JS: Add type-tracking steps through callback args

Author: asgerf

javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll

@@ -156,6 +156,14 @@ private module Cached {
         succ = fun.getAnInvocation()
       )
     )
+    or
+    // Add 'return' steps from callback arguments to callback parameters
+    exists(DataFlow::ParameterNode cbParam, DataFlow::FunctionNode cbFun, int i |
+      callStep(cbFun, cbParam) and
+      pred = cbParam.getAnInvocation().getArgument(i) and
+      succ = cbFun.getParameter(i) and
+      summary = ReturnStep()
+    )
   }
 }
 

javascript/ql/test/library-tests/TypeTracking/PredicateStyle.expected

@@ -41,6 +41,7 @@ connection
 | type tracker without call steps | tst.js:114:1:114:28 | getX({  ... on() }) |
 | type tracker without call steps | tst.js:114:11:114:25 | getConnection() |
 | type tracker without call steps | tst.js:118:12:118:26 | getConnection() |
+| type tracker without call steps | tst.js:120:21:120:24 | conn |
 | type tracker without call steps | tst_conflict.js:6:38:6:77 | api.cha ... ction() |
 | type tracker without call steps with property MyApplication.namespace.connection | file://:0:0:0:0 | global access path |
 | type tracker without call steps with property conflict | tst.js:63:3:63:25 | MyAppli ... mespace |