add a taint-tracking tests for calls to tagged template strings

Author: erik-krogh

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -231,6 +231,7 @@ typeInferenceMismatch
 | tst.js:2:13:2:20 | source() | tst.js:47:10:47:30 | Buffer. ...  'hex') |
 | tst.js:2:13:2:20 | source() | tst.js:48:10:48:22 | new Buffer(x) |
 | tst.js:2:13:2:20 | source() | tst.js:51:10:51:31 | seriali ... ript(x) |
+| tst.js:2:13:2:20 | source() | tst.js:54:14:54:19 | unsafe |
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |
 | xml.js:12:17:12:24 | source() | xml.js:13:14:13:19 | result |
 | xml.js:23:18:23:25 | source() | xml.js:20:14:20:17 | attr |

javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected

@@ -109,3 +109,4 @@
 | thisAssignments.js:4:17:4:24 | source() | thisAssignments.js:5:10:5:18 | obj.field |
 | thisAssignments.js:7:19:7:26 | source() | thisAssignments.js:8:10:8:20 | this.field2 |
 | tst.js:2:13:2:20 | source() | tst.js:4:10:4:10 | x |
+| tst.js:2:13:2:20 | source() | tst.js:54:14:54:19 | unsafe |

javascript/ql/test/library-tests/TaintTracking/tst.js

@@ -49,4 +49,12 @@ function test() {
 
     const serializeJavaScript = require("serialize-javascript");
     sink(serializeJavaScript(x)) // NOT OK
+
+    function tagged(strings, safe, unsafe) {
+        sink(unsafe) // NOT OK
+        sink(safe) // OK
+        sink(strings) // OK
+    }
+
+    tagged`foo ${"safe"} bar ${x} baz`;
 }