We now precisely track flow from positional arguments to splat
parameters, provided that splat arguments are not used and there are no
positional parameters after the splat parameter. For example, in this
case:
def f(x, y, *z); end
f(a, b, c, d)
we get flow from `c` to `z[0]` and `d` to `z[1]`.
We get false flow if there are positional parameters after the splat
parameter. For example in this case:
def g(x, y, *z, w); end
g(a, b, c, d)
we get flow from `d` to `z[0]` instead of `w`.
We also track flow in this case
def f(a, *b)
sink b[0]
end
f(1, *[taint, 2])
In cases where there are positional parameters after a splat parameter,
don't attempt to match the splat parameter to a splat argument. We need
more sophisticated modelling to handle these cases, which is future
work.
This models flow in the following case:
def foo(x, y)
sink x # 1
sink y # 2
end
args = [source 1, source 2]
foo(*args)
We do this by introducing a SynthSplatParameterNode which accepts
content from the splat argument, if one is given at the callsite.
From this node we add read steps to each positional parameter.
