != null)`
	`123`	`+ var callType = GetCallType(cx, node);`
	`124`	`+ if (callType == CallType.Dynamic)`
	`125`	`+ {`
	`126`	`+ UserOperator.OperatorSymbol(method.Name, out string operatorName);`
	`127`	`+ cx.Emit(Tuples.dynamic_member_name(this, operatorName));`
	`128`	`+ return;`
	`129`	`+ }`
	`130`	`+`
`130`	`131`	`cx.Emit(Tuples.expr_call(this, Method.Create(cx, method)));`
	`132`	`+ }`
`131`	`133`	`}`
`132`	`134`
`133`	`135`	`public enum CallType`
`@@ -148,12 +150,9 @@ public static CallType GetCallType(Context cx, ExpressionSyntax node)`
`148`	`150`	`{`
`149`	`151`	`var @operator = cx.GetSymbolInfo(node);`
`150`	`152`
`151`		`- if (@operator.Symbol != null)`
	`153`	`+ if (@operator.Symbol is IMethodSymbol method)`
`152`	`154`	`{`
`153`		`- var method = @operator.Symbol as IMethodSymbol;`
`154`		`-`
`155`		`- var containingSymbol = method.ContainingSymbol as ITypeSymbol;`
`156`		`- if (containingSymbol != null && containingSymbol.TypeKind == Microsoft.CodeAnalysis.TypeKind.Dynamic)`
	`155`	`+ if (method.ContainingSymbol is ITypeSymbol containingSymbol && containingSymbol.TypeKind == Microsoft.CodeAnalysis.TypeKind.Dynamic)`
`157`	`156`	`{`
`158`	`157`	`return CallType.Dynamic;`
`159`	`158`	`}`