From 623dbda77ddd4a092bb3c8beedcfb0001fc4c7a2 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Mon, 12 Aug 2024 13:18:58 +0200
Subject: [PATCH] Do not pass regular positional args into the rest parameter
---
 .../semmle/javascript/dataflow/internal/DataFlowPrivate.qll | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll
index d25c53cb786..1b08b63f897 100644
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll
@@ -287,7 +287,11 @@ abstract class LibraryCallable extends string {
 }

 private predicate isParameterNodeImpl(Node p, DataFlowCallable c, ParameterPosition pos) {
- p = c.asSourceCallable().(Function).getParameter(pos.asPositional()).flow()
+ exists(Parameter parameter |
+ parameter = c.asSourceCallable().(Function).getParameter(pos.asPositional()) and
+ not parameter.isRestParameter() and
+ p = TValueNode(parameter)
+ )
 or
 pos.isThis() and p = TThisNode(c.asSourceCallable().(Function))
 or
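Review bot: The new `not parameter.isRestParameter()` conjunct in `isParameterNodeImpl` carries no comment saying why a rest parameter is excluded or where its flow is modelled instead; I would add `// A rest parameter receives an array of the remaining arguments, so it is not an ordinary positional parameter.` above the `exists`. After this change the rest parameter is not a parameter node for any positional position in this disjunct, so unless another disjunct or position kind covers it (the predicate continues outside the hunk and none is visible here), arguments passed to a function declared like `function f(a, ...rest)` may no longer reach `rest`, and taint-based security queries could lose results there. The commit changes only this file, so a library test with a source passed in a rest position would pin the intended behaviour either way.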