Swift: Support local MaD steps in both dataflow and taintflow.

Author: MathiasVP

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -147,6 +147,8 @@ private module Cached {
     or
     // flow through `!`
     nodeFrom.asExpr() = nodeTo.asExpr().(ForceValueExpr).getSubExpr()
+    or
+    FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo, true)
   }
 
   /**
@@ -160,7 +162,10 @@ private module Cached {
 
   /** This is the local flow predicate that is exposed. */
   cached
-  predicate localFlowStepImpl(Node nodeFrom, Node nodeTo) { localFlowStepCommon(nodeFrom, nodeTo) }
+  predicate localFlowStepImpl(Node nodeFrom, Node nodeTo) {
+    localFlowStepCommon(nodeFrom, nodeTo) or
+    FlowSummaryImpl::Private::Steps::summaryThroughStepValue(nodeFrom, nodeTo, _)
+  }
 
   cached
   newtype TContentSet = TSingletonContent(Content c)
@@ -489,6 +494,8 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
     node2.(PostUpdateNode).getPreUpdateNode().asExpr() = ref.getBase() and
     c.isSingleton(any(Content::FieldContent ct | ct.getField() = ref.getMember()))
   )
+  or
+  FlowSummaryImpl::Private::Steps::summaryStoreStep(node1, c, node2)
 }
 
 predicate isLValue(Expr e) { any(AssignExpr assign).getDest() = e }

swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll

@@ -4,6 +4,7 @@ private import TaintTrackingPublic
 private import codeql.swift.dataflow.DataFlow
 private import codeql.swift.dataflow.Ssa
 private import codeql.swift.controlflow.CfgNodes
+private import FlowSummaryImpl as FlowSummaryImpl
 
 /**
  * Holds if `node` should be a sanitizer in all global taint flow configurations
@@ -57,6 +58,8 @@ private module Cached {
       nodeFrom.asExpr() = call.getAnArgument().getExpr() and
       nodeTo.asExpr() = call
     )
+    or
+    FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo, false)
   }
 
   /**