JS: Manually prune data flow in prototype-pollution-utility

[asgerf]

Speeds up the prototype-pollution-utility query by pruning sinks much more aggressively.

To recap: a dynamic write base[key] = rhs potentially gives rise to three sinks (base, key, rhs). We must find a path to all three sinks for this write to be flagged. However, if one of the sinks is obviously not reachable from a source (e.g. it's a constant), the analysis will still try to find paths to the other sinks, even though they can never lead to an alert.

This PR prunes out dynamic writes by doing a bit of preliminary data flow. In particular, we check that

• key might come from a property enumeration and
• base might refer to Object.prototype, which requires flow from a dynamic property read whose key comes from a property enumeration.

In this pruning flow, we deliberately do not track flow out of returns because this simply doesn't happen in the cases we're looking for (but we do summarize functions).

Evaluation shows a moderate improvement and we even lose the pesky FP in jQuery.

[asgerf]

Looking at this again I realise I made the query depend on an internal API (argumentPassing). We should find a nice way to expose that.

[asgerf]

I've exposed the previously-internal argumentPassing as DataFlow::argumentPassingStep. It embodies a fairly general concept, so it seems innocent enough. (ping @max-schaefer)

I opted to keep it as a predicate without a receiver or return type as this minimises the chance for breaking changes later. In particular, the type of the invocation node may be loosened when adding flow from property writes into setters.

[esbena]

That is a nice surgical improvement.
All of my comments are requests for additional explanation-comments for the changes.