Go: Add the SourceNode and ThreatModelFlowSource classes

Author: egregius313

go/ql/lib/semmle/go/security/FlowSources.qll

@@ -4,6 +4,7 @@
 
 import go
 private import semmle.go.dataflow.ExternalFlow as ExternalFlow
+private import codeql.threatmodels.ThreatModels
 
 /**
  * DEPRECATED: Use `RemoteFlowSource` instead.
@@ -31,12 +32,43 @@ module RemoteFlowSource {
    * Extend this class to model new APIs. If you want to refine existing API models,
    * extend `RemoteFlowSource` instead.
    */
-  abstract class Range extends DataFlow::Node { }
+  abstract class Range extends SourceNode {
+    override string getThreatModel() { result = "remote" }
+  }
 
   /**
    * A source of data that is controlled by an untrusted user.
    */
   class MaDRemoteSource extends Range {
     MaDRemoteSource() { ExternalFlow::sourceNode(this, "remote") }
+
+    override string getSourceType() { result = "external" }
+  }
+}
+
+/**
+ * A data flow source.
+ */
+abstract class SourceNode extends DataFlow::Node {
+  /**
+   * Gets a string that represents the source kind with respect to threat modeling.
+   */
+  abstract string getThreatModel();
+
+  /** Gets a string that describes the type of this flow source. */
+  abstract string getSourceType();
+}
+
+/**
+ * A class of data flow sources that respects the
+ * current threat model configuration.
+ */
+class ThreatModelFlowSource extends DataFlow::Node {
+  ThreatModelFlowSource() {
+    exists(string kind |
+      // Specific threat model.
+      currentThreatModel(kind) and
+      (this.(SourceNode).getThreatModel() = kind or ExternalFlow::sourceNode(this, kind))
+    )
   }
 }