Added toSpliced as part ArraySliceStep and ArraySpliceStep, fixed tests from 2d9bc43

Author: Napalys

javascript/ql/lib/semmle/javascript/Arrays.qll

@@ -86,7 +86,8 @@ module ArrayTaintTracking {
     succ.(DataFlow::SourceNode).getAMethodCall("splice") = call
     or
     // `e = array.pop()`, `e = array.shift()`, or similar: if `array` is tainted, then so is `e`.
-    call.(DataFlow::MethodCallNode).calls(pred, ["pop", "shift", "slice", "splice", "at", "toSpliced"]) and
+    call.(DataFlow::MethodCallNode)
+        .calls(pred, ["pop", "shift", "slice", "splice", "at", "toSpliced"]) and
     succ = call
     or
     // `e = Array.from(x)`: if `x` is tainted, then so is `e`.
@@ -283,7 +284,7 @@ private module ArrayDataFlow {
   private class ArraySpliceStep extends PreCallGraphStep {
     override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
       exists(DataFlow::MethodCallNode call |
-        call.getMethodName() = "splice" and
+        call.getMethodName() = ["splice", "toSpliced"] and
         prop = arrayElement() and
         element = call.getArgument(any(int i | i >= 2)) and
         call = obj.getAMethodCall()
@@ -297,7 +298,7 @@ private module ArrayDataFlow {
       toProp = arrayElement() and
       // `array.splice(i, del, ...arr)` variant
       exists(DataFlow::MethodCallNode mcn |
-        mcn.getMethodName() = "splice" and
+        mcn.getMethodName() = ["splice", "toSpliced"] and
         pred = mcn.getASpreadArgument() and
         succ = mcn.getReceiver().getALocalSource()
       )
@@ -320,12 +321,12 @@ private module ArrayDataFlow {
   }
 
   /**
-   * A step for modeling that elements from an array `arr` also appear in the result from calling `slice`/`splice`/`filter`.
+   * A step for modeling that elements from an array `arr` also appear in the result from calling `slice`/`splice`/`filter`/`toSpliced`.
    */
   private class ArraySliceStep extends PreCallGraphStep {
     override predicate loadStoreStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
       exists(DataFlow::MethodCallNode call |
-        call.getMethodName() = ["slice", "splice", "filter"] and
+        call.getMethodName() = ["slice", "splice", "filter", "toSpliced"] and
         prop = arrayElement() and
         pred = call.getReceiver() and
         succ = call

javascript/ql/test/library-tests/Arrays/DataFlow.expected

@@ -13,6 +13,7 @@
 | arrays.js:2:16:2:23 | "source" | arrays.js:86:8:86:35 | arrayFi ... llback) |
 | arrays.js:2:16:2:23 | "source" | arrays.js:90:10:90:10 | x |
 | arrays.js:2:16:2:23 | "source" | arrays.js:93:8:93:17 | arr.at(-1) |
+| arrays.js:2:16:2:23 | "source" | arrays.js:109:8:109:24 | arr8_spread.pop() |
 | arrays.js:18:22:18:29 | "source" | arrays.js:18:50:18:50 | e |
 | arrays.js:22:15:22:22 | "source" | arrays.js:23:8:23:17 | arr2.pop() |
 | arrays.js:25:15:25:22 | "source" | arrays.js:26:8:26:17 | arr3.pop() |
@@ -22,3 +23,5 @@
 | arrays.js:29:21:29:28 | "source" | arrays.js:50:8:50:17 | arr6.pop() |
 | arrays.js:33:37:33:44 | "source" | arrays.js:35:8:35:25 | arr4_variant.pop() |
 | arrays.js:53:4:53:11 | "source" | arrays.js:54:10:54:18 | ary.pop() |
+| arrays.js:99:31:99:38 | "source" | arrays.js:100:8:100:17 | arr8.pop() |
+| arrays.js:103:55:103:62 | "source" | arrays.js:105:8:105:25 | arr8_variant.pop() |

javascript/ql/test/library-tests/Arrays/TaintFlow.expected

@@ -14,6 +14,7 @@
 | arrays.js:2:16:2:23 | "source" | arrays.js:86:8:86:35 | arrayFi ... llback) |
 | arrays.js:2:16:2:23 | "source" | arrays.js:90:10:90:10 | x |
 | arrays.js:2:16:2:23 | "source" | arrays.js:93:8:93:17 | arr.at(-1) |
+| arrays.js:2:16:2:23 | "source" | arrays.js:109:8:109:24 | arr8_spread.pop() |
 | arrays.js:18:22:18:29 | "source" | arrays.js:18:50:18:50 | e |
 | arrays.js:22:15:22:22 | "source" | arrays.js:23:8:23:17 | arr2.pop() |
 | arrays.js:25:15:25:22 | "source" | arrays.js:26:8:26:17 | arr3.pop() |
@@ -26,3 +27,5 @@
 | arrays.js:53:4:53:11 | "source" | arrays.js:55:10:55:12 | ary |
 | arrays.js:95:9:95:16 | "source" | arrays.js:95:8:95:34 | ["sourc ... ) => x) |
 | arrays.js:96:9:96:16 | "source" | arrays.js:96:8:96:36 | ["sourc ... => !!x) |
+| arrays.js:99:31:99:38 | "source" | arrays.js:100:8:100:17 | arr8.pop() |
+| arrays.js:103:55:103:62 | "source" | arrays.js:105:8:105:25 | arr8_variant.pop() |

javascript/ql/test/library-tests/Arrays/arrays.js

@@ -97,14 +97,14 @@
 
   var arr8 = [];
   arr8 = arr8.toSpliced(0, 0, "source");
-  sink(arr8.pop()); // NOT OK -- Should be considered tainted, but it is not
+  sink(arr8.pop()); // NOT OK
 
   var arr8_variant = [];
   arr8_variant = arr8_variant.toSpliced(0, 0, "safe", "source");
   arr8_variant.pop();
-  sink(arr8_variant.pop()); // NOT OK -- Should be considered tainted, but it is not
+  sink(arr8_variant.pop()); // NOT OK
 
   var arr8_spread = [];
   arr8_spread = arr8_spread.toSpliced(0, 0, ...arr);
-  sink(arr8_spread.pop()); // NOT OK -- Should be considered tainted, but it is not
+  sink(arr8_spread.pop()); // NOT OK
 });