JS: Add arrayStep but ignore overlap with heapStep for now

javascript/ql/src/semmle/javascript/Arrays.qll

@@ -10,7 +10,7 @@ module ArrayTaintTracking {
    * A taint propagating data flow edge caused by the builtin array functions.
    */
   private class ArrayFunctionTaintStep extends TaintTracking::SharedTaintStep {
-    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    override predicate arrayStep(DataFlow::Node pred, DataFlow::Node succ) {
       arrayFunctionTaintStep(pred, succ, _)
     }
   }

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

@@ -259,6 +259,14 @@ module TaintTracking {
      */
     predicate heapStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
 
+    /**
+     * Holds if `pred` → `succ` should be considered a taint-propagating
+     * data flow edge through arrays.
+     *
+     * These steps considers an array to be tainted if it contains tainted elements.
+     */
+    predicate arrayStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
+
     /**
      * Holds if `pred` → `succ` should be considered a taint-propagating
      * data flow edge through the `state` or `props` or a React component.
@@ -342,6 +350,14 @@ module TaintTracking {
     any(SharedTaintStep step).heapStep(pred, succ)
   }
 
+  /**
+   * Holds if `pred -> succ` is a taint propagating data flow edge through an array.
+   */
+  cached
+  predicate arrayStep(DataFlow::Node pred, DataFlow::Node succ) {
+    any(SharedTaintStep step).arrayStep(pred, succ)
+  }
+
   /**
    * Holds if `pred -> succ` is a taint propagating data flow edge through the
    * properties of a view compenent, such as the `state` or `props` of a React component.
@@ -426,6 +442,7 @@ module TaintTracking {
     uriStep(pred, succ) or
     persistentStorageStep(pred, succ) or
     heapStep(pred, succ) or
+    arrayStep(pred, succ) or
     viewComponentStep(pred, succ) or
     stringConcatenationStep(pred, succ) or
     stringManipulationStep(pred, succ) or
@@ -541,7 +558,7 @@ module TaintTracking {
     }
   }
 
-  predicate arrayFunctionTaintStep = ArrayTaintTracking::arrayFunctionTaintStep/3;
+  deprecated predicate arrayFunctionTaintStep = ArrayTaintTracking::arrayFunctionTaintStep/3;
 
   /**
    * A taint propagating data flow edge for assignments of the form `o[k] = v`, where

javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll

@@ -52,7 +52,7 @@ private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::
     result = pred.backtrack(t2, t)
     or
     t = t2.continue() and
-    TaintTracking::arrayFunctionTaintStep(any(DataFlow::Node n | result.flowsTo(n)), pred, _)
+    TaintTracking::arrayStep(any(DataFlow::Node n | result.flowsTo(n)), pred)
   )
 }