JS: Actually don't propagate into array element 0

Preserving tainted-url-suffix into array element 0 seemed like a good idea, but didn't work out so well.

Author: asgerf

javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffix.qll

@@ -53,14 +53,18 @@ module TaintedUrlSuffix {
    * This handles steps through string operations, promises, URL parsers, and URL accessors.
    */
   predicate step(Node src, Node dst, FlowLabel srclbl, FlowLabel dstlbl) {
+    // Transition from tainted-url-suffix to general taint when entering the second array element
+    // of a split('#') or split('?') array.
+    //
+    //   x [tainted-url-suffix] --> x.split('#') [array element 1] [taint]
+    //
+    // Technically we should also preverse tainted-url-suffix when entering the first array element of such
+    // a split, but this mostly leads to FPs since we currently don't track if the taint has been through URI-decoding.
+    // (The query/fragment parts are often URI-decoded in practice, but not the other URL parts are not)
     srclbl = label() and
     dstlbl.isTaint() and
     DataFlowPrivate::optionalStep(src, "split-url-suffix-post", dst)
     or
-    srclbl = label() and
-    dstlbl = label() and
-    DataFlowPrivate::optionalStep(src, "split-url-suffix-pre", dst)
-    or
     // Transition from URL suffix to full taint when extracting the query/fragment part.
     srclbl = label() and
     dstlbl.isTaint() and

javascript/ql/test/library-tests/TaintedUrlSuffix/tst.js

@@ -5,14 +5,14 @@ function t1() {
 
     sink(href); // $ flow=tainted-url-suffix
 
-    sink(href.split('#')[0]); // $ flow=tainted-url-suffix
+    sink(href.split('#')[0]); // could be 'tainted-url-suffix', but omitted due to FPs from URI-encoding
     sink(href.split('#')[1]); // $ flow=taint
-    sink(href.split('#').pop()); // $ flow=taint flow=tainted-url-suffix
+    sink(href.split('#').pop()); // $ flow=taint
     sink(href.split('#')[2]); // $ MISSING: flow=taint // currently the split() summary only propagates to index 1
 
-    sink(href.split('?')[0]); // $ flow=tainted-url-suffix
+    sink(href.split('?')[0]);
     sink(href.split('?')[1]); // $ flow=taint
-    sink(href.split('?').pop()); // $ flow=taint flow=tainted-url-suffix
+    sink(href.split('?').pop()); // $ flow=taint
     sink(href.split('?')[2]); // $ MISSING: flow=taint
 
     sink(href.split(blah())[0]); // $ flow=tainted-url-suffix