Merge branch 'master' into csharp/maybe-null-path-query

Author: hvitved

change-notes/1.20/analysis-csharp.md

@@ -17,6 +17,7 @@
 
 ## Changes to code extraction
 
+* Fix extraction of `for` statements where the condition declares new variables using `is`.
 * Initializers of `stackalloc` arrays are now extracted.
 
 ## Changes to QL libraries

change-notes/1.20/analysis-javascript.md

@@ -2,7 +2,7 @@
 
 ## General improvements
 
-* Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features:
+* Support for popular libraries has been improved. Consequently, queries may produce better results on code bases that use the following features:
   - client-side code, for example [React](https://reactjs.org/)
   - cookies and webstorage, for example [js-cookie](https://github.com/js-cookie/js-cookie)
   - server-side code, for example [hapi](https://hapijs.com/)
@@ -15,6 +15,7 @@
 | **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |
 |-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Double escaping or unescaping (`js/double-escaping`) | correctness, security, external/cwe/cwe-116 | Highlights potential double escaping or unescaping of special characters, indicating a possible violation of [CWE-116](https://cwe.mitre.org/data/definitions/116.html). Results are shown on LGTM by default. |
+| Incomplete regular expression for hostnames (`js/incomplete-hostname-regexp`) | correctness, security, external/cwe/cwe-020 |  Highlights hostname sanitizers that are likely to be incomplete, indicating a violation of [CWE-020](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default.|
 | Incomplete URL substring sanitization | correctness, security, external/cwe/cwe-020 | Highlights URL sanitizers that are likely to be incomplete, indicating a violation of [CWE-020](https://cwe.mitre.org/data/definitions/20.html). Results shown on LGTM by default. |
 | Incorrect suffix check (`js/incorrect-suffix-check`) | correctness, security, external/cwe/cwe-020 | Highlights error-prone suffix checks based on `indexOf`, indicating a potential violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default. |
 | Useless comparison test (`js/useless-comparison-test`) | correctness | Highlights code that is unreachable due to a numeric comparison that is always true or always false. Results are shown on LGTM by default. |
@@ -23,9 +24,11 @@
 
 | **Query**                                  | **Expected impact**          | **Change**                                                                   |
 |--------------------------------------------|------------------------------|------------------------------------------------------------------------------|
-| Client-side cross-site scripting           | More results                 | This rule now recognizes WinJS functions that are vulnerable to HTML injection. |
+| Client-side cross-site scripting           | More true-positive results, fewer false-positive results.                 | This rule now recognizes WinJS functions that are vulnerable to HTML injection, and no longer flags certain safe uses of jQuery. |
 | Insecure randomness | More results | This rule now flags insecure uses of `crypto.pseudoRandomBytes`. |
+| Uncontrolled data used in network request  | More results                 | This rule now recognizes host values that are vulnerable to injection. |
 | Unused parameter                           | Fewer false-positive results | This rule no longer flags parameters with leading underscore. |
 | Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that are implictly used by JSX elements, and no longer flags variables with leading underscore. |
+| Uncontrolled data used in path expression | Fewer false-positive results | This rule now recognizes the Express `root` option, which prevents path traversal. |
 
 ## Changes to QL libraries

cpp/ql/src/semmle/code/cpp/security/CommandExecution.qll

@@ -159,17 +159,6 @@ predicate shellCommandPreface(string cmd, string flag) {
   )
 }
 
-/**
- * An array element. This supports multiple kinds of array syntax.
- */
-private predicate arrayElement(Expr arrayLit, int idx, Expr element) {
-  exists (ArrayLiteral lit | lit = arrayLit |
-    lit.getElement(idx) = element)
-  or exists (MessageExpr arrayWithObjects | arrayWithObjects = arrayLit |
-    arrayWithObjects.getStaticTarget().getQualifiedName().matches("NSArray%::+arrayWithObjects:") and
-    arrayWithObjects.getArgument(idx) = element)
-}
-
 /**
  * A command that is used as a command, or component of a command,
  * that will be executed by a general-purpose command interpreter

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs

@@ -117,17 +117,19 @@ public static ExprKind UnaryOperatorKind(Context cx, ExprKind originalKind, Expr
         public void OperatorCall(ExpressionSyntax node)
         {
             var @operator = cx.GetSymbolInfo(node);
-            var method = @operator.Symbol as IMethodSymbol;
-
-            if (GetCallType(cx, node) == CallType.Dynamic)
+            if (@operator.Symbol is IMethodSymbol method)
             {
-                UserOperator.OperatorSymbol(method.Name, out string operatorName);
-                cx.Emit(Tuples.dynamic_member_name(this, operatorName));
-                return;
-            }
 
-            if (method != null)
+                var callType = GetCallType(cx, node);
+                if (callType == CallType.Dynamic)
+                {
+                    UserOperator.OperatorSymbol(method.Name, out string operatorName);
+                    cx.Emit(Tuples.dynamic_member_name(this, operatorName));
+                    return;
+                }
+
                 cx.Emit(Tuples.expr_call(this, Method.Create(cx, method)));
+            }
         }
 
         public enum CallType
@@ -148,12 +150,9 @@ public static CallType GetCallType(Context cx, ExpressionSyntax node)
         {
             var @operator = cx.GetSymbolInfo(node);
 
-            if (@operator.Symbol != null)
+            if (@operator.Symbol is IMethodSymbol method)
             {
-                var method = @operator.Symbol as IMethodSymbol;
-
-                var containingSymbol = method.ContainingSymbol as ITypeSymbol;
-                if (containingSymbol != null && containingSymbol.TypeKind == Microsoft.CodeAnalysis.TypeKind.Dynamic)
+                if (method.ContainingSymbol is ITypeSymbol containingSymbol && containingSymbol.TypeKind == Microsoft.CodeAnalysis.TypeKind.Dynamic)
                 {
                     return CallType.Dynamic;
                 }