JS: Fix one case of missing handling of unknown array index

Author: asgerf

javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll

@@ -1173,7 +1173,11 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
     then
       c = ContentSet::arrayElement() and // unknown start index when not the first spread operator
       storeContent.isUnknownArrayElement()
-    else storeContent.asArrayIndex() = n + c.asArrayIndex()
+    else (
+      storeContent.asArrayIndex() = n + c.asArrayIndex()
+      or
+      storeContent.isUnknownArrayElement() and c.asSingleton() = storeContent
+    )
   )
   or
   exists(FlowSummaryNode parameter, ParameterPosition pos |

javascript/ql/test/library-tests/TripleDot/tst.js

@@ -153,10 +153,10 @@ function t14() {
 
 function t15() {
     function target(safe, x, y, ...rest) {
-        sink(safe); // $ SPURIOUS: hasTaintFlow=t15.1
-        sink(x); // $ MISSING: hasValueFlow=t15.1 SPURIOUS: hasTaintFlow=t15.1
-        sink(y); // $ MISSING: hasValueFlow=t15.1 SPURIOUS: hasTaintFlow=t15.1
-        sink(rest.pop()); // $ MISSING: hasValueFlow=t15.1 SPURIOUS: hasTaintFlow=t15.1
+        sink(safe); // $ SPURIOUS: hasValueFlow=t15.1
+        sink(x); // $ hasValueFlow=t15.1
+        sink(y); // $ hasValueFlow=t15.1
+        sink(rest.pop()); // $ hasValueFlow=t15.1
         sink(rest); // $ hasTaintFlow=t15.1
     }
     const args = new Array(Math.floor(Math.random() * 10));