Integration with RemoteFlowSource is not straightforward, so postponing
that for later
Naming in other languages:
- `SourceNode` (for QL only modeling)
- `ThreatModelFlowSource` (for active sources from QL or data-extensions)
However, since we use `LocalSourceNode` in Python, and `SourceNode` in
JS (for local source nodes), it seems a bit confusing to follow the same
naming convention as other languages, and instead I came up with new names.
We need these to return the dominator instead of declaring it in the parameter list, so that we can use it directly to fulfill part of the signature for the SSA library.
We can't rewrite it with an inline predicate since the SSA module calls with a transitive closure '*', which does not permit inline predicates.
TaintedUrlSuffix is currently only used in TaintTracking configs meaning it is already propagated
by taint steps. The inclusion of these taint steps here however meant that implicit reads could appear prior to any of these steps.
This was is problematic for PropRead steps as an expression like x[0] could spuriously read from array element 1 via the path:
x [element 1]
x [empty access path] (after implicit read)
x[0] (taint step through PropRead)
Array.prototype.shift only returns the first array element.
The mutation of Argument[this] is not yet modelled, and is better handled when we have use-use flow.
This summary uses the notion of optional steps/barriers so it becomes configurable whether there is flow into the zero'th array element.
Also makes sure we handle the second-argument version of split().
OptionalStep[foo] and OptionalBarrier[foo] contribute steps/barriers that are not active by default, but can be opted into by specific queries or for specific flow states.
(Will be used in the following commits)
