add a few arrary methods to TaintedPath.qll

javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll

@@ -93,13 +93,38 @@ module TaintedPath {
         |
           name = argumentlessMethodName
         )
+      )
       or
+      // array method calls of interest
+      exists(DataFlow::MethodCallNode mcn, string name | dst = mcn and mcn.calls(src, name) |
+        // A `str.split()` call can either split into path elements (`str.split("/")`) or split by some other string.
         name = "split" and
-        not exists(DataFlow::Node splitBy | splitBy = mcn.getArgument(0) |
+        (
+          if
+            exists(DataFlow::Node splitBy | splitBy = mcn.getArgument(0) |
               splitBy.mayHaveStringValue("/") or
               any(DataFlow::RegExpLiteralNode reg | reg.getRoot().getAMatchedString() = "/")
                   .flowsTo(splitBy)
             )
+          then
+            srclabel.(Label::PosixPath).canContainDotDotSlash() and
+            dstlabel instanceof Label::SplitPath
+          else srclabel = dstlabel
+        )
+        or
+        (
+          name = "pop" or
+          name = "shift" or
+          name = "slice" or
+          name = "splice"
+        ) and
+        dstlabel instanceof Label::SplitPath and
+        srclabel instanceof Label::SplitPath
+        or
+        name = "join" and
+        mcn.getArgument(0).mayHaveStringValue("/") and 
+        srclabel instanceof Label::SplitPath and
+        dstlabel.(Label::PosixPath).canContainDotDotSlash()
       )
     }
 

javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -108,6 +108,12 @@ module TaintedPath {
         not (isNormalized() and isAbsolute())
       }
     }
+
+    class SplitPath extends DataFlow::FlowLabel {
+      SplitPath() {
+        this = "splitPath"
+      }
+    }
   }
 
   /**