restrict the number of stored array elements

Author: erik-krogh

javascript/ql/src/semmle/javascript/Arrays.qll

@@ -253,14 +253,10 @@ private module ArrayDataFlow {
    */
   private class ArrayCreationStep extends DataFlow::AdditionalFlowStep, DataFlow::ArrayCreationNode {
     override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
-      prop = arrayElement() and
-      element = this.getAnElement() and
-      obj = this
-      or
       exists(int i |
         element = this.getElement(i) and
         obj = this and
-        prop = i.toString()
+        prop = arrayElement(i)
       )
     }
   }

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

@@ -607,6 +607,16 @@ module PseudoProperties {
    */
   string arrayElement() { result = pseudoProperty("arrayElement") }
 
+  /**
+   * Gets a pseudo-property for the location of the `i`th element in an `Array`.
+   */
+  bindingset[i]
+  string arrayElement(int i) {
+    i < 5 and result = i.toString()
+    or
+    result = arrayElement()
+  }
+
   /**
    * Gets a pseudo-property for the location of elements in some array-like object. (Set, Array, or Iterator).
    */