Added taint step for toSpliced, handles test from a65f80ef76

javascript/ql/lib/semmle/javascript/Arrays.qll

@@ -86,7 +86,7 @@ module ArrayTaintTracking {
     succ.(DataFlow::SourceNode).getAMethodCall("splice") = call
     or
     // `e = array.pop()`, `e = array.shift()`, or similar: if `array` is tainted, then so is `e`.
-    call.(DataFlow::MethodCallNode).calls(pred, ["pop", "shift", "slice", "splice", "at"]) and
+    call.(DataFlow::MethodCallNode).calls(pred, ["pop", "shift", "slice", "splice", "at", "toSpliced"]) and
     succ = call
     or
     // `e = Array.from(x)`: if `x` is tainted, then so is `e`.

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -234,6 +234,7 @@ typeInferenceMismatch
 | tst.js:2:13:2:20 | source() | tst.js:51:10:51:31 | seriali ... ript(x) |
 | tst.js:2:13:2:20 | source() | tst.js:54:14:54:19 | unsafe |
 | tst.js:2:13:2:20 | source() | tst.js:61:10:61:20 | x.reverse() |
+| tst.js:2:13:2:20 | source() | tst.js:62:10:62:22 | x.toSpliced() |
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |
 | xml.js:12:17:12:24 | source() | xml.js:13:14:13:19 | result |
 | xml.js:23:18:23:25 | source() | xml.js:20:14:20:17 | attr |

javascript/ql/test/library-tests/TaintTracking/tst.js

@@ -59,5 +59,5 @@ function test() {
     tagged`foo ${"safe"} bar ${x} baz`;
 
     sink(x.reverse()); // NOT OK
-    sink(x.toSpliced()); // NOT OK -- Should be caught, but it is not
+    sink(x.toSpliced()); // NOT OK
 }