• CodeQL query help documentation »

CodeQL query help for JavaScript

Visit the articles below to see the documentation for the queries included in the following query suites:

• code-scanning: queries run by default in CodeQL code scanning on GitHub.

• security-extended: queries from code-scanning, plus extra security queries with slightly lower precision and severity.

• security-and-quality: queries from code-scanning, security-extended, plus extra maintainability and reliability queries.

For shorter queries that you can use as building blocks when writing your own queries, see the example queries in the CodeQL repository.

• Access to let-bound variable in temporal dead zone
• Arbitrary file write during zip extraction (”Zip Slip”)
• Arguments redefined
• Arrow method on Vue instance
• Assignment to constant
• Assignment to exports variable
• Assignment to property of primitive value
• Back reference into negative lookahead assertion
• Back reference precedes capture group
• Bad HTML filtering regexp
• CORS misconfiguration for credentials transfer
• Call to eval-like DOM function
• Clear text storage of sensitive information
• Clear text transmission of sensitive cookie
• Clear-text logging of sensitive information
• Client-side URL redirect
• Client-side cross-site scripting
• Code injection
• Comparison between inconvertible types
• Comparison with NaN
• Conditional comments
• Conflicting function declarations
• Conflicting variable initialization
• Creating biased random numbers from a cryptographically secure source.
• Cross-window communication with unrestricted target origin
• DOM text reinterpreted as HTML
• Database query built from user-controlled sources
• Default parameter references nested function
• Deleting non-property
• Dependency mismatch
• Deserialization of user-controlled data
• Direct state mutation
• Disabling Electron webSecurity
• Disabling SCE
• Disabling certificate validation
• Double compilation
• Double escaping or unescaping
• Download of sensitive file through insecure connection
• Duplicate ‘if’ condition
• Duplicate HTML element attributes
• Duplicate character in character class
• Duplicate dependency
• Duplicate parameter names
• Duplicate property
• Duplicate switch case
• Duplicate variable declaration
• Empty character class
• Enabling Electron allowRunningInsecureContent
• Exception text reinterpreted as HTML
• Exposure of private files
• Expression has no effect
• Failure to abandon session
• File data in outbound network request
• Hard-coded credentials
• Hard-coded data interpreted as code
• Host header poisoning in email generation
• Identical operands
• Ignoring result from pure array method
• Illegal invocation
• Implicit operand conversion
• Improper code sanitization
• Incompatible dependency injection
• Incomplete HTML attribute sanitization
• Incomplete URL scheme check
• Incomplete URL substring sanitization
• Incomplete multi-character sanitization
• Incomplete regular expression for hostnames
• Incomplete string escaping or encoding
• Inconsistent direction of for loop
• Inconsistent use of ‘new’
• Incorrect suffix check
• Indirect uncontrolled command line
• Ineffective parameter type
• Inefficient regular expression
• Information exposure through a stack trace
• Insecure URL whitelist
• Insecure randomness
• Invalid prototype value
• Invocation of non-function
• Lines of code in files
• Lines of commented-out code in files
• Lines of comments in files
• Log injection
• Loop bound injection
• Loop iteration skipped due to shifting
• Malformed id attribute
• Misleading indentation after control statement
• Misleading indentation of dangling ‘else’
• Missing ‘.length’ in comparison
• Missing ‘this’ qualifier
• Missing CSRF middleware
• Missing await
• Missing explicit dependency injection
• Missing exports qualifier
• Missing rate limiting
• Missing regular expression anchor
• Missing space in string concatenation
• Missing variable declaration
• Misspelled variable name
• Network data written to file
• Non-case label in switch statement
• Non-linear pattern
• Number of tests
• Off-by-one comparison against length
• Overwritten property
• Password in configuration file
• Polynomial regular expression used on uncontrolled data
• Potentially inconsistent state update
• Potentially unsafe external link
• Property access on null or undefined
• Prototype-polluting assignment
• Prototype-polluting function
• Prototype-polluting merge call
• Reflected cross-site scripting
• Regular expression always matches
• Regular expression injection
• Remote property injection
• Repeated dependency injection
• Replacement of a substring with itself
• Resources exhaustion from deep object traversal
• Return statement assigns local variable
• Self assignment
• Semicolon insertion
• Sensitive data read from GET request
• Sensitive server cookie exposed to the client
• Server crash
• Server-side URL redirect
• Shell command built from environment values
• Shift out of range
• Storage of sensitive information in build artifact
• Stored cross-site scripting
• String instead of regular expression
• Superfluous trailing arguments
• Suspicious method name declaration
• Syntax error
• Template Object Injection
• Template syntax in string literal
• Type confusion through parameter tampering
• Unbound back reference
• Unbound event handler receiver
• Unclear precedence of nested operators
• Uncontrolled command line
• Uncontrolled data used in network request
• Uncontrolled data used in path expression
• Unknown directive
• Unmatchable caret in regular expression
• Unmatchable dollar in regular expression
• Unnecessary use of cat process
• Unneeded defensive code
• Unreachable method overloads
• Unreachable statement
• Unsafe HTML constructed from library input
• Unsafe dynamic method access
• Unsafe expansion of self-closing HTML tag
• Unsafe jQuery plugin
• Unsafe shell command constructed from library input
• Unsupported state update in lifecycle method
• Unused index variable
• Unused loop iteration variable
• Unused or undefined state property
• Unused variable, import, function or class
• Unvalidated dynamic method call
• Use of AngularJS markup in URL-valued attribute
• Use of a broken or weak cryptographic algorithm
• Use of a weak cryptographic key
• Use of call stack introspection in strict mode
• Use of externally-controlled format string
• Use of for-in comprehension blocks
• Use of incompletely initialized object
• Use of password hash with insufficient computational effort
• Use of platform-specific language features
• Use of returnless function
• Useless assignment to local variable
• Useless assignment to property
• Useless comparison test
• Useless conditional
• Useless regular-expression character escape
• Useless return in setter
• Useless type test
• User-controlled bypass of security check
• Variable not declared before use
• Whitespace contradicts operator precedence
• With statement
• Wrong use of ‘this’ for static method
• XML external entity expansion
• XML internal entity expansion
• XPath injection
• Yield in non-generator function

• © GitHub, Inc.
• Terms
• Privacy