js taint tracking libs - add `unescape` as taint propagator

[dsimk]

As far as I can tell unescape is not modeled as a string propagator in

codeql/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll

Line 447 in 795a2e1

private class StringManipulationTaintStep extends SharedTaintStep {

I am curious if this is intended and if so, what is the reason for this given that decodeURIComponent is modeled as taint preserving.
Thanks!

[hvitved]

Seems reasonable to also include unescape; @github/codeql-javascript what do you think?

[Napalys]

Thanks for the report. You’re right, the unescape was overlooked. I’ve addressed the issue in this PR: #19009.
The fix will be included in CodeQL 2.21.0, which is set to release in early April.

[dsimk]

Hi @Napalys, thanks for the update. In this case one could also consider adding escape.

[Napalys]

Hey @DSimsek000, I’ve added support for escape as well—thanks again! You can check it out in PR: #19027. It should be included in the same release as previously mentioned.