I'm trying to make a CodeQL query for the JMX/JNDI injection reported by GitHub Security Lab here: https://securitylab.github.com/advisories/GHSL-2023-229_GHSL-2023-230_kafka-ui/
I have a working query, but I don't understand what the "default" additional flow steps are.
Without isAdditionalFlowStep the query does not find any results, so I added one for the getCluster method (clusterName is tainted):
At the end of the path there is this method sequence where jmxUrl is tainted:
The vulnerability lies in the connect method where the connector is tainted. But why is there a flow from jmxUrl -> JMXServiceURL constructor call -> newJMXConnector method call -> connector?
I've also included this qll file that defines additional taint steps, but from my understanding this is not responsible for the previous flow: https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/blob/main/java/lib/ResearchMode.qll
So my question is: why is the taint not propagated in getCluster but propagated in JMXServiceURL and newJMXConnector? The only difference I see is that JMXServiceURL and newJMXConnector are defined in the JDK and getCluster is defined in my application.
The CodeQL libraries contain models for many classes and methods from common libraries and frameworks, including things like newJMXConnector. See: https://github.com/search?q=repo%3Agithub%2Fcodeql%20%2FnewJMXConnector%2F&type=code
I would have expected CodeQL to track flow through methods defined in your application. However, flow may not be found in case of intermediate steps through external methods and classes that have not been modelled. Another reason could be that your code contains a pattern that is not handled properly by the CodeQL analyzer.
🎉 1
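To make the distinction in the question and the answer concrete, here is an added example query (not code from the thread or from the kafka-ui project) that declares the single extra step the asker needed for the application-defined getCluster method, while relying on CodeQL's built-in models for the JDK calls (JMXServiceURL, newJMXConnector) and flagging the tainted connector at the connect call. It assumes a recent CodeQL Java library (the ConfigSig API; on older releases MethodCall is spelled MethodAccess) and that getCluster is any method of that name in the analysed code base.

```ql
/**
 * @name JMX connector built from untrusted cluster data (added example)
 * @description Tracks remote input through getCluster to a JMXConnector.connect() call.
 * @kind path-problem
 * @problem.severity warning
 * @id java/example/jmx-tainted-connector
 */

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources

module JmxTaintConfig implements DataFlow::ConfigSig {
  // Any remotely controlled value (HTTP parameters, request bodies, ...) is a source.
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // The sink is the receiver of JMXConnector.connect(): a connector whose
  // service URL was derived from tainted data reaches the remote endpoint.
  predicate isSink(DataFlow::Node sink) {
    exists(MethodCall mc |
      mc.getMethod().hasQualifiedName("javax.management.remote", "JMXConnector", "connect") and
      sink.asExpr() = mc.getQualifier()
    )
  }

  // The one application-specific step: a tainted argument to getCluster
  // (the cluster name) taints the value getCluster returns. The JDK steps
  // (JMXServiceURL constructor, JMXConnectorFactory.newJMXConnector) are
  // already covered by the library's built-in taint models, so they need
  // no entry here.
  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(MethodCall mc |
      mc.getMethod().hasName("getCluster") and
      pred.asExpr() = mc.getAnArgument() and
      succ.asExpr() = mc
    )
  }
}

module JmxTaintFlow = TaintTracking::Global<JmxTaintConfig>;

import JmxTaintFlow::PathGraph

from JmxTaintFlow::PathNode source, JmxTaintFlow::PathNode sink
where JmxTaintFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "JMX connector is built from untrusted cluster data received at $@.",
  source.getNode(), "this source"
```

Removing the isAdditionalFlowStep predicate reproduces the asker's observation: the path breaks at getCluster while the JDK portion of the path still propagates, because only the latter has library models.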
-
Alright, thank you very much for this answer!