JS: model property projection calls

[ghost]

This PR adds a taint step for property reads done through calls that projects selected properties of an object.

The property projections that have been modeled have slightly different features. So I have adopted @asger-semmle's extensible architecture proposal immediately. We may want to discuss how we generally document the intended usage of the architecture, I have simply added an explanation to the module docstring for now.

This PR only makes use of the object-argument in the models.

For the record, the libraries support various features for the selector-argument:

• access path strings like 'a.b[42].c'
• access path arrays like ['a', 'b', 42, 'c']
• search strings like 'a.\*.c'
• property predicate functions

We can consider implementing support for these once our general heap treatment is better.

An evaluation with the security suite on big-apps.slugs flags nothing new, and it does not have a significant performance impact (internal link).

[xiemaisi]

Indentation.

[xiemaisi]

Here and below: these comments could do with examples of what is being modelled.

[xiemaisi]

This is particularly arcane; please explain more carefully and add an example.

[ghost]

Comments addressed.

[ghost]

Squashed the fixups.

[xiemaisi]

LGTM

[xiemaisi]

The tests actually seem to have succeeded, but the status didn't propagate (@pavel). Merging.

[xiemaisi]

@esben-semmle, this PR seems to have been left behind when creating https://github.com/Semmle/ql/tree/rc/1.18. Could you open a PR to cherry-pick the commits across? Same for #115.

[pavel]

@xiemaisi Thanks for notifying me, but it does not seem that I'm involved in this project in any way.

https://blog.github.com/2011-03-23-mention-somebody-they-re-notified/

[xiemaisi]

Oops, sorry, wrong Pavel... (It's a great project, though! 😄)