JS: Fix the spurious flow

Author: asgerf

javascript/ql/lib/semmle/javascript/frameworks/SQL.qll

@@ -221,7 +221,10 @@ private module Postgres {
 
     /** Gets a value that is plugged into a raw placeholder variable, making it a sink for SQL injection. */
     private DataFlow::Node getARawValue() {
-      result = this.getValues() and this.getARawParameterName() = "1" // Special case: if the argument is not an array or object, it's just plugged into $1
+      result = this.getValues() and
+      this.getARawParameterName() = "1" and // Special case: if the argument is not an array or object, it's just plugged into $1
+      not result instanceof DataFlow::ArrayCreationNode and
+      not result instanceof DataFlow::ObjectLiteralNode
       or
       exists(DataFlow::SourceNode values | values = this.getValues().getALocalSource() |
         result = values.getAPropertyWrite(this.getARawParameterName()).getRhs()

javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js

@@ -39,7 +39,7 @@ require('express')().get('/foo', (req, res) => {
       req.params.id, // $ Alert
       req.params.name, // $ Alert
       req.params.foo, // OK - not using raw interpolation
-    ] // $ SPURIOUS: Alert - implicit reads causes flow here in addition to the individual array elements
+    ]
   });
   db.one({
     text: 'SELECT * FROM news where id = ${id}:raw AND name = ${name}',