PS: Make remote flow sources flow sources.

MathiasVP · MathiasVP · commit dcc127832ea6 · 2025-04-15T22:43:18.000+01:00
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Remote.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Remote.qll
@@ -6,16 +6,18 @@
 private import semmle.code.powershell.dataflow.internal.DataFlowPublic as DataFlow
 // Need to import since frameworks can extend `RemoteFlowSource::Range`
 private import semmle.code.powershell.Frameworks
+private import semmle.code.powershell.dataflow.flowsources.FlowSources
 
 /**
  * A data flow source of remote user input.
  *
  * Extend this class to refine existing API models. If you want to model new APIs,
  * extend `RemoteFlowSource::Range` instead.
  */
-class RemoteFlowSource extends DataFlow::Node instanceof RemoteFlowSource::Range {
-  /** Gets a string that describes the type of this remote flow source. */
-  string getSourceType() { result = super.getSourceType() }
+class RemoteFlowSource extends SourceNode instanceof RemoteFlowSource::Range {
+  override string getSourceType() { result = "remote flow source" }
+
+  override string getThreatModel() { result = "remote" }
 }
 
 /** Provides a class for modeling new sources of remote user input. */
@@ -31,3 +33,9 @@ module RemoteFlowSource {
     abstract string getSourceType();
   }
 }
+
+private class ExternalRemoteFlowSource extends RemoteFlowSource::Range {
+  ExternalRemoteFlowSource() { this = ModelOutput::getASourceNode("remote", _).asSource() }
+
+  override string getSourceType() { result = "remote flow" }
+}
