Merge pull request #192 from esben-semmle/js/additional-array-taint-steps

Approved by asger-semmle

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -3,3 +3,15 @@
 | tst.js:2:13:2:20 | source() | tst.js:14:10:14:17 | x.sort() |
 | tst.js:2:13:2:20 | source() | tst.js:17:10:17:10 | a |
 | tst.js:2:13:2:20 | source() | tst.js:19:10:19:10 | a |
+| tst.js:2:13:2:20 | source() | tst.js:23:10:23:10 | b |
+| tst.js:2:13:2:20 | source() | tst.js:25:10:25:16 | x.pop() |
+| tst.js:2:13:2:20 | source() | tst.js:26:10:26:18 | x.shift() |
+| tst.js:2:13:2:20 | source() | tst.js:27:10:27:18 | x.slice() |
+| tst.js:2:13:2:20 | source() | tst.js:28:10:28:19 | x.splice() |
+| tst.js:2:13:2:20 | source() | tst.js:30:10:30:22 | Array.from(x) |
+| tst.js:2:13:2:20 | source() | tst.js:33:14:33:16 | elt |
+| tst.js:2:13:2:20 | source() | tst.js:35:14:35:16 | ary |
+| tst.js:2:13:2:20 | source() | tst.js:39:14:39:16 | elt |
+| tst.js:2:13:2:20 | source() | tst.js:41:14:41:16 | ary |
+| tst.js:2:13:2:20 | source() | tst.js:44:10:44:30 | innocen ... ) => x) |
+| tst.js:2:13:2:20 | source() | tst.js:45:10:45:24 | x.map(x2 => x2) |

javascript/ql/test/library-tests/TaintTracking/tst.js

@@ -18,4 +18,30 @@ function test() {
     a.push(x);
     sink(a); // NOT OK
 
+    var b = [];
+    b.unshift(x);
+    sink(b); // NOT OK
+
+    sink(x.pop()); // NOT OK
+    sink(x.shift()); // NOT OK
+    sink(x.slice()); // NOT OK
+    sink(x.splice()); // NOT OK
+
+    sink(Array.from(x)); // NOT OK
+
+    x.map((elt, i, ary) => {
+        sink(elt); // NOT OK
+        sink(i); // OK
+        sink(ary); // NOT OK
+    });
+
+    x.forEach((elt, i, ary) => {
+        sink(elt); // NOT OK
+        sink(i); // OK
+        sink(ary); // NOT OK
+    });
+
+    sink(innocent.map(() => x)); // NOT OK
+    sink(x.map(x2 => x2)); // NOT OK
+
 }