C#: Add CaptureSourceModel query.

csharp/ql/src/utils/model-generator/CaptureSourceModels.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Capture source models.
+ * @description Finds APIs that act as sources as they expose already known sources.
+ * @id csharp/utils/model-generator/sink-models
+ */
+
+private import ModelGeneratorUtils
+private import CaptureSourceModels
+
+from TargetApi api, string sink
+where sink = captureSource(api)
+select sink order by sink

csharp/ql/src/utils/model-generator/CaptureSourceModels.qll

@@ -0,0 +1,32 @@
+private import CaptureSourceModelsSpecific
+private import ModelGeneratorUtils
+
+class FromSourceConfiguration extends TaintTracking::Configuration {
+  FromSourceConfiguration() { this = "FromSourceConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { sourceNode(source, _) }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(TargetApi c |
+      sink instanceof ReturnNodeExt and
+      sink.getEnclosingCallable() = c
+    )
+  }
+
+  override DataFlow::FlowFeature getAFeature() {
+    result instanceof DataFlow::FeatureHasSinkCallContext
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    isRelevantTaintStep(node1, node2)
+  }
+}
+
+string captureSource(TargetApi api) {
+  exists(DataFlow::Node source, DataFlow::Node sink, FromSourceConfiguration config, string kind |
+    config.hasFlow(source, sink) and
+    sourceNode(source, kind) and
+    api = sink.getEnclosingCallable() and
+    result = asSourceModel(api, returnNodeAsOutput(sink), kind)
+  )
+}

csharp/ql/src/utils/model-generator/CaptureSourceModelsSpecific.qll

@@ -0,0 +1,4 @@
+import csharp
+import semmle.code.csharp.dataflow.TaintTracking
+import semmle.code.csharp.dataflow.ExternalFlow
+import semmle.code.csharp.dataflow.internal.DataFlowImplCommon