JavaScript: add test cases for new array steps

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected

@@ -21,6 +21,8 @@
 | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value |
 | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value |
 | TaintedPath.js:94:48:94:60 | req.params[0] | This path depends on $@. | TaintedPath.js:94:48:94:60 | req.params[0] | a user-provided value |
+| tainted-array-steps.js:11:29:11:54 | ['publi ... in('/') | This path depends on $@. | tainted-array-steps.js:9:24:9:30 | req.url | a user-provided value |
+| tainted-array-steps.js:15:29:15:43 | parts.join('/') | This path depends on $@. | tainted-array-steps.js:9:24:9:30 | req.url | a user-provided value |
 | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
 | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | a user-provided value |
 | views.js:1:43:1:55 | req.params[0] | This path depends on $@. | views.js:1:43:1:55 | req.params[0] | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-022/tainted-array-steps.js

@@ -0,0 +1,18 @@
+var fs = require('fs'),
+    http = require('http'),
+    url = require('url'),
+    sanitize = require('sanitize-filename'),
+    pathModule = require('path')
+    ;
+
+var server = http.createServer(function(req, res) {
+  let path = url.parse(req.url, true).query.path;
+  // BAD: taint is preserved
+  res.write(fs.readFileSync(['public', path].join('/')));
+  // BAD: taint is preserved
+  let parts = ['public', path];
+  parts = parts.map(x => x.toLowerCase());
+  res.write(fs.readFileSync(parts.join('/')));
+});
+
+server.listen();