PS: Add missing taint-flow and dataflow dispatch from models.

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowDispatch.qll

@@ -242,6 +242,12 @@ class AdditionalCallTarget extends Unit {
   abstract DataFlowCallable viableTarget(CfgNodes::ExprNodes::CallExprCfgNode call);
 }
 
+DataFlowCallable viableSourceCallable(DataFlowCall call) {
+  result.asCfgScope() = getTargetInstance(call.asCall())
+  or
+  result = any(AdditionalCallTarget t).viableTarget(call.asCall())
+}
+
 /** Holds if `call` may resolve to the returned summarized library method. */
 DataFlowCallable viableLibraryCallable(DataFlowCall call) {
   exists(LibraryCallable callable |
@@ -269,13 +275,13 @@ private module Cached {
   /** Gets a viable run-time target for the call `call`. */
   cached
   DataFlowCallable viableCallable(DataFlowCall call) {
-    result.asCfgScope() = getTargetInstance(call.asCall())
+    result = viableSourceCallable(call)
     or
-    result = any(AdditionalCallTarget t).viableTarget(call.asCall())
+    result = viableLibraryCallable(call)
   }
 
   cached
-  CfgScope getTarget(DataFlowCall call) { result = viableCallable(call).asCfgScope() }
+  CfgScope getTarget(DataFlowCall call) { result = viableSourceCallable(call).asCfgScope() }
 
   cached
   newtype TArgumentPosition =

powershell/ql/lib/semmle/code/powershell/dataflow/internal/TaintTrackingPrivate.qll

@@ -3,6 +3,7 @@ private import DataFlowPrivate
 private import TaintTrackingPublic
 private import semmle.code.powershell.Cfg
 private import semmle.code.powershell.dataflow.DataFlow
+private import FlowSummaryImpl as FlowSummaryImpl
 
 /**
  * Holds if `node` should be a sanitizer in all global taint flow configurations
@@ -58,6 +59,16 @@ private module Cached {
       )
     ) and
     model = ""
+    or
+    FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(),
+      nodeTo.(FlowSummaryNode).getSummaryNode(), false, model)
+  }
+
+  cached
+  predicate summaryThroughStepTaint(
+    DataFlow::Node arg, DataFlow::Node out, FlowSummaryImpl::Public::SummarizedCallable sc
+  ) {
+    FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(arg, out, sc)
   }
 
   /**
@@ -67,7 +78,10 @@ private module Cached {
   cached
   predicate localTaintStepCached(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     DataFlow::localFlowStep(nodeFrom, nodeTo) or
-    defaultAdditionalTaintStep(nodeFrom, nodeTo, _)
+    defaultAdditionalTaintStep(nodeFrom, nodeTo, _) or
+    // Simple flow through library code is included in the exposed local
+    // step relation, even though flow is technically inter-procedural
+    summaryThroughStepTaint(nodeFrom, nodeTo, _)
   }
 }