github
diff --git a/‎javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
Copy file name to clipboardExpand all lines: javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
+1-1Lines changed: 1 addition & 1 deletion b/‎javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
Copy file name to clipboardExpand all lines: javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
+1-1Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
Copy file name to clipboardExpand all lines: javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+3-1Lines changed: 3 additions & 1 deletion b/‎javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
Copy file name to clipboardExpand all lines: javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+3-1Lines changed: 3 additions & 1 deletion
diff --git a/‎javascript/ql/test/library-tests/TaintTracking/use-use-after-implicit-read.js
Copy file name to clipboardExpand all lines: javascript/ql/test/library-tests/TaintTracking/use-use-after-implicit-read.js
+2-2Lines changed: 2 additions & 2 deletions b/‎javascript/ql/test/library-tests/TaintTracking/use-use-after-implicit-read.js
Copy file name to clipboardExpand all lines: javascript/ql/test/library-tests/TaintTracking/use-use-after-implicit-read.js
+2-2Lines changed: 2 additions & 2 deletions
@@ -61,5 +61,5 @@ predicate defaultTaintSanitizer(DataFlow::Node node) {
 bindingset[node]
 predicate defaultImplicitTaintRead(DataFlow::Node node, ContentSet c) {
   exists(node) and
-  c = ContentSet::promiseValue()
+  c = [ContentSet::promiseValue(), ContentSet::arrayElement()]
 }
@@ -32,8 +32,8 @@ legacyDataFlowDifference
 | object-bypass-sanitizer.js:35:29:35:36 | source() | object-bypass-sanitizer.js:28:10:28:30 | sanitiz ... bj).foo | only flow with OLD data flow library |
 | promise.js:12:20:12:27 | source() | promise.js:13:8:13:23 | resolver.promise | only flow with OLD data flow library |
 | sanitizer-guards.js:57:11:57:18 | source() | sanitizer-guards.js:64:8:64:8 | x | only flow with NEW data flow library |
-| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:8:10:8:17 | captured | only flow with OLD data flow library |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x | only flow with NEW data flow library |
+| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:16:10:16:10 | y | only flow with NEW data flow library |
 consistencyIssue
 | library-tests/TaintTracking/nested-props.js:20 | expected an alert, but found none | NOT OK - but not found | Consistency |
 | library-tests/TaintTracking/stringification-read-steps.js:17 | expected an alert, but found none | NOT OK | Consistency |
@@ -291,7 +291,9 @@ flow
 | tst.js:2:13:2:20 | source() | tst.js:48:10:48:22 | new Buffer(x) |
 | tst.js:2:13:2:20 | source() | tst.js:51:10:51:31 | seriali ... ript(x) |
 | tst.js:2:13:2:20 | source() | tst.js:54:14:54:19 | unsafe |
+| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:8:10:8:17 | captured |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x |
+| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:16:10:16:10 | y |
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |
 | xml.js:12:17:12:24 | source() | xml.js:13:14:13:19 | result |
 | xml.js:23:18:23:25 | source() | xml.js:20:14:20:17 | attr |
 
@@ -5,13 +5,13 @@ function f(x) {
     function inner() { captured; captured = "sdf"; }
 
     captured = [source(), "safe", x];
-    sink(captured); // NOT OK [INCONSISTENCY] - no implicit read of ArrayElement
+    sink(captured); // NOT OK - implicit read of ArrayElement
     g.apply(undefined, captured); // with use-use flow the output of an implicit read might flow here
 
     return captured;
 }
 
 function g(x, y) {
     sink(x); // NOT OK
-    sink(y); // OK
+    sink(y); // OK [INCONSISTENCY] - implicit read confuses array index
 }
Original file line number	Diff line number	Diff line change
`@@ -61,5 +61,5 @@ predicate defaultTaintSanitizer(DataFlow::Node node) {`
`61`	`61`	`bindingset[node]`
`62`	`62`	`predicate defaultImplicitTaintRead(DataFlow::Node node, ContentSet c) {`
`63`	`63`	`exists(node) and`
`64`		`- c = ContentSet::promiseValue()`
	`64`	`+ c = [ContentSet::promiseValue(), ContentSet::arrayElement()]`
`65`	`65`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,13 +5,13 @@ function f(x) {`
`5`	`5`	`function inner() { captured; captured = "sdf"; }`
`6`	`6`
`7`	`7`	`captured = [source(), "safe", x];`
`8`		`- sink(captured); // NOT OK [INCONSISTENCY] - no implicit read of ArrayElement`
	`8`	`+ sink(captured); // NOT OK - implicit read of ArrayElement`
`9`	`9`	`g.apply(undefined, captured); // with use-use flow the output of an implicit read might flow here`
`10`	`10`
`11`	`11`	`return captured;`
`12`	`12`	`}`
`13`	`13`
`14`	`14`	`function g(x, y) {`
`15`	`15`	`sink(x); // NOT OK`
`16`		`- sink(y); // OK`
	`16`	`+ sink(y); // OK [INCONSISTENCY] - implicit read confuses array index`
`17`	`17`	`}`