JS: add a taint step for property projection

javascript/ql/src/semmle/javascript/frameworks/PropertyProjection.qll

@@ -134,4 +134,22 @@ private class SimplePropertyProjection extends CustomPropertyProjection {
 
   override predicate isSingletonProjection() { singleton = true }
 
+}
+
+/**
+ * A taint step for a property projection.
+ */
+private class PropertyProjectionTaintStep extends TaintTracking::AdditionalTaintStep {
+
+  PropertyProjection projection;
+
+  PropertyProjectionTaintStep() {
+    projection = this
+  }
+
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    // reading from a tainted object yields a tainted result
+    this = succ and
+    pred = projection.getObject()
+  }
 }