JS: Handle Array.prototype.toString calls

Author: asgerf

javascript/ql/lib/semmle/javascript/internal/flow_summaries/AmbiguousCoreMethods.qll

@@ -157,7 +157,11 @@ class Values extends SummarizedCallable {
 class ToString extends SummarizedCallable {
   ToString() { this = "Object#toString / Array#toString" }
 
-  override DataFlow::MethodCallNode getACallSimple() { result.getMethodName() = "toString" }
+  override InstanceCall getACallSimple() {
+    result.(DataFlow::MethodCallNode).getMethodName() = "toString"
+    or
+    result = arrayConstructorRef().getAPropertyRead("prototype").getAMemberCall("toString")
+  }
 
   override predicate propagatesFlow(string input, string output, boolean preservesValue) {
     preservesValue = false and

javascript/ql/test/library-tests/TripleDot/arrays.js

@@ -41,5 +41,5 @@ function implicitToString() {
     sink(array.toString()); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
     sink(array.toString("utf8")); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
 
-    sink(Array.prototype.toString.call(array)); // $ MISSING: hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
+    sink(Array.prototype.toString.call(array)); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
 }