add urlSuffix support to DomBasedXSS

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll

@@ -23,5 +23,33 @@ module DomBasedXss {
       or
       node instanceof Sanitizer
     }
+
+    override predicate isAdditionalLoadStoreStep(
+      DataFlow::Node pred, DataFlow::Node succ, string predProp, string succProp
+    ) {
+      exists(DataFlow::PropRead read |
+        pred = read.getBase() and
+        succ = read and
+        read.getPropertyName() = "hash" and
+        predProp = "hash" and
+        succProp = urlSuffixPseudoProperty()
+      )
+    }
+
+    override predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+      exists(DataFlow::MethodCallNode call, string name |
+        name = "substr" or name = "substring" or name = "slice"
+      |
+        call.getMethodName() = name and
+        not call.getArgument(0).getIntValue() = 0 and
+        pred = call.getReceiver() and
+        succ = call and
+        prop = urlSuffixPseudoProperty()
+      )
+    }
+  }
+
+  private string urlSuffixPseudoProperty() {
+    result = "$UrlSuffix$"
   }
 }