Refactored SortTaintStep to ArrayInPlaceManipulationTaintStep to support both sort and reverse functions. Fixed newly added test case. from 8026a99db7

javascript/ql/lib/semmle/javascript/Arrays.qll

@@ -446,12 +446,12 @@ private module ArrayLibraries {
   }
 
   /**
-   * A taint propagating data flow edge arising from sorting.
+   * A taint propagating data flow edge arising from in-place array manipulation operations.
    */
-  private class SortTaintStep extends TaintTracking::SharedTaintStep {
+  private class ArrayInPlaceManipulationTaintStep extends TaintTracking::SharedTaintStep {
     override predicate heapStep(DataFlow::Node pred, DataFlow::Node succ) {
       exists(DataFlow::MethodCallNode call |
-        call.getMethodName() = "sort" and
+        call.getMethodName() in ["sort", "reverse"] and
         pred = call.getReceiver() and
         succ = call
       )

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -233,6 +233,7 @@ typeInferenceMismatch
 | tst.js:2:13:2:20 | source() | tst.js:48:10:48:22 | new Buffer(x) |
 | tst.js:2:13:2:20 | source() | tst.js:51:10:51:31 | seriali ... ript(x) |
 | tst.js:2:13:2:20 | source() | tst.js:54:14:54:19 | unsafe |
+| tst.js:2:13:2:20 | source() | tst.js:61:10:61:20 | x.reverse() |
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |
 | xml.js:12:17:12:24 | source() | xml.js:13:14:13:19 | result |
 | xml.js:23:18:23:25 | source() | xml.js:20:14:20:17 | attr |

javascript/ql/test/library-tests/TaintTracking/tst.js

@@ -58,5 +58,5 @@ function test() {
 
     tagged`foo ${"safe"} bar ${x} baz`;
 
-    sink(x.reverse()); // NOT OK -- Should be caught but isn't
+    sink(x.reverse()); // NOT OK
 }