What are the "default" additional flow step for queries ?

[hugo-syn]

I'm trying to make a CodeQL query for the JMX/JNDI injection reported by GitHub security lab here: https://securitylab.github.com/advisories/GHSL-2023-229_GHSL-2023-230_kafka-ui/

I have a working query but I don't understand what are the "default" additional flow step.

Without isAdditionalFlowStep the query does not find any result, so I added one for the getCluster method (clusterName is tainted):

At the end of the path there is this method sequence where jmxUrl is tainted :

The vulnerability lies in the connect method where the connector is tainted. But why is there a flow from jmxUrl -> JMXServiceURL constructor call -> newJMXConnector method call -> connector ?

I've also included this qll file that define additional taint steps but from my understanding this is not responsible for the previous flow: https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/blob/main/java/lib/ResearchMode.qll

So my question is why the taint is not propagated in getCluster but propagated in JMXServiceURL and newJMXConnector ? The only difference I see is that JMXServiceURL and newJMXConnector are defined in the JDK and getCluster is defined in my application.

[aibaars]

The CodeQL libraries contain models for many classes and methods from common libraries and frameworks, including things like newJMXConnector. See: https://github.com/search?q=repo%3Agithub%2Fcodeql%20%2FnewJMXConnector%2F&type=code

I would have expected CodeQL to track flow through methods defined in your application. However, flow may not be found in case of intermediate steps through external methods and classes that have not been modelled. Another reason could be that your code contains a pattern that is not handled properly by the CodeQL analyzer.

[hugo-syn]

Alright thank you very much for this answer !