JS: introduce Vue::InstanceHeapStep

javascript/ql/src/semmle/javascript/frameworks/Vue.qll

@@ -366,4 +366,26 @@ module Vue {
   class VueFile extends File {
     VueFile() { getExtension() = "vue" }
   }
+
+  /**
+   * A taint propagating data flow edge through a Vue instance property.
+   */
+  class InstanceHeapStep extends TaintTracking::AdditionalTaintStep {
+
+    DataFlow::Node src;
+
+    InstanceHeapStep() {
+      exists(Instance i, string name, DataFlow::FunctionNode bound |
+        bound.flowsTo(i.getABoundFunction()) and
+        not bound.getFunction() instanceof ArrowFunctionExpr and
+        bound.getReceiver().getAPropertyRead(name) = this and
+        src = i.getAPropertyValue(name)
+      )
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = src and succ = this
+    }
+  }
+
 }