Skip to main content

JavaScript and TypeScript queries for CodeQL analysis

Explore the queries that CodeQL uses to analyze code written in JavaScript or TypeScript when you select the default or the security-extended query suite.

Who can use this feature?

Code scanning is available for organization-owned repositories in GitHub Enterprise Server. This feature requires a license for GitHub Advanced Security. For more information, see "About GitHub Advanced Security."

CodeQL includes many queries for analyzing JavaScript and TypeScript code. All queries in the default query suite are run by default. If you choose to use the security-extended query suite, additional queries are run. For more information, see "CodeQL query suites."

Built-in queries for JavaScript and TypeScript analysis

This table lists the queries available with the latest release of the CodeQL action and CodeQL CLI. For more information, see CodeQL change logs in the CodeQL documentation site.

Note: The initial release of GitHub Enterprise Server 3.12 included CodeQL action and CodeQL CLI 2.15.5, which may not include all of these queries. Your site administrator can update your CodeQL version to a newer release. For more information, see "Configuring code scanning for your appliance."

Query nameRelated CWEsDefaultExtendedAutofix
Arbitrary file access during archive extraction ("Zip Slip")022
Bad HTML filtering regexp020, 080, 116, 184, 185, 186
Case-sensitive middleware path178
Clear text storage of sensitive information312, 315, 359
Clear text transmission of sensitive cookie614, 311, 312, 319
Clear-text logging of sensitive information312, 359, 532
Client-side cross-site scripting079, 116
Client-side URL redirect079, 116, 601
Code injection094, 095, 079, 116
CORS misconfiguration for credentials transfer346, 639, 942
Creating biased random numbers from a cryptographically secure source327
Cross-window communication with unrestricted target origin201, 359
Database query built from user-controlled sources089, 090, 943
Dependency download using unencrypted communication channel300, 319, 494, 829
Deserialization of user-controlled data502
Disabling certificate validation295, 297
Disabling Electron webSecurity79
Disabling SCE116
DOM text reinterpreted as HTML079, 116
Double compilation1176
Double escaping or unescaping116, 020
Download of sensitive file through insecure connection829
Enabling Electron allowRunningInsecureContent494
Exception text reinterpreted as HTML079, 116
Exposure of private files200, 219, 548
Expression injection in Actions094
Hard-coded credentials259, 321, 798
Host header poisoning in email generation640
Improper code sanitization094, 079, 116
Inclusion of functionality from an untrusted source830
Incomplete HTML attribute sanitization079, 116, 020
Incomplete multi-character sanitization020, 080, 116
Incomplete regular expression for hostnames020
Incomplete string escaping or encoding020, 080, 116
Incomplete URL scheme check020, 184
Incomplete URL substring sanitization020
Incorrect suffix check020
Inefficient regular expression1333, 730, 400
Information exposure through a stack trace209, 497
Insecure randomness338
Insecure URL whitelist183, 625
JWT missing secret or public key verification347
Loop bound injection834, 730
Missing CSRF middleware352
Missing rate limiting770, 307, 400
Overly permissive regular expression range020
Polynomial regular expression used on uncontrolled data1333, 730, 400
Prototype-polluting assignment078, 079, 094, 400, 471, 915
Prototype-polluting function078, 079, 094, 400, 471, 915
Prototype-polluting merge call078, 079, 094, 400, 471, 915
Reflected cross-site scripting079, 116
Regular expression injection730, 400
Replacement of a substring with itself116
Resource exhaustion400, 770
Resources exhaustion from deep object traversal400
Second order command injection078, 088
Sensitive data read from GET request598
Sensitive server cookie exposed to the client1004
Server crash248, 730
Server-side request forgery918
Server-side URL redirect601
Shell command built from environment values078, 088
Storage of sensitive information in build artifact312, 315, 359
Stored cross-site scripting079, 116
Template Object Injection073, 094
Type confusion through parameter tampering843
Uncontrolled command line078, 088
Uncontrolled data used in path expression022, 023, 036, 073, 099
Unnecessary use of cat process078
Unsafe dynamic method access094
Unsafe expansion of self-closing HTML tag079, 116
Unsafe HTML constructed from library input079, 116
Unsafe jQuery plugin079, 116
Unsafe shell command constructed from library input078, 088
Unvalidated dynamic method call754
Use of a broken or weak cryptographic algorithm327, 328
Use of a weak cryptographic key326
Use of externally-controlled format string134
Use of password hash with insufficient computational effort916
Useless regular-expression character escape020
XML external entity expansion611, 827
XML internal entity expansion776, 400
XPath injection643
Client-side request forgery918
Empty password in configuration file258, 862
Failure to abandon session384
File data in outbound network request200
Hard-coded data interpreted as code506
Indirect uncontrolled command line078, 088
Insecure temporary file377, 378
Log injection117
Missing origin verification in postMessage handler020, 940
Missing regular expression anchor020
Network data written to file912, 434
Password in configuration file256, 260, 313, 522
Potential file system race condition367
Remote property injection250, 400
Sensitive cookie without SameSite restrictions1275
Unsafe code constructed from library input094, 079, 116
User-controlled bypass of security check807, 290