Merge branch 'main' into napalys/ES2024-group-functions

javascript/ql/lib/change-notes/2024-11-18-ES2023-array-protype-with.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+Added taint-steps for `Array.prototype.with`.

javascript/ql/lib/semmle/javascript/Arrays.qll

@@ -477,7 +477,7 @@ private module ArrayLibraries {
   private class ImmutableArrayTransformStep extends TaintTracking::SharedTaintStep {
     override predicate heapStep(DataFlow::Node pred, DataFlow::Node succ) {
       exists(DataFlow::MethodCallNode call |
-        call.getMethodName() in ["toSorted", "toReversed"] and
+        call.getMethodName() in ["toSorted", "toReversed", "with"] and
         pred = call.getReceiver() and
         succ = call
       )

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -248,6 +248,8 @@ typeInferenceMismatch
 | tst.js:2:13:2:20 | source() | tst.js:74:10:74:34 | Object. ... z => z) |
 | tst.js:2:13:2:20 | source() | tst.js:78:55:78:58 | item |
 | tst.js:2:13:2:20 | source() | tst.js:79:14:79:20 | grouped |
+| tst.js:2:13:2:20 | source() | tst.js:100:10:100:17 | x.with() |
+| tst.js:2:13:2:20 | source() | tst.js:102:10:102:14 | xWith |
 | tst.js:75:22:75:29 | source() | tst.js:75:10:75:52 | Map.gro ... (item)) |
 | tst.js:75:22:75:29 | source() | tst.js:75:47:75:50 | item |
 | tst.js:82:23:82:30 | source() | tst.js:83:58:83:61 | item |

javascript/ql/test/library-tests/TaintTracking/tst.js

@@ -96,4 +96,8 @@ function test() {
         sink(taintedValue); // NOT OK
         sink(map.get(true)); // NOT OK
     }
+
+    sink(x.with()) // NOT OK
+    const xWith = x.with();
+    sink(xWith) // NOT OK
 }