ensure an indexOf call is equivalent with itself. (getAUse() is used later to find matching indexOf calls)

Author: erik-krogh

javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql

@@ -44,6 +44,8 @@ class IndexOfCall extends DataFlow::MethodCallNode {
    * Gets an `indexOf` call with the same receiver, argument, and method name, including this call itself.
    */
   IndexOfCall getAnEquivalentIndexOfCall() {
+    result = this
+    or
     exists(DataFlow::Node recv, string m |
       this.receiverAndMethodName(recv, m) and result.receiverAndMethodName(recv, m)
     |

javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/IncorrectSuffixCheck.expected

@@ -9,5 +9,4 @@
 | tst.js:67:32:67:71 | x.index ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
 | tst.js:76:25:76:57 | index = ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
 | tst.js:80:10:80:57 | x.index ... th + 1) | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
-| tst.js:105:23:105:80 | ind === ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
 | tst.js:110:65:110:164 | trusted ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |

javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js

@@ -102,7 +102,7 @@ function sameCheck(allowedOrigin) {
     const trustedAuthority = "example.com";
 
     const ind = trustedAuthority.indexOf("." + allowedOrigin);
-    return ind > 0 && ind === trustedAuthority.length - allowedOrigin.length - 1; // OK - but currently failing
+    return ind > 0 && ind === trustedAuthority.length - allowedOrigin.length - 1; // OK
 }
 
 function sameConcatenation(allowedOrigin) {