JS: Fix: Ensure toSpliced with spread operator is flagged

2026-05-05 05:35:13 +02:00 · 2024-11-13 17:21:34 +01:00
parent 8512cb44ff
commit 84234d59b9
3 changed files with 9 additions and 2 deletions
--- a/javascript/ql/lib/semmle/javascript/Arrays.qll
+++ b/javascript/ql/lib/semmle/javascript/Arrays.qll
@@ -90,6 +90,11 @@ module ArrayTaintTracking {
    pred = call.getASpreadArgument() and
    succ.(DataFlow::SourceNode).getAMethodCall("splice") = call
    or
+    // `array.toSpliced(i, del, ...e)`: if `e` is tainted, then so is the result of `toSpliced`, but not the original array.
+    pred = call.getASpreadArgument() and
+    call.(DataFlow::MethodCallNode).getMethodName() = "toSpliced" and
+    succ = call
+    or
    // `e = array.pop()`, `e = array.shift()`, or similar: if `array` is tainted, then so is `e`.
    call.(DataFlow::MethodCallNode)
        .calls(pred, ["pop", "shift", "slice", "splice", "at", "toSpliced"]) and