C#: Add default (reverse update) taint step from implicit operator calls to their arguments.

Author: michaelnebel

csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll

@@ -109,8 +109,25 @@ private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityCon
   }
 }
 
+private ControlFlow::Nodes::ExprNode getALastEvalNode(ControlFlow::Nodes::ExprNode cfn) {
+  exists(Expr e | any(LocalTaintExprStepConfiguration x).hasExprPath(_, result, e, cfn) |
+    e.(OperatorCall).getTarget() instanceof ImplicitConversionOperator // Should only be implicit operator calls.
+  )
+}
+
+private ControlFlow::Nodes::ExprNode getPostUpdateReverseStep(ControlFlow::Nodes::ExprNode e) {
+  result = getALastEvalNode(e)
+}
+
 private predicate localTaintStepCommon(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
   hasNodePath(any(LocalTaintExprStepConfiguration x), nodeFrom, nodeTo)
+  or
+  nodeTo.(PostUpdateNode).getPreUpdateNode().(DataFlow::ExprNode).getControlFlowNode() =
+    getPostUpdateReverseStep(nodeFrom
+          .(PostUpdateNode)
+          .getPreUpdateNode()
+          .(DataFlow::ExprNode)
+          .getControlFlowNode())
 }
 
 cached