github · GeekMasher · Jun 3, 2025 · asgerf · Jun 10, 2025 · asgerf
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for ClientRequest being part of the `client-response` threat model versus part of `response` threat model.
-* Added support for ClientRequest being part of the `client-response` threat model versus part of `response` threat model.
+* Responses from outgoing HTTP requests will now be included as taint sources when the `local` threat model is used.
-* Added support for ClientRequest being part of the `client-response` threat model versus part of `response` threat model.
+* Responses from outgoing HTTP requests will now be included as taint sources when the `local` threat model is used.
@@ -947,7 +947,7 @@ module ClientRequest {
   private class ClientRequestThreatModel extends ThreatModelSource::Range {
     ClientRequestThreatModel() { this = any(ClientRequest r).getAResponseDataNode() }
 
-    override string getThreatModel() { result = "response" }
+    override string getThreatModel() { result = "client-response" }
-    override string getThreatModel() { result = "client-response" }
+    override string getThreatModel() { result = ["response", "browser-response"] }
-    override string getThreatModel() { result = "client-response" }
+    override string getThreatModel() { result = ["response", "browser-response"] }
 
     override string getSourceType() { result = "HTTP response data" }
   }

diff --git a/shared/threat-models/change-notes/2025-06-03-client-response-threatmodel.md b/shared/threat-models/change-notes/2025-06-03-client-response-threatmodel.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Add support for `client-response` threat model.
diff --git a/shared/threat-models/ext/threat-model-grouping.model.yml b/shared/threat-models/ext/threat-model-grouping.model.yml
@@ -18,6 +18,8 @@ extensions:
       - ["stdin", "local"]
       - ["file", "local"]
       - ["windows-registry", "local"]
+      # Client-side threat models for request responses.
+      - ["client-response", "local"]
-      - ["client-response", "local"]
+      - ["browser-response", "local"]
-      - ["client-response", "local"]
+      - ["browser-response", "local"]
 
       # Android threat models
       - ["android-external-storage-dir", "android"]