@@ -323,6 +323,8 @@ private import ArrayLibraries
323323 * Classes and predicates modelling various libraries that work on arrays or array-like structures.
324324 */
325325private module ArrayLibraries {
326+ private import DataFlow:: PseudoProperties
327+
326328 /**
327329 * Gets a call to `Array.from` or a polyfill implementing the same functionality.
328330 */
@@ -353,4 +355,38 @@ private module ArrayLibraries {
353355 )
354356 }
355357 }
358+
359+ /**
360+ * A call to a library that copies the elements of an array into another array.
361+ * E.g. `array-union` that creates a union of multiple arrays, or `array-uniq` that creates an array with unique elements.
362+ */
363+ DataFlow:: CallNode arrayCopyCall ( DataFlow:: Node array ) {
364+ result = API:: moduleImport ( [ "array-union" , "array-uniq" , "uniq" ] ) .getACall ( ) and
365+ array = result .getAnArgument ( )
366+ }
367+
368+ /**
369+ * A taint step for a library that copies the elements of an array into another array.
370+ */
371+ private class ArrayCopyTaint extends TaintTracking:: SharedTaintStep {
372+ override predicate step ( DataFlow:: Node pred , DataFlow:: Node succ ) {
373+ exists ( DataFlow:: CallNode call |
374+ call = arrayCopyCall ( pred ) and
375+ succ = call
376+ )
377+ }
378+ }
379+
380+ /**
381+ * A loadStoreStep for a library that copies the elements of an array into another array.
382+ */
383+ private class ArrayCopyLoadStore extends DataFlow:: SharedFlowStep {
384+ override predicate loadStoreStep ( DataFlow:: Node pred , DataFlow:: Node succ , string prop ) {
385+ exists ( DataFlow:: CallNode call |
386+ call = arrayCopyCall ( pred ) and
387+ succ = call and
388+ prop = arrayElement ( )
389+ )
390+ }
391+ }
356392}
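Review bot: `arrayCopyCall` binds `array` to every argument of the call via `getAnArgument()` (line 365), so a tainted non-array argument also taints the result through `ArrayCopyTaint`, and `ArrayCopyLoadStore` then claims its elements flow into the result's elements; for the `uniq` package, whose signature I recall as `uniq(array, compare, sorted)` (please confirm), that means a tainted comparator or flag produces a spurious step. If only the array inputs are intended, restrict the single-array packages and keep the variadic one: `result = API::moduleImport(["array-uniq", "uniq"]).getACall() and array = result.getArgument(0)` `or` `result = API::moduleImport("array-union").getACall() and array = result.getAnArgument()`. Whichever is chosen, the QLDoc on `arrayCopyCall` should say which argument `array` ranges over, e.g. `* `array` is any argument of the call (every argument is assumed to be an input array).`. As a point of style, `arrayCopyCall` is the only new member not marked `private`, unlike the two step classes beside it; mark it `private` unless it is meant to be used outside `ArrayLibraries`. The enclosing `ArrayLibraries` module begins above this hunk.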