JS: Fix template literal detection in string concatination

Author: Napalys

javascript/ql/src/LanguageFeatures/TemplateSyntaxInStringLiteral.ql

@@ -76,9 +76,10 @@ class CandidateStringLiteral extends StringLiteral {
  * ```
  */
 predicate hasObjectProvidingTemplateVariables(CandidateStringLiteral lit) {
-  exists(DataFlow::CallNode call, DataFlow::ObjectLiteralNode obj |
-    call.getAnArgument().getALocalSource() = obj and
-    call.getAnArgument().asExpr() = lit and
+  exists(DataFlow::CallNode call, DataFlow::ObjectLiteralNode obj, DataFlow::Node stringArg |
+    stringArg = [StringConcatenation::getRoot(lit.flow()), lit.flow()] and
+    stringArg = call.getAnArgument() and
+    obj.flowsTo(call.getAnArgument()) and
     forex(string name | name = lit.getAReferencedVariable() | exists(obj.getAPropertyWrite(name)))
   )
 }

javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.expected

@@ -3,7 +3,5 @@
 | TemplateSyntaxInStringLiteral.js:19:11:19:36 | 'global ... alVar}' | This string is not a template literal, but appears to reference the variable $@. | TemplateSyntaxInStringLiteral.js:14:5:14:13 | globalVar | globalVar |
 | TemplateSyntaxInStringLiteral.js:28:15:28:21 | "${x} " | This string is not a template literal, but appears to reference the variable $@. | TemplateSyntaxInStringLiteral.js:25:14:25:14 | x | x |
 | TemplateSyntaxInStringLiteral.js:42:17:42:57 | "Name:  ... oobar}" | This string is not a template literal, but appears to reference the variable $@. | TemplateSyntaxInStringLiteral.js:37:11:37:16 | foobar | foobar |
-| TemplateSyntaxInStringLiteral.js:47:27:47:51 | ") ${ex ...  got (" | This string is not a template literal, but appears to reference the variable $@. | TemplateSyntaxInStringLiteral.js:45:20:45:27 | expected | expected |
-| TemplateSyntaxInStringLiteral.js:47:71:47:83 | ") ${actual}" | This string is not a template literal, but appears to reference the variable $@. | TemplateSyntaxInStringLiteral.js:45:12:45:17 | actual | actual |
 | TemplateSyntaxInStringLiteral.js:62:15:62:29 | "Name: ${name}" | This string is not a template literal, but appears to reference the variable $@. | TemplateSyntaxInStringLiteral.js:61:30:61:33 | name | name |
 | TemplateSyntaxInStringLiteral.js:66:11:66:44 | "Name:  ... {name}" | This string is not a template literal, but appears to reference the variable $@. | TemplateSyntaxInStringLiteral.js:61:30:61:33 | name | name |

javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js

@@ -44,7 +44,7 @@ function foo1() {
 
 function a(actual, expected, description) {
     assert(false, "a", description, "expected (" +
-        typeof expected + ") ${expected} but got (" + typeof actual + ") ${actual}", { // $SPURIOUS:Alert
+        typeof expected + ") ${expected} but got (" + typeof actual + ") ${actual}", {
             expected: expected,
             actual: actual
         });