CodeQL query help for JavaScript and TypeScript
Visit the articles below to see the documentation for the queries included in the following query suites:
- default: queries run by default in CodeQL code scanning on GitHub.
- security-extended: queries from default, plus extra security queries with slightly lower precision and severity.
- security-and-quality: queries from default, security-extended, plus extra maintainability and reliability queries.
These queries are published in the CodeQL query pack codeql/javascript-queries (changelog, source).
For shorter queries that you can use as building blocks when writing your own queries, see the example queries in the CodeQL repository.
- Access to let-bound variable in temporal dead zone
- Arbitrary file access during archive extraction ("Zip Slip")
- Arguments redefined
- Arrow method on Vue instance
- Assignment to constant
- Assignment to exports variable
- Assignment to property of primitive value
- Back reference into negative lookahead assertion
- Back reference precedes capture group
- Bad HTML filtering regexp
- CORS misconfiguration for credentials transfer
- Call to eval-like DOM function
- Case-sensitive middleware path
- Clear text storage of sensitive information
- Clear text transmission of sensitive cookie
- Clear-text logging of sensitive information
- Client-side URL redirect
- Client-side cross-site scripting
- Client-side request forgery
- Code injection
- Comparison between inconvertible types
- Comparison with NaN
- Conditional comments
- Conflicting function declarations
- Conflicting variable initialization
- Creating biased random numbers from a cryptographically secure source
- Cross-window communication with unrestricted target origin
- DOM text reinterpreted as HTML
- Database query built from user-controlled sources
- Default parameter references nested function
- Deleting non-property
- Dependency download using unencrypted communication channel
- Dependency mismatch
- Deserialization of user-controlled data
- Direct state mutation
- Disabling Electron webSecurity
- Disabling SCE
- Disabling certificate validation
- Double compilation
- Double escaping or unescaping
- Download of sensitive file through insecure connection
- Duplicate ‘if’ condition
- Duplicate HTML element attributes
- Duplicate character in character class
- Duplicate dependency
- Duplicate parameter names
- Duplicate property
- Duplicate switch case
- Duplicate variable declaration
- Empty character class
- Empty password in configuration file
- Enabling Electron allowRunningInsecureContent
- Exception text reinterpreted as HTML
- Exposure of private files
- Expression has no effect
- Expression injection in Actions
- Failure to abandon session
- File data in outbound network request
- Hard-coded credentials
- Hard-coded data interpreted as code
- Host header poisoning in email generation
- Identical operands
- Ignoring result from pure array method
- Illegal invocation
- Implicit operand conversion
- Improper code sanitization
- Inclusion of functionality from an untrusted source
- Incompatible dependency injection
- Incomplete HTML attribute sanitization
- Incomplete URL scheme check
- Incomplete URL substring sanitization
- Incomplete multi-character sanitization
- Incomplete regular expression for hostnames
- Incomplete string escaping or encoding
- Inconsistent direction of for loop
- Inconsistent use of ‘new’
- Incorrect suffix check
- Indirect uncontrolled command line
- Ineffective parameter type
- Inefficient regular expression
- Information exposure through a stack trace
- Insecure URL whitelist
- Insecure configuration of Helmet security middleware
- Insecure randomness
- Insecure temporary file
- Invalid prototype value
- Invocation of non-function
- JWT missing secret or public key verification
- Log injection
- Loop bound injection
- Loop iteration skipped due to shifting
- Malformed id attribute
- Misleading indentation after control statement
- Misleading indentation of dangling ‘else’
- Missing ‘.length’ in comparison
- Missing ‘this’ qualifier
- Missing CSRF middleware
- Missing await
- Missing explicit dependency injection
- Missing exports qualifier
- Missing origin verification in postMessage handler
- Missing rate limiting
- Missing regular expression anchor
- Missing space in string concatenation
- Missing variable declaration
- Misspelled variable name
- Network data written to file
- Non-case label in switch statement
- Non-linear pattern
- Off-by-one comparison against length
- Overly permissive regular expression range
- Overwritten property
- Password in configuration file
- Polynomial regular expression used on uncontrolled data
- Potential file system race condition
- Potentially inconsistent state update
- Property access on null or undefined
- Prototype-polluting assignment
- Prototype-polluting function
- Prototype-polluting merge call
- Reflected cross-site scripting
- Regular expression always matches
- Regular expression injection
- Remote property injection
- Repeated dependency injection
- Replacement of a substring with itself
- Resource exhaustion
- Resources exhaustion from deep object traversal
- Return statement assigns local variable
- Second order command injection
- Self assignment
- Semicolon insertion
- Sensitive cookie without SameSite restrictions
- Sensitive data read from GET request
- Sensitive server cookie exposed to the client
- Server crash
- Server-side URL redirect
- Server-side request forgery
- Shell command built from environment values
- Shift out of range
- Storage of sensitive information in GitHub Actions artifact
- Storage of sensitive information in build artifact
- Stored cross-site scripting
- String instead of regular expression
- Superfluous trailing arguments
- Suspicious method name declaration
- Syntax error
- Template Object Injection
- Template syntax in string literal
- Type confusion through parameter tampering
- Unbound back reference
- Unbound event handler receiver
- Unclear precedence of nested operators
- Uncontrolled command line
- Uncontrolled data used in path expression
- Unknown directive
- Unmatchable caret in regular expression
- Unmatchable dollar in regular expression
- Unnecessary use of cat process
- Unneeded defensive code
- Unreachable method overloads
- Unreachable statement
- Unsafe HTML constructed from library input
- Unsafe code constructed from library input
- Unsafe dynamic method access
- Unsafe expansion of self-closing HTML tag
- Unsafe jQuery plugin
- Unsafe shell command constructed from library input
- Unsupported state update in lifecycle method
- Untrusted domain used in script or other content
- Unused index variable
- Unused loop iteration variable
- Unused or undefined state property
- Unused variable, import, function or class
- Unvalidated dynamic method call
- Use of AngularJS markup in URL-valued attribute
- Use of a broken or weak cryptographic algorithm
- Use of a weak cryptographic key
- Use of call stack introspection in strict mode
- Use of externally-controlled format string
- Use of for-in comprehension blocks
- Use of incompletely initialized object
- Use of password hash with insufficient computational effort
- Use of platform-specific language features
- Use of returnless function
- Useless assignment to local variable
- Useless assignment to property
- Useless comparison test
- Useless conditional
- Useless regular-expression character escape
- Useless return in setter
- Useless type test
- User-controlled bypass of security check
- Variable not declared before use
- Whitespace contradicts operator precedence
- With statement
- Wrong use of ‘this’ for static method
- XML external entity expansion
- XML internal entity expansion
- XPath injection
- Yield in non-generator function