[vulnerability][acl] ACL is skipped for tag function of template literals

[t2ym]

[vulnerability][acl] ACL is skipped for tag function of template literals

Root Cause

• Described in the issue title

Reproducible Code

tag`\template ${param} string`; // calls to tag is not hooked

Fix

• Transform tagged template literals into hooked function calls

__hook__(tag, null, 
  [((s,r)=>{s.raw=r; return s})(['\template ', ' string'], ['\\template ', ' string']), param], 
  __context__[0], 0);

• The 1st argument is an array of "cooked" template strings with "raw" property for "raw" template strings to support String.raw tag function

String.raw`C:\raw\path\to\file.js` === 'C:\\raw\\path\\to\\file.js'

• In a with clause, transform with hooked call to with-scoped variable

__hook__('w()', __with__, ['tag', 
  [((s,r)=>{s.raw=r; return s})(['\template ', ' string'], ['\\template ', ' string']),
    param], 
    (...args) => tag(...args), tag],
  __context__[0]);