Added underscore.string clearsContent.

Co-authored-by: Asgerf <[email protected]>

Author: Napalys

javascript/ql/lib/javascript.qll

@@ -143,3 +143,4 @@ import semmle.javascript.linters.ESLint
 import semmle.javascript.linters.JSLint
 import semmle.javascript.linters.Linting
 import semmle.javascript.security.dataflow.RemoteFlowSources
+import semmle.javascript.frameworks.UnderscoreDotString

javascript/ql/lib/semmle/javascript/frameworks/UnderscoreDotString.qll

@@ -0,0 +1,25 @@
+/**
+ * Provides classes for modeling data flow behavior of the Underscore.string library (https://www.npmjs.com/package/underscore.string).
+ */
+
+private import javascript
+private import semmle.javascript.dataflow.internal.AdditionalFlowInternal
+
+/**
+ * Models data flow for the Underscore.string library.
+ */
+private class UnderscoreDotString extends AdditionalFlowInternal {
+  /**
+   * Holds if a call to an Underscore.string method clears array element content of the receiver.
+   */
+  override predicate clearsContent(DataFlow::Node node, DataFlow::ContentSet contents) {
+    exists(DataFlow::CallNode call |
+      call =
+        ModelOutput::getATypeNode(["'underscore.string'.Wrapper", "'underscore.string'"])
+            .getAMember()
+            .getACall() and
+      node = call.getReceiver().getPostUpdateNode() and
+      contents = DataFlow::ContentSet::arrayElement()
+    )
+  }
+}

javascript/ql/test/library-tests/TripleDot/underscore.string.js

@@ -11,7 +11,7 @@ function strToStr() {
   sink(s.unescapeHTML(source("s8"))); // $ hasTaintFlow=s8
   sink(s.wrap(source("s9"), {})); // $ hasTaintFlow=s9
   sink(s.dedent(source("s10"), "  ")); // $ hasTaintFlow=s10
-  sink(s.reverse(source("s11"))); // $ hasTaintFlow=s11 SPURIOUS: hasTaintFlow=s8
+  sink(s.reverse(source("s11"))); // $ hasTaintFlow=s11
   sink(s.pred(source("s12"))); // $ hasTaintFlow=s12
   sink(s.succ(source("s13"))); // $ hasTaintFlow=s13
   sink(s.titleize(source("s14"))); // $ hasTaintFlow=s14
@@ -60,7 +60,7 @@ function multiSource() {
   sink(s.join(",", source("s5"), "str")); // $ hasTaintFlow=s5
   sink(s.join(",", "str", source("s6"))); // $ hasTaintFlow=s6
 
-  sink(s.splice(source("s7"), 1, 2, "str")); // $ hasTaintFlow=s7 SPURIOUS: hasTaintFlow=s8
+  sink(s.splice(source("s7"), 1, 2, "str")); // $ hasTaintFlow=s7
   sink(s.splice("str", 1, 2, source("s8"))); // $ hasTaintFlow=s8
 
   sink(s.prune(source("s9"), 1, "additional")); // $ hasTaintFlow=s9