Move rest-pattern inside property-pattern step to a taint-step

Author: erik-krogh

javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll

@@ -318,7 +318,7 @@ module DataFlow {
   /**
    * A node in the data flow graph which corresponds to a `@property`.
    */
-  private class PropNode extends Node, TPropNode {
+  class PropNode extends Node, TPropNode {
     @property prop;
 
     PropNode() { this = TPropNode(prop) }
@@ -1347,11 +1347,6 @@ module DataFlow {
       succ = lvalueNode(pattern.getValuePattern())
     )
     or
-    exists(PropertyPattern pattern | 
-      pred = TPropNode(pattern) and
-      succ = lvalueNode(pattern.getValuePattern().(ObjectPattern).getRest())
-    )
-    or
     exists(Expr element |
       pred = TElementPatternNode(_, element) and
       succ = lvalueNode(element)

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

@@ -267,6 +267,12 @@ module TaintTracking {
       pred = DataFlow::valueNode(fos.getIterationDomain()) and
       succ = DataFlow::lvalueNode(fos.getLValue())
     )
+    or
+    // rest-pattern inside a propety pattern. E.g. from `foo:..` to `args` in `const {foo: {...args}} = something()`.
+    exists(PropertyPattern pattern |
+      pred.(DataFlow::PropNode).getAstNode() = pattern and
+      succ = DataFlow::lvalueNode(pattern.getValuePattern().(ObjectPattern).getRest())
+    )
   }
 
   /**