From 0c124d2f8c34f028c7c6e64d4cae5f1b70df125f Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 9 Aug 2018 16:51:18 +0100
Subject: [PATCH] JavaScript: add taint step through 'join'
---
 .../ql/src/semmle/javascript/dataflow/TaintTracking.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
index ea8fc1b4654..cfcbb23d449 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -365,7 +365,9 @@ module TaintTracking {
 name = "trimRight" or
 // sorted, interesting, properties of Object.prototype
 name = "toString" or
- name = "valueOf"
+ name = "valueOf" or
+ // sorted, interesting, properties of Array.prototype
+ name = "join"
 ) or
 exists (int i | pred.asExpr() = astNode.(MethodCallExpr).getArgument(i) |
 name = "concat" or
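Review bot: The new `name = "join"` entry sits in what appears to be the receiver-based name list, so a tainted separator in `parts.join(sep)` would still produce an untainted result unless the argument list that starts at `name = "concat" or` also names it. That list continues past the end of the hunk, so this may already be covered; if it is not, adding `name = "join"` there closes the false negative. As far as the hunk shows, the match is on method name alone, so it also applies to any non-array receiver that has a `join` method; the comment could say so, e.g. `// sorted, interesting, properties of Array.prototype (matched by name only)`. The diffstat lists only TaintTracking.qll, so a library test with a tainted array flowing through `join` to a sink would pin the new step.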