Add flow summaries for TypedArray methods set and subarray

Author: Napalys

javascript/ql/lib/semmle/javascript/internal/flow_summaries/TypedArrays.qll

@@ -36,3 +36,32 @@ class BufferTypedArray extends DataFlow::AdditionalFlowStep {
     )
   }
 }
+
+class SetLike extends SummarizedCallable {
+  SetLike() { this = "TypedArray#set" }
+
+  override InstanceCall getACall() {
+    result = typedArrayConstructorRef().getAnInstantiation().getReturn().getMember("set").getACall()
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    preservesValue = true and
+    input = "Argument[0].ArrayElement" and
+    output = "Argument[this].ArrayElement"
+  }
+}
+
+class SubArrayLike extends SummarizedCallable {
+  SubArrayLike() { this = "TypedArray#subarray" }
+
+  override InstanceCall getACall() {
+    result =
+      typedArrayConstructorRef().getAnInstantiation().getReturn().getMember("subarray").getACall()
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    preservesValue = true and
+    input = "Argument[this].ArrayElement" and
+    output = "ReturnValue.ArrayElement"
+  }
+}

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -38,14 +38,13 @@ legacyDataFlowDifference
 | typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:5:10:5:10 | y | only flow with NEW data flow library |
 | typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:7:10:7:17 | y.buffer | only flow with NEW data flow library |
 | typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:11:10:11:12 | arr | only flow with NEW data flow library |
+| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:15:10:15:10 | z | only flow with NEW data flow library |
+| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:18:10:18:12 | sub | only flow with NEW data flow library |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x | only flow with NEW data flow library |
 consistencyIssue
 | nested-props.js:20 | expected an alert, but found none | NOT OK - but not found | Consistency |
 | stringification-read-steps.js:17 | expected an alert, but found none | NOT OK | Consistency |
 | stringification-read-steps.js:25 | expected an alert, but found none | NOT OK | Consistency |
-| typed-arrays.js:15 | expected an alert, but found none | NOT OK | Consistency |
-| typed-arrays.js:18 | expected an alert, but found none | NOT OK | Consistency |
-| typed-arrays.js:22 | expected an alert, but found none | NOT OK | Consistency |
 flow
 | access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
 | addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
@@ -334,6 +333,8 @@ flow
 | typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:5:10:5:10 | y |
 | typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:7:10:7:17 | y.buffer |
 | typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:11:10:11:12 | arr |
+| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:15:10:15:10 | z |
+| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:18:10:18:12 | sub |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:8:10:8:17 | captured |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x |
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |

javascript/ql/test/library-tests/TaintTracking/typed-arrays.js

@@ -16,8 +16,4 @@ function test() {
 
     const sub = y.subarray(1, 3)
     sink(sub); // NOT OK
-
-    const clone = new y.constructor(y.length);
-    clone.set(y);    
-    sink(clone); // NOT OK
 }