JS: Fix: Ensure toSpliced with spread operator is flagged

Author: Napalys

javascript/ql/lib/semmle/javascript/Arrays.qll

@@ -90,6 +90,11 @@ module ArrayTaintTracking {
     pred = call.getASpreadArgument() and
     succ.(DataFlow::SourceNode).getAMethodCall("splice") = call
     or
+    // `array.toSpliced(i, del, ...e)`: if `e` is tainted, then so is the result of `toSpliced`, but not the original array.
+    pred = call.getASpreadArgument() and
+    call.(DataFlow::MethodCallNode).getMethodName() = "toSpliced" and
+    succ = call
+    or
     // `e = array.pop()`, `e = array.shift()`, or similar: if `array` is tainted, then so is `e`.
     call.(DataFlow::MethodCallNode)
         .calls(pred, ["pop", "shift", "slice", "splice", "at", "toSpliced"]) and

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -26,6 +26,8 @@ typeInferenceMismatch
 | array-mutation.js:43:36:43:43 | source() | array-mutation.js:45:8:45:15 | kSpliced |
 | array-mutation.js:48:25:48:32 | source() | array-mutation.js:49:8:49:8 | l |
 | array-mutation.js:68:21:68:28 | source() | array-mutation.js:69:8:69:8 | q |
+| array-mutation.js:72:39:72:46 | source() | array-mutation.js:73:8:73:15 | rSpliced |
+| array-mutation.js:75:28:75:35 | source() | array-mutation.js:76:8:76:8 | r |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:17:8:17:13 | arr[1] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:22:8:22:13 | arr[6] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:27:8:27:13 | arr[0] |

javascript/ql/test/library-tests/TaintTracking/array-mutation.js

@@ -70,8 +70,8 @@ function test(x, y) {
 
   let r = [];
   let rSpliced = r.toSpliced(x, y, ...source());
-  sink(rSpliced); // NOT OK -- This should flagged but it is not
+  sink(rSpliced); // NOT OK
   sink(r); // OK
   r = r.toSpliced(x, y, ...source());
-  sink(r); // NOT OK -- This should flagged but it is not
+  sink(r); // NOT OK
 }