JS: Fix: Ensure toSpliced is flagged by taint tracking in test suite (ed44358)

Author: Napalys

javascript/ql/lib/semmle/javascript/Arrays.qll

@@ -81,6 +81,11 @@ module ArrayTaintTracking {
     pred = call.getArgument(any(int i | i >= 2)) and
     succ.(DataFlow::SourceNode).getAMethodCall("splice") = call
     or
+    // `array.toSpliced(x, y, source())`: if `source()` is tainted, then so is the result of `toSpliced`, but not the original array.
+    call.(DataFlow::MethodCallNode).getMethodName() = "toSpliced" and
+    pred = call.getArgument(any(int i | i >= 2)) and
+    succ = call
+    or
     // `array.splice(i, del, ...e)`: if `e` is tainted, then so is `array`.
     pred = call.getASpreadArgument() and
     succ.(DataFlow::SourceNode).getAMethodCall("splice") = call

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -23,6 +23,8 @@ typeInferenceMismatch
 | array-mutation.js:31:33:31:40 | source() | array-mutation.js:32:8:32:8 | h |
 | array-mutation.js:35:36:35:43 | source() | array-mutation.js:36:8:36:8 | i |
 | array-mutation.js:39:17:39:24 | source() | array-mutation.js:40:8:40:8 | j |
+| array-mutation.js:43:36:43:43 | source() | array-mutation.js:45:8:45:15 | kSpliced |
+| array-mutation.js:48:25:48:32 | source() | array-mutation.js:49:8:49:8 | l |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:17:8:17:13 | arr[1] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:22:8:22:13 | arr[6] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:27:8:27:13 | arr[0] |

javascript/ql/test/library-tests/TaintTracking/array-mutation.js

@@ -42,11 +42,11 @@ function test(x, y) {
   let k = [];
   let kSpliced = k.toSpliced(x, y, source());
   sink(k); // OK
-  sink(kSpliced); // NOT OK -- This should be caught, but it is not
+  sink(kSpliced); // NOT OK
 
   let l = [];
   l = l.toSpliced(x, y, source());
-  sink(l); // NOT OK -- This should be caught, but it is not
+  sink(l); // NOT OK
 
   let m = [];
   m = m.toSpliced(q, source(), y);