Restricted taint to array elements.

javascript/ql/lib/ext/underscore.string.model.yml

@@ -14,7 +14,7 @@ extensions:
       extensible: summaryModel
     data:
       - ["'underscore.string'", "Member[slugify,capitalize,decapitalize,clean,cleanDiacritics,swapCase,escapeHTML,unescapeHTML,wrap,dedent,reverse,pred,succ,titleize,camelize,classify,underscored,dasherize,humanize,trim,ltrim,rtrim,truncate,sprintf,strRight,strRightBack,strLeft,strLeftBack,stripTags,unquote,strip,lstrip,rstrip,camelcase]", "Argument[0]", "ReturnValue", "taint"]
-      - ["'underscore.string'", "Member[chop,chars,words,lines]", "Argument[0]", "ReturnValue", "taint"]
+      - ["'underscore.string'", "Member[chop,chars,words,lines]", "Argument[0]", "ReturnValue.ArrayElement", "taint"]
       - ["'underscore.string'", "Member[toSentence,toSentenceSerial]", "Argument[0].ArrayElement", "ReturnValue", "taint"]
       - ["'underscore.string'", "Member[insert,replaceAll,splice,prune,pad,lpad,rpad,repeat,rjust,ljust]", "Argument[0,2]", "ReturnValue", "taint"]
       - ["'underscore.string'", "Member[splice]", "Argument[0,3]", "ReturnValue", "taint"]

javascript/ql/test/library-tests/TripleDot/underscore.string.js

@@ -39,10 +39,11 @@ function strToStr() {
 }
 
 function strToArray() {
-  sink(s.chop(source("s1"), 3)[0]); // $ hasTaintFlow=s1
-  sink(s.chars(source("s2")[0])); // $ hasTaintFlow=s2
-  sink(s.words(source("s3")[0])); // $ hasTaintFlow=s3
-  sink(s.lines(source("s7")[0])); // $ hasTaintFlow=s7
+  sink(s.chop(source("s1"), 3)); // $ MISSING: hasTaintFlow=s1
+  sink(s.chars(source("s2")[0])); // $ MISSING: hasTaintFlow=s2
+  sink(s.words(source("s3")[0])); // $ MISSING: hasTaintFlow=s3
+  sink(s.lines(source("s7")[0])); // $ MISSING: hasTaintFlow=s7
+  sink(s.chop(source("s1"), 3).length);
 }
 
 function arrayToStr() {