cklin
diff --git a/‎javascript/ql/lib/semmle/javascript/Arrays.qll
Lines changed: 3 additions & 3 deletions b/‎javascript/ql/lib/semmle/javascript/Arrays.qll
Lines changed: 3 additions & 3 deletions
diff --git a/‎javascript/ql/test/library-tests/Arrays/DataFlow.expected
Lines changed: 1 addition & 0 deletions b/‎javascript/ql/test/library-tests/Arrays/DataFlow.expected
Lines changed: 1 addition & 0 deletions
diff --git a/‎javascript/ql/test/library-tests/Arrays/arrays.js
Lines changed: 2 additions & 0 deletions b/‎javascript/ql/test/library-tests/Arrays/arrays.js
Lines changed: 2 additions & 0 deletions
@@ -75,7 +75,7 @@ module ArrayTaintTracking {
     succ.(DataFlow::SourceNode).getAMethodCall("splice") = call
     or
     // `e = array.pop()`, `e = array.shift()`, or similar: if `array` is tainted, then so is `e`.
-    call.(DataFlow::MethodCallNode).calls(pred, ["pop", "shift", "slice", "splice"]) and
+    call.(DataFlow::MethodCallNode).calls(pred, ["pop", "shift", "slice", "splice", "at"]) and
     succ = call
     or
     // `e = Array.from(x)`: if `x` is tainted, then so is `e`.
@@ -199,13 +199,13 @@ private module ArrayDataFlow {
   }
 
   /**
-   * A step for retrieving an element from an array using `.pop()` or `.shift()`.
+   * A step for retrieving an element from an array using `.pop()`, `.shift()`, or `.at()`.
    * E.g. `array.pop()`.
    */
   private class ArrayPopStep extends DataFlow::SharedFlowStep {
     override predicate loadStep(DataFlow::Node obj, DataFlow::Node element, string prop) {
       exists(DataFlow::MethodCallNode call |
-        call.getMethodName() = ["pop", "shift"] and
+        call.getMethodName() = ["pop", "shift", "at"] and
         prop = arrayElement() and
         obj = call.getReceiver() and
         element = call
 
@@ -11,6 +11,7 @@
 | arrays.js:2:16:2:23 | "source" | arrays.js:74:8:74:29 | arr.fin ... llback) |
 | arrays.js:2:16:2:23 | "source" | arrays.js:77:8:77:35 | arrayFi ... llback) |
 | arrays.js:2:16:2:23 | "source" | arrays.js:81:10:81:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:84:8:84:17 | arr.at(-1) |
 | arrays.js:18:22:18:29 | "source" | arrays.js:18:50:18:50 | e |
 | arrays.js:22:15:22:22 | "source" | arrays.js:23:8:23:17 | arr2.pop() |
 | arrays.js:25:15:25:22 | "source" | arrays.js:26:8:26:17 | arr3.pop() |
 
@@ -80,4 +80,6 @@
   for (const x of uniq(arr)) {
     sink(x); // NOT OK
   }
+
+  sink(arr.at(-1)); // NOT OK
 });
Original file line number	Diff line number	Diff line change
`@@ -80,4 +80,6 @@`
`80`	`80`	`for (const x of uniq(arr)) {`
`81`	`81`	`sink(x); // NOT OK`
`82`	`82`	`}`
	`83`	`+`
	`84`	`+ sink(arr.at(-1)); // NOT OK`
`83`	`85`	`});`