Fix interaction between defaultAdditionalTaintStep and defaultImplicitTaintRead

javascript/ql/test/library-tests/Promises/tests.expected

@@ -275,6 +275,10 @@ flow
 | flow.js:136:15:136:22 | "source" | flow.js:155:9:155:9 | e |
 exclusiveTaintFlow
 | flow2.js:2:15:2:22 | "source" | flow2.js:5:8:5:10 | arr |
+| flow2.js:2:15:2:22 | "source" | flow2.js:7:8:7:13 | arr[1] |
+| flow2.js:2:15:2:22 | "source" | flow2.js:11:7:11:11 | clean |
+| flow2.js:2:15:2:22 | "source" | flow2.js:15:7:15:12 | clean2 |
+| flow2.js:2:15:2:22 | "source" | flow2.js:19:7:19:12 | clean3 |
 | flow.js:136:15:136:22 | "source" | flow.js:141:7:141:13 | async() |
 | flow.js:160:15:160:22 | "source" | flow.js:164:39:164:39 | x |
 | flow.js:160:15:160:22 | "source" | flow.js:167:7:167:9 | foo |
@@ -468,3 +472,7 @@ valueFlowDifference
 | flow2.js:2:15:2:22 | "source" | flow2.js:20:7:20:14 | tainted3 | only flow with NEW data flow library |
 taintFlowDifference
 | flow2.js:2:15:2:22 | "source" | flow2.js:5:8:5:10 | arr | only flow with NEW data flow library |
+| flow2.js:2:15:2:22 | "source" | flow2.js:7:8:7:13 | arr[1] | only flow with NEW data flow library |
+| flow2.js:2:15:2:22 | "source" | flow2.js:11:7:11:11 | clean | only flow with NEW data flow library |
+| flow2.js:2:15:2:22 | "source" | flow2.js:15:7:15:12 | clean2 | only flow with NEW data flow library |
+| flow2.js:2:15:2:22 | "source" | flow2.js:19:7:19:12 | clean3 | only flow with NEW data flow library |

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -1,15 +1,9 @@
 legacyDataFlowDifference
-| arrays-init.js:2:16:2:23 | source() | arrays-init.js:27:8:27:13 | arr[0] | only flow with OLD data flow library |
-| arrays-init.js:2:16:2:23 | source() | arrays-init.js:33:8:33:13 | arr[0] | only flow with OLD data flow library |
-| arrays-init.js:2:16:2:23 | source() | arrays-init.js:35:8:35:13 | arr[2] | only flow with OLD data flow library |
-| arrays-init.js:2:16:2:23 | source() | arrays-init.js:36:8:36:13 | arr[3] | only flow with OLD data flow library |
-| arrays-init.js:2:16:2:23 | source() | arrays-init.js:37:8:37:13 | arr[4] | only flow with OLD data flow library |
 | bound-function.js:27:8:27:15 | source() | bound-function.js:30:10:30:10 | y | only flow with OLD data flow library |
 | call-apply.js:27:14:27:21 | source() | call-apply.js:24:8:24:11 | arg1 | only flow with NEW data flow library |
 | call-apply.js:27:14:27:21 | source() | call-apply.js:32:6:32:35 | foo1.ap ... e, ""]) | only flow with NEW data flow library |
+| call-apply.js:27:14:27:21 | source() | call-apply.js:33:6:33:35 | foo2.ap ... e, ""]) | only flow with NEW data flow library |
 | call-apply.js:27:14:27:21 | source() | call-apply.js:34:6:34:29 | foo1_ap ... e, ""]) | only flow with NEW data flow library |
-| call-apply.js:27:14:27:21 | source() | call-apply.js:41:6:41:28 | foo1_ca ... ource]) | only flow with OLD data flow library |
-| call-apply.js:27:14:27:21 | source() | call-apply.js:59:10:59:21 | arguments[1] | only flow with OLD data flow library |
 | call-apply.js:45:8:45:15 | source() | call-apply.js:55:6:55:13 | foo(obj) | only flow with NEW data flow library |
 | callbacks.js:37:17:37:24 | source() | callbacks.js:38:35:38:35 | x | only flow with NEW data flow library |
 | callbacks.js:37:17:37:24 | source() | callbacks.js:41:10:41:10 | x | only flow with NEW data flow library |
@@ -32,14 +26,28 @@ legacyDataFlowDifference
 | object-bypass-sanitizer.js:35:29:35:36 | source() | object-bypass-sanitizer.js:28:10:28:30 | sanitiz ... bj).foo | only flow with OLD data flow library |
 | promise.js:12:20:12:27 | source() | promise.js:13:8:13:23 | resolver.promise | only flow with OLD data flow library |
 | sanitizer-guards.js:57:11:57:18 | source() | sanitizer-guards.js:64:8:64:8 | x | only flow with NEW data flow library |
+| spread.js:4:15:4:22 | source() | spread.js:17:8:17:8 | x | only flow with NEW data flow library |
 | spread.js:4:15:4:22 | source() | spread.js:18:8:18:8 | y | only flow with NEW data flow library |
+| spread.js:4:15:4:22 | source() | spread.js:19:8:19:8 | z | only flow with NEW data flow library |
+| spread.js:4:15:4:22 | source() | spread.js:23:8:23:8 | x | only flow with NEW data flow library |
 | spread.js:4:15:4:22 | source() | spread.js:24:8:24:8 | y | only flow with NEW data flow library |
+| spread.js:4:15:4:22 | source() | spread.js:25:8:25:8 | z | only flow with NEW data flow library |
 | tst.js:2:13:2:20 | source() | tst.js:17:10:17:10 | a | only flow with OLD data flow library |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x | only flow with NEW data flow library |
+| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:16:10:16:10 | y | only flow with NEW data flow library |
 consistencyIssue
+| arrays-init.js:27 | did not expect an alert, but found an alert for LegacyConfig | OK | Consistency |
+| arrays-init.js:33 | did not expect an alert, but found an alert for LegacyConfig | OK | Consistency |
+| arrays-init.js:35 | did not expect an alert, but found an alert for LegacyConfig | OK | Consistency |
+| arrays-init.js:36 | did not expect an alert, but found an alert for LegacyConfig | OK | Consistency |
+| arrays-init.js:37 | did not expect an alert, but found an alert for LegacyConfig | OK | Consistency |
+| call-apply.js:33 | did not expect an alert, but found an alert | OK | Consistency |
+| call-apply.js:41 | did not expect an alert, but found an alert for LegacyConfig | OK | Consistency |
+| call-apply.js:59 | did not expect an alert, but found an alert for LegacyConfig | OK | Consistency |
 | nested-props.js:20 | expected an alert, but found none | NOT OK - but not found | Consistency |
 | stringification-read-steps.js:17 | expected an alert, but found none | NOT OK | Consistency |
 | stringification-read-steps.js:25 | expected an alert, but found none | NOT OK | Consistency |
+| use-use-after-implicit-read.js:16 | did not expect an alert, but found an alert | OK | Consistency |
 flow
 | access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
 | addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
@@ -59,8 +67,13 @@ flow
 | array-mutation.js:75:28:75:35 | source() | array-mutation.js:76:8:76:8 | r |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:17:8:17:13 | arr[1] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:22:8:22:13 | arr[6] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:27:8:27:13 | arr[0] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:28:8:28:13 | arr[1] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:33:8:33:13 | arr[0] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:34:8:34:13 | arr[1] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:35:8:35:13 | arr[2] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:36:8:36:13 | arr[3] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:37:8:37:13 | arr[4] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:38:8:38:13 | arr[5] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:43:10:43:15 | arr[i] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:55:10:55:15 | arr[i] |
@@ -83,8 +96,11 @@ flow
 | call-apply.js:27:14:27:21 | source() | call-apply.js:24:8:24:11 | arg1 |
 | call-apply.js:27:14:27:21 | source() | call-apply.js:29:6:29:32 | foo1.ca ... ce, "") |
 | call-apply.js:27:14:27:21 | source() | call-apply.js:32:6:32:35 | foo1.ap ... e, ""]) |
+| call-apply.js:27:14:27:21 | source() | call-apply.js:33:6:33:35 | foo2.ap ... e, ""]) |
 | call-apply.js:27:14:27:21 | source() | call-apply.js:34:6:34:29 | foo1_ap ... e, ""]) |
 | call-apply.js:27:14:27:21 | source() | call-apply.js:40:6:40:28 | foo1_ca ... e, ""]) |
+| call-apply.js:27:14:27:21 | source() | call-apply.js:41:6:41:28 | foo1_ca ... ource]) |
+| call-apply.js:27:14:27:21 | source() | call-apply.js:59:10:59:21 | arguments[1] |
 | call-apply.js:27:14:27:21 | source() | call-apply.js:62:10:62:21 | arguments[0] |
 | call-apply.js:45:8:45:15 | source() | call-apply.js:55:6:55:13 | foo(obj) |
 | call-apply.js:81:17:81:24 | source() | call-apply.js:78:8:78:11 | this |
@@ -263,8 +279,12 @@ flow
 | spread.js:4:15:4:22 | source() | spread.js:7:8:7:43 | { f: 'h ... orld' } |
 | spread.js:4:15:4:22 | source() | spread.js:9:8:9:19 | [ ...taint ] |
 | spread.js:4:15:4:22 | source() | spread.js:10:8:10:28 | [ 1, 2, ... nt, 3 ] |
+| spread.js:4:15:4:22 | source() | spread.js:17:8:17:8 | x |
 | spread.js:4:15:4:22 | source() | spread.js:18:8:18:8 | y |
+| spread.js:4:15:4:22 | source() | spread.js:19:8:19:8 | z |
+| spread.js:4:15:4:22 | source() | spread.js:23:8:23:8 | x |
 | spread.js:4:15:4:22 | source() | spread.js:24:8:24:8 | y |
+| spread.js:4:15:4:22 | source() | spread.js:25:8:25:8 | z |
 | static-capture-groups.js:2:17:2:24 | source() | static-capture-groups.js:5:14:5:22 | RegExp.$1 |
 | static-capture-groups.js:2:17:2:24 | source() | static-capture-groups.js:15:14:15:22 | RegExp.$1 |
 | static-capture-groups.js:2:17:2:24 | source() | static-capture-groups.js:17:14:17:22 | RegExp.$1 |
@@ -326,6 +346,7 @@ flow
 | tst.js:93:22:93:29 | source() | tst.js:97:14:97:26 | map.get(true) |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:8:10:8:17 | captured |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x |
+| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:16:10:16:10 | y |
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |
 | xml.js:12:17:12:24 | source() | xml.js:13:14:13:19 | result |
 | xml.js:23:18:23:25 | source() | xml.js:20:14:20:17 | attr |

javascript/ql/test/library-tests/TaintedUrlSuffix/tst.js

@@ -8,12 +8,12 @@ function t1() {
     sink(href.split('#')[0]); // could be 'tainted-url-suffix', but omitted due to FPs from URI-encoding
     sink(href.split('#')[1]); // $ flow=taint
     sink(href.split('#').pop()); // $ flow=taint
-    sink(href.split('#')[2]); // $ MISSING: flow=taint // currently the split() summary only propagates to index 1
+    sink(href.split('#')[2]); // $ flow=taint // currently the split() summary only propagates to index 1
 
     sink(href.split('?')[0]);
     sink(href.split('?')[1]); // $ flow=taint
     sink(href.split('?').pop()); // $ flow=taint
-    sink(href.split('?')[2]); // $ MISSING: flow=taint
+    sink(href.split('?')[2]); // $ flow=taint
 
     sink(href.split(blah())[0]); // $ flow=tainted-url-suffix
     sink(href.split(blah())[1]); // $ flow=tainted-url-suffix

javascript/ql/test/library-tests/TripleDot/arrays.js

@@ -2,8 +2,8 @@ import 'dummy';
 
 function shiftKnown() {
     let array = [source('shift.1'), source('shift.2')];
-    sink(array.shift()); // $ hasValueFlow=shift.1
-    sink(array.shift()); // $ SPURIOUS: hasValueFlow=shift.1 MISSING: hasValueFlow=shift.2
+    sink(array.shift()); // $ hasValueFlow=shift.1 SPURIOUS: hasTaintFlow=shift.2
+    sink(array.shift()); // $ SPURIOUS: hasValueFlow=shift.1 hasTaintFlow=shift.2 MISSING: hasValueFlow=shift.2
 }
 
 function shiftUnknown() {

javascript/ql/test/library-tests/TripleDot/tst.js

@@ -2,8 +2,8 @@ import 'dummy';
 
 function t1() {
     function target(...rest) {
-        sink(rest[0]); // $ hasValueFlow=t1.1
-        sink(rest[1]); // $ hasValueFlow=t1.2
+        sink(rest[0]); // $ hasValueFlow=t1.1 SPURIOUS: hasTaintFlow=t1.2
+        sink(rest[1]); // $ hasValueFlow=t1.2 SPURIOUS: hasTaintFlow=t1.1
         sink(rest.join(',')); // $ hasTaintFlow=t1.1 hasTaintFlow=t1.2
     }
     target(source('t1.1'), source('t1.2'));
@@ -19,9 +19,9 @@ function t2() {
 
 function t3() {
     function finalTarget(x, y, z) {
-        sink(x); // $ hasValueFlow=t3.1
-        sink(y); // $ hasValueFlow=t3.2
-        sink(z); // $ hasValueFlow=t3.3
+        sink(x); // $ hasValueFlow=t3.1 SPURIOUS: hasTaintFlow=t3.2 hasTaintFlow=t3.3
+        sink(y); // $ hasValueFlow=t3.2 SPURIOUS: hasTaintFlow=t3.1 hasTaintFlow=t3.3
+        sink(z); // $ hasValueFlow=t3.3 SPURIOUS: hasTaintFlow=t3.1 hasTaintFlow=t3.2
     }
     function target(...rest) {
         finalTarget(...rest);
@@ -31,10 +31,10 @@ function t3() {
 
 function t4() {
     function finalTarget(w, x, y, z) {
-        sink(w); // $ hasValueFlow=t4.0
-        sink(x); // $ hasValueFlow=t4.1
-        sink(y); // $ hasValueFlow=t4.2
-        sink(z); // $ hasValueFlow=t4.3
+        sink(w); // $ hasValueFlow=t4.0 SPURIOUS: hasTaintFlow=t4.1 hasTaintFlow=t4.2 hasTaintFlow=t4.3
+        sink(x); // $ hasValueFlow=t4.1 SPURIOUS: hasTaintFlow=t4.2 hasTaintFlow=t4.3
+        sink(y); // $ hasValueFlow=t4.2 SPURIOUS: hasTaintFlow=t4.1 hasTaintFlow=t4.3
+        sink(z); // $ hasValueFlow=t4.3 SPURIOUS: hasTaintFlow=t4.1 hasTaintFlow=t4.2
     }
     function target(...rest) {
         finalTarget(source('t4.0'), ...rest);
@@ -44,10 +44,10 @@ function t4() {
 
 function t5() {
     function finalTarget(w, x, y, z) {
-        sink(w); // $ hasValueFlow=t5.0
-        sink(x); // $ hasValueFlow=t5.1
-        sink(y); // $ hasValueFlow=t5.2
-        sink(z); // $ hasValueFlow=t5.3
+        sink(w); // $ hasValueFlow=t5.0 SPURIOUS: hasTaintFlow=t5.1 hasTaintFlow=t5.2 hasTaintFlow=t5.3
+        sink(x); // $ hasValueFlow=t5.1 SPURIOUS: hasTaintFlow=t5.2 hasTaintFlow=t5.3
+        sink(y); // $ hasValueFlow=t5.2 SPURIOUS: hasTaintFlow=t5.1 hasTaintFlow=t5.3
+        sink(z); // $ hasValueFlow=t5.3 SPURIOUS: hasTaintFlow=t5.1 hasTaintFlow=t5.2
     }
     function target(array) {
         finalTarget(source('t5.0'), ...array);
@@ -58,18 +58,18 @@ function t5() {
 function t6() {
     function target(x) {
         sink(x); // $ hasValueFlow=t6.1
-        sink(arguments[0]);// $ hasValueFlow=t6.1
-        sink(arguments[1]);// $ hasValueFlow=t6.2
-        sink(arguments[2]);// $ hasValueFlow=t6.3
+        sink(arguments[0]);// $ hasValueFlow=t6.1 SPURIOUS: hasTaintFlow=t6.2 hasTaintFlow=t6.3
+        sink(arguments[1]);// $ hasValueFlow=t6.2 SPURIOUS: hasTaintFlow=t6.1 hasTaintFlow=t6.3
+        sink(arguments[2]);// $ hasValueFlow=t6.3 SPURIOUS: hasTaintFlow=t6.1 hasTaintFlow=t6.2
     }
     target(source('t6.1'), source('t6.2'), source('t6.3'));
 }
 
 function t7() {
     function finalTarget(x, y, z) {
-        sink(x); // $ hasValueFlow=t7.1
-        sink(y); // $ hasValueFlow=t7.2
-        sink(z); // $ hasValueFlow=t7.3
+        sink(x); // $ hasValueFlow=t7.1 SPURIOUS: hasTaintFlow=t7.2 hasTaintFlow=t7.3
+        sink(y); // $ hasValueFlow=t7.2 SPURIOUS: hasTaintFlow=t7.1 hasTaintFlow=t7.3
+        sink(z); // $ hasValueFlow=t7.3 SPURIOUS: hasTaintFlow=t7.1 hasTaintFlow=t7.2
     }
     function target() {
         finalTarget(...arguments);
@@ -79,9 +79,9 @@ function t7() {
 
 function t8() {
     function finalTarget(x, y, z) {
-        sink(x); // $ hasValueFlow=t8.1 SPURIOUS: hasValueFlow=t8.3 hasValueFlow=t8.4
-        sink(y); // $ hasValueFlow=t8.2 SPURIOUS: hasValueFlow=t8.3 hasValueFlow=t8.4
-        sink(z); // $ hasValueFlow=t8.3 SPURIOUS: hasValueFlow=t8.3 hasValueFlow=t8.4
+        sink(x); // $ hasValueFlow=t8.1 SPURIOUS: hasTaintFlow=t8.2 hasValueFlow=t8.3 hasValueFlow=t8.4
+        sink(y); // $ hasValueFlow=t8.2 SPURIOUS: hasTaintFlow=t8.1 hasValueFlow=t8.3 hasValueFlow=t8.4
+        sink(z); // $ hasValueFlow=t8.3 SPURIOUS: hasTaintFlow=t8.1 hasTaintFlow=t8.2 hasValueFlow=t8.3 hasValueFlow=t8.4
     }
     function target(array1, array2) {
         finalTarget(...array1, ...array2);
@@ -91,9 +91,9 @@ function t8() {
 
 function t9() {
     function finalTarget(x, y, z) {
-        sink(x); // $ hasValueFlow=t9.1
-        sink(y); // $ hasValueFlow=t9.2
-        sink(z); // $ hasValueFlow=t9.3
+        sink(x); // $ hasValueFlow=t9.1 SPURIOUS: hasTaintFlow=t9.2 hasTaintFlow=t9.3
+        sink(y); // $ hasValueFlow=t9.2 SPURIOUS: hasTaintFlow=t9.1 hasTaintFlow=t9.3
+        sink(z); // $ hasValueFlow=t9.3 SPURIOUS: hasTaintFlow=t9.1 hasTaintFlow=t9.2
     }
     function target() {
         finalTarget.apply(undefined, arguments);
@@ -103,9 +103,9 @@ function t9() {
 
 function t10() {
     function finalTarget(x, y, z) {
-        sink(x); // $ hasValueFlow=t10.1
-        sink(y); // $ hasValueFlow=t10.2
-        sink(z); // $ hasValueFlow=t10.3
+        sink(x); // $ hasValueFlow=t10.1 SPURIOUS: hasTaintFlow=t10.2 hasTaintFlow=t10.3
+        sink(y); // $ hasValueFlow=t10.2 SPURIOUS: hasTaintFlow=t10.1 hasTaintFlow=t10.3
+        sink(z); // $ hasValueFlow=t10.3 SPURIOUS: hasTaintFlow=t10.1 hasTaintFlow=t10.2
     }
     function target(...rest) {
         finalTarget.apply(undefined, rest);

javascript/ql/test/library-tests/frameworks/AsyncPackage/AsyncTaintTracking.expected

@@ -1,10 +1,10 @@
 legacyDataFlowDifference
-| each.js:11:9:11:16 | source() | each.js:13:12:13:15 | item | only flow with OLD data flow library |
-| map.js:10:13:10:20 | source() | map.js:12:14:12:17 | item | only flow with OLD data flow library |
-| map.js:26:13:26:20 | source() | map.js:28:27:28:32 | result | only flow with OLD data flow library |
-| sortBy.js:10:22:10:29 | source() | sortBy.js:12:27:12:32 | result | only flow with OLD data flow library |
 #select
+| each.js:11:9:11:16 | source() | each.js:13:12:13:15 | item |
+| map.js:10:13:10:20 | source() | map.js:12:14:12:17 | item |
 | map.js:20:19:20:26 | source() | map.js:23:27:23:32 | result |
+| map.js:26:13:26:20 | source() | map.js:28:27:28:32 | result |
+| sortBy.js:10:22:10:29 | source() | sortBy.js:12:27:12:32 | result |
 | waterfall.js:8:30:8:37 | source() | waterfall.js:11:12:11:16 | taint |
 | waterfall.js:8:30:8:37 | source() | waterfall.js:20:10:20:14 | taint |
 | waterfall.js:28:18:28:25 | source() | waterfall.js:39:10:39:12 | err |