We need these to return the dominator instead of declaring it in the parameter list, so that we can use it directly to fulfill part of the signature for the SSA library.
We can't rewrite it with an inline predicate since the SSA module calls with a transitive closure '*', which does not permit inline predicates.
TaintedUrlSuffix is currently only used in TaintTracking configs meaning it is already propagated
by taint steps. The inclusion of these taint steps here however meant that implicit reads could appear prior to any of these steps.
This was is problematic for PropRead steps as an expression like x[0] could spuriously read from array element 1 via the path:
x [element 1]
x [empty access path] (after implicit read)
x[0] (taint step through PropRead)
Array.prototype.shift only returns the first array element.
The mutation of Argument[this] is not yet modelled, and is better handled when we have use-use flow.
This summary uses the notion of optional steps/barriers so it becomes configurable whether there is flow into the zero'th array element.
Also makes sure we handle the second-argument version of split().
OptionalStep[foo] and OptionalBarrier[foo] contribute steps/barriers that are not active by default, but can be opted into by specific queries or for specific flow states.
(Will be used in the following commits)
For ContentSet it is ambiguous whether asArrayIndex() should get a singleton content set, or the KnownArrayElement content set. The user will now have to choose between asSingleton().asArrayIndex() or ContentSet::arrayElementKnown.
Tainted URL suffix steps are added as configuration-specific additional
steps, which means implicit reads may occur before any of these steps.
These steps accidentally included the legacy taint steps which include
a step from 'arguments' to all positional parameters. Combined with the
implicit read, arguments could escape their array index and flow to
any parameter while in the tainted-url flow state.
