JS: more taint steps through array manipulation

Author: asger-semmle

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

@@ -290,6 +290,23 @@ module TaintTracking {
         succ.(DataFlow::SourceNode).getAMethodCall(name) = call
       )
       or
+      // `array.push(...e)`, `array.unshift(...e)`: if `e` is tainted, then so is `array`.
+      exists(string name |
+        name = "push" or
+        name = "unshift"
+      |
+        pred = call.asExpr().(InvokeExpr).getAnArgument().(SpreadElement).getOperand().flow() and
+        succ.(DataFlow::SourceNode).getAMethodCall(name) = call
+      )
+      or
+      // `array.splice(i, del, e)`: if `e` is tainted, then so is `array`.
+      exists(string name |
+        name = "splice"
+      |
+        pred = call.getArgument(2) and
+        succ.(DataFlow::SourceNode).getAMethodCall(name) = call
+      )
+      or
       // `e = array.pop()`, `e = array.shift()`, or similar: if `array` is tainted, then so is `e`.
       exists(string name |
         name = "pop" or

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -9,6 +9,9 @@ typeInferenceMismatch
 | addexpr.js:11:15:11:22 | source() | addexpr.js:21:8:21:12 | value |
 | advanced-callgraph.js:2:13:2:20 | source() | advanced-callgraph.js:6:22:6:22 | v |
 | array-callback.js:2:23:2:30 | source() | array-callback.js:4:10:4:10 | x |
+| array-mutation.js:19:18:19:25 | source() | array-mutation.js:20:8:20:8 | e |
+| array-mutation.js:23:13:23:20 | source() | array-mutation.js:24:8:24:8 | f |
+| array-mutation.js:27:16:27:23 | source() | array-mutation.js:28:8:28:8 | g |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:4:8:4:8 | x |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:13:10:13:10 | x |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:19:10:19:10 | x |

javascript/ql/test/library-tests/TaintTracking/array-mutation.js

@@ -0,0 +1,29 @@
+function test(x, y) {
+  let a = [];
+  a.splice(source(), x);
+  sink(a); // OK
+
+  let b = [];
+  b.splice(x, source());
+  sink(b); // OK
+
+  let c = [];
+  c.splice(source(), x, y);
+  sink(c); // OK
+
+  let d = [];
+  d.splice(x, source(), y);
+  sink(d); // OK
+
+  let e = [];
+  e.splice(x, y, source());
+  sink(e); // NOT OK
+
+  let f = [];
+  f.push(...source());
+  sink(f); // NOT OK
+
+  let g = [];
+  g.unshift(...source());
+  sink(g); // NOT OK
+}