[JAVA] What is the ThreatModelFlowSource?

[jiezhuzzz]

I'm using CodeQL to do dataflow analysis now, and I'm curious about the TreatModelFlowSource. It seems like that is the base class of all possible dataflow sources, but I cannot find any information about it. I would like to know where can I get some information about how CodeQL define a dataflow source. And if I write the following query:

 module MyFlowConfiguration implements DataFlow::ConfigSig {
     predicate isSource(DataFlow::Node source) {
     source instanceof ThreatModelFlowSource
     }
 
     predicate isSink(DataFlow::Node sink) {
     any()
     }
 }

Is it possible to enumerate all data flows?

[michaelnebel]

Yes, ThreatModelFlowSource is a configurable set of sources used by most security queries. The default set of sources for ThreatModelFlowSource are remote flow sources. However, it is also possible to specify, if you want to include for instance local flow sources.
Documentation

• https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/#threat-models-java
• https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data

[jiezhuzzz]

Hi Michael, thanks for your answer. I still don't know how CodeQL identifies all these sources. Is it by describing the behavior (qualifier names, method call) like other queries? And by selecting the ThreatModelFlowSource as a source in my taint analysis, is it possible to get all dataflow in my program? Thank you so much!

[michaelnebel]

The sources in ThreatModelFlowSource is defined as a combination of Models as Data and QL. Sources are "often" return values of a method (API) call.
An example:
In java.net.model.yml the following source model is defined:

["java.net", "Socket", False, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]

This means that the return value of calling the method getInputStream (defined in the class Socket in the package java.net) is considered a remote source of input (which is included in the default threat model). Models as Data is documented here: https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/

The dataflow library works by finding paths from sources to sinks. That is, the dataflow library only indentifies flow from the source and sink nodes defined in the configuration.

In the provided example code, you probably need to narrow the possible sink nodes and the data flow configuration in itself is not sufficient (the configuration needs to be used to instantiate either a dataflow or taint tracking module - maybe find inspiration in one of the existing security related queries)

[jiezhuzzz]

Got it. Thank you so much!