JS: Restrict ExtendCall flow in proto pollution query

Author: asgerf

javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll

@@ -57,6 +57,18 @@ class Configuration extends TaintTracking::Configuration {
     node = NodeJSLib::Path::moduleMember(["join", "normalize", "relative", "resolve"]).getACall()
   }
 
+  override predicate isSanitizerEdge(
+    DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel lbl
+  ) {
+    // Suppress the value-preserving step src -> dst in `extend(dst, src)`. This is modeled as a value-preserving
+    // step because it preserves all properties, but the destination is not actually Object.prototype.
+    exists(ExtendCall call |
+      pred = call.getASourceOperand() and
+      succ = call.getDestinationOperand().getALocalSource() and
+      lbl instanceof ObjectPrototype
+    )
+  }
+
   override predicate isAdditionalFlowStep(
     DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
   ) {