From aeda2d68f86c6828e4c217003dfd4add4bdcbb6d Mon Sep 17 00:00:00 2001
From: Max Schaefer
Date: Mon, 2 Dec 2019 09:41:49 +0000
Subject: [PATCH] JavaScript: Introduce `localTaintStep` predicate.

It's sometimes useful for exploratory queries, and the other languages have it as well.
---
 javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll | 2 ++
 .../ql/src/semmle/javascript/dataflow/TaintTracking.qll | 8 ++++++++
 2 files changed, 10 insertions(+)
diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
index 74bcc428393..8b5aa371ee5 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -1573,4 +1573,6 @@ module DataFlow {
 import Configuration
 import TrackedNodes
 import TypeTracking
+
+ predicate localTaintStep = TaintTracking::localTaintStep/2;
 }
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
index c4106ffa17f..f7fed0263f9 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -885,4 +885,12 @@ module TaintTracking {
 override predicate appliesTo(Configuration cfg) { any() }
 }
+
+ /**
+ * Holds if taint propagates from `pred` to `succ` in one local (intra-procedural) step.
+ */
+ predicate localTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+ DataFlow::localFlowStep(pred, succ) or
+ any(AdditionalTaintStep s).step(pred, succ)
+ }
 }
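Review bot: The alias added at the end of `module DataFlow` in DataFlow.qll has no QLDoc, and it puts a taint step under the `DataFlow::` prefix next to `DataFlow::localFlowStep`, which the other hunk uses as the plain data-flow step. A query author who reads `DataFlow::localTaintStep` could take it to be value-preserving, which matters when the result is used to argue that a value reaches a sink unchanged. I would add a comment above the alias, for example `/** Alias for TaintTracking::localTaintStep; unlike localFlowStep, this includes steps that do not preserve the value. */`. The module body starts outside the hunk.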
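Review bot: The QLDoc on `localTaintStep` in TaintTracking.qll promises a local (intra-procedural) step, but the second disjunct, `any(AdditionalTaintStep s).step(pred, succ)`, accepts every contributed step without checking that `pred` and `succ` belong to the same function. The claim therefore holds only if every `AdditionalTaintStep` subclass is itself local, which this hunk cannot show. The predicate also takes no configuration, so sanitizers and barrier guards are presumably not applied; exploratory results built on it over-approximate what a real taint-tracking configuration reports and should not be read as confirmed flows. I would state both in the doc comment, for example `* Note: additional taint steps are not restricted to a single function, and no sanitizers are taken into account.` The enclosing module starts outside the hunk.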