JS: only propagate through first argument of truncate()

javascript/ql/src/semmle/javascript/frameworks/ClosureLibrary.qll

@@ -35,17 +35,19 @@ module ClosureLibrary {
           name = "trim" or
           name = "trimLeft" or
           name = "trimRight" or
-          name = "truncate" or
-          name = "truncateMiddle" or
           name = "unescapeEntities" or
           name = "whitespaceEscape"
         )
         or
-        name = "unescapeEntitiesWithDocument" and
-        pred = getArgument(0)
+        pred = getArgument(0) and
+        (
+          name = "truncate" or
+          name = "truncateMiddle" or
+          name = "unescapeEntitiesWithDocument"
+        )
       )
     }
-    
+
     override predicate step(Node src, Node dst) {
       src = pred and
       dst = this

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -11,6 +11,7 @@
 | callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
 | closure.js:6:15:6:22 | source() | closure.js:8:8:8:31 | string. ... (taint) |
 | closure.js:6:15:6:22 | source() | closure.js:9:8:9:25 | string.trim(taint) |
+| closure.js:6:15:6:22 | source() | closure.js:10:8:10:33 | string. ... nt, 50) |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:18:8:18:14 | c.taint |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:22:8:22:19 | c_safe.taint |
 | constructor-calls.js:10:16:10:23 | source() | constructor-calls.js:26:8:26:14 | d.taint |

javascript/ql/test/library-tests/TaintTracking/closure.js

@@ -7,6 +7,8 @@ function test() {
   
   sink(string.capitalize(taint)); // NOT OK
   sink(string.trim(taint)); // NOT OK
+  sink(string.truncate(taint, 50)); // NOT OK
+  sink(string.truncate('hey', taint)); // OK
 
   sink(string.escapeString(taint)); // OK
 }