use StringSplitCall in TaintedPath

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll

@@ -97,23 +97,17 @@ module TaintedPath {
         )
       )
       or
+      // A `str.split()` call can either split into path elements (`str.split("/")`) or split by some other string.
+      exists(StringSplitCall mcn | dst = mcn and mcn.getUnsplit() = src |
+        if mcn.getSplitAt() = "/"
+        then
+          srclabel.(Label::PosixPath).canContainDotDotSlash() and
+          dstlabel instanceof Label::SplitPath
+        else srclabel = dstlabel
+      )
+      or
       // array method calls of interest
       exists(DataFlow::MethodCallNode mcn, string name | dst = mcn and mcn.calls(src, name) |
-        // A `str.split()` call can either split into path elements (`str.split("/")`) or split by some other string.
-        name = "split" and
-        (
-          if
-            exists(DataFlow::Node splitBy | splitBy = mcn.getArgument(0) |
-              splitBy.mayHaveStringValue("/") or
-              any(DataFlow::RegExpCreationNode reg | reg.getRoot().getAMatchedString() = "/")
-                  .flowsTo(splitBy)
-            )
-          then
-            srclabel.(Label::PosixPath).canContainDotDotSlash() and
-            dstlabel instanceof Label::SplitPath
-          else srclabel = dstlabel
-        )
-        or
         (
           name = "pop" or
           name = "shift"