JS: Summarize functions in type tracking

javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll

@@ -107,6 +107,20 @@ module StepSummary {
       pred = DataFlow::globalAccessPathRootPseudoNode() and
       summary = LoadStep(name)
     )
+    or
+    // Summarize calls with flow directly from a parameter to a return.
+    exists(DataFlow::ParameterNode param, DataFlow::FunctionNode fun |
+      param.flowsTo(fun.getAReturn()) and
+      summary = LevelStep() and
+      if param = fun.getAParameter() then (
+        // Step from argument to call site.
+        argumentPassing(succ, pred, fun.getFunction(), param)
+      ) else (
+        // Step from captured parameter to local call sites
+        pred = param and
+        succ = fun.getAnInvocation()
+      )
+    )
   }
 }