From 1b35c0b7c99d8fe4e71ff8c69ae50ee1c8494529 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 28 Feb 2025 09:37:24 +0000
Subject: [PATCH] Data flow: Improve doc for defaultImplicitTaintRead.

---
 shared/dataflow/codeql/dataflow/TaintTracking.qll | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/shared/dataflow/codeql/dataflow/TaintTracking.qll b/shared/dataflow/codeql/dataflow/TaintTracking.qll
index b08f1e4af469..24aea44320e0 100644
--- a/shared/dataflow/codeql/dataflow/TaintTracking.qll
+++ b/shared/dataflow/codeql/dataflow/TaintTracking.qll
@@ -26,7 +26,11 @@ signature module InputSig<LocationSig Location, DF::InputSig<Location> Lang> {
 
   /**
    * Holds if taint flow configurations should allow implicit reads of `c` at sinks
-   * and inputs to additional taint steps.
+   * and inputs to additional taint steps defined in the flow `Config`.
+   *
+   * Note that this (deliberately) does not include at additional taint steps defined
+   * globally in `defaultAdditionalTaintStep`. These models are expected to be precise
+   * and therefore to not require implicit reads.
    */
   bindingset[node]
   predicate defaultImplicitTaintRead(Lang::Node node, Lang::ContentSet c);