Merge pull request #6253 from asgerf/js/more-precise-capture-steps

Approved by erik-krogh

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -34,6 +34,8 @@ typeInferenceMismatch
 | callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
 | callbacks.js:53:23:53:30 | source() | callbacks.js:58:10:58:10 | x |
 | capture-flow.js:9:11:9:18 | source() | capture-flow.js:14:10:14:16 | outer() |
+| capture-flow.js:9:11:9:18 | source() | capture-flow.js:19:6:19:16 | outerMost() |
+| capture-flow.js:31:14:31:21 | source() | capture-flow.js:31:6:31:22 | confuse(source()) |
 | captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
 | case.js:2:16:2:23 | source() | case.js:5:8:5:35 | changeC ... source) |
 | case.js:2:16:2:23 | source() | case.js:8:8:8:24 | camelCase(source) |

javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected

@@ -24,6 +24,8 @@
 | callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
 | callbacks.js:53:23:53:30 | source() | callbacks.js:58:10:58:10 | x |
 | capture-flow.js:9:11:9:18 | source() | capture-flow.js:14:10:14:16 | outer() |
+| capture-flow.js:9:11:9:18 | source() | capture-flow.js:19:6:19:16 | outerMost() |
+| capture-flow.js:31:14:31:21 | source() | capture-flow.js:31:6:31:22 | confuse(source()) |
 | captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:18:8:18:14 | c.taint |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:22:8:22:19 | c_safe.taint |

javascript/ql/test/library-tests/TaintTracking/capture-flow.js

@@ -16,4 +16,16 @@ function outerMost() {
     return outer();
 }
 
-sink(outerMost()); // NOT OK - but missed
+sink(outerMost()); // NOT OK
+
+function confuse(x) {
+    let captured;
+    function f() {
+        captured = x;
+    }
+    f();
+    return captured;
+}
+
+sink(confuse('safe')); // OK
+sink(confuse(source())); // NOT OK