Thank you for the link)
I followed the instructions but my extension doesn’t work.
In my example below,model is tainted but taint is not propagated further towardssorting:

    [ApiController]    public class DataController : ControllerBase    {        [HttpPost("/dangerous-smth")]        public IActionResult DangerousSmth([FromBody] SomeModel model)        {            var sorting = model.Sort;                 return Ok($"Received sort value: {sorting}");        }    }}

TheSort property is defined this way:

namespace TaintFlowDemo.Controllers{    public class SomeModel    {        private string sort_;        public string Sort        {            get { return sort_; }            set { sort_ = value; }        }    }

Into theqlpacks/codeql/csharp-queries/1.1.0/.codeql/libraries/codeql/csharp-all/5.1.3/ext/Test.model.yml file, I added this:

extensions:  - addsTo:      pack: codeql/csharp-all      extensible: summaryModel    data:     - ["TaintFlowDemo.Controllers", "SomeModel", False, "get_Sort", "", "", "Argument[this]", "ReturnValue", "value", "manual"]    - ["TaintFlowDemo.Controllers", "SomeModel", False, "set_Sort", "", "", "Argument[this]", "ReturnValue", "value", "manual"]

I also tried to move elements in the tuples around, but nothing works.
Or maybe thisyml extension is not enough to fix the flow?
Can you tell me why this doesn't work, please?

@smowton Would you tell me if there is any debug mechanism for testing yml extensibles in codeql? Or are there tests for existing extensibles?
The documentation doesn't seem to cover all possible variants which can be passed into the tuple.

Some suggestions / comments.

• The model forset_Sort looks incorrect. Try["TaintFlowDemo.Controllers", "SomeModel", False, "set_Sort", "", "", "Argument[0]", "Argument[this]", "value", "manual"]. Maybe consider changing the model to "taint" instead of "value" as well. Please note that such models "taint" the entire object (and not only the backing field), when taint/value is propagated intoArgument[this].
• If you want to debug data flow and models, I recommend creating a "partial" flow variant of your query (then it is easier to identify where data-flow "gets stuck").
• If you want to test models in isolation it is possible to do so via CodeQL tests (add a YAML file with the extensionsext.yml next to the test as donehere.