Merge pull request #7082 from bmuskalla/filterOutputStream

Java: Model taint for `FilterOutputStream`

Author: Benjamin Muskalla

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -373,7 +373,11 @@ private predicate summaryModelCsv(string row) {
       "java.io;StringReader;false;StringReader;;;Argument[0];Argument[-1];taint",
       "java.io;CharArrayReader;false;CharArrayReader;;;Argument[0];Argument[-1];taint",
       "java.io;BufferedReader;false;BufferedReader;;;Argument[0];Argument[-1];taint",
-      "java.io;InputStreamReader;false;InputStreamReader;;;Argument[0];Argument[-1];taint"
+      "java.io;InputStreamReader;false;InputStreamReader;;;Argument[0];Argument[-1];taint",
+      "java.io;OutputStream;true;write;(byte[]);;Argument[0];Argument[-1];taint",
+      "java.io;OutputStream;true;write;(byte[],int,int);;Argument[0];Argument[-1];taint",
+      "java.io;OutputStream;true;write;(int);;Argument[0];Argument[-1];taint",
+      "java.io;FilterOutputStream;true;FilterOutputStream;(OutputStream);;Argument[0];Argument[-1];taint"
     ]
 }
 

java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -376,13 +376,6 @@ private predicate argToQualifierStep(Expr tracked, Expr sink) {
  * `arg` is the index of the argument.
  */
 private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
-  exists(Method write |
-    method.overrides*(write) and
-    write.hasName("write") and
-    arg = 0 and
-    write.getDeclaringType().hasQualifiedName("java.io", "OutputStream")
-  )
-  or
   method.(TaintPreservingCallable).transfersTaint(arg, -1)
 }
 

java/ql/test/library-tests/dataflow/taint/A.java

@@ -72,4 +72,13 @@ void test6() {
     arrayWrite(taint(), b);
     sink(b);
   }
+
+  void testFilterOutputStream() throws IOException {
+    ByteArrayOutputStream bOutput = new ByteArrayOutputStream();
+    bOutput.write(taint());
+    FilterOutputStream filterOutput = new FilterOutputStream(bOutput) {
+    };
+    sink(filterOutput);
+  }
+
 }

java/ql/test/library-tests/dataflow/taint/test.expected

@@ -3,6 +3,7 @@
 | A.java:33:23:33:29 | taint(...) | A.java:34:10:34:27 | toByteArray(...) |
 | A.java:46:27:46:33 | taint(...) | A.java:47:10:47:30 | toByteArray(...) |
 | A.java:55:58:55:64 | taint(...) | A.java:61:10:61:16 | dh.data |
+| A.java:78:19:78:25 | taint(...) | A.java:81:10:81:21 | filterOutput |
 | B.java:15:21:15:27 | taint(...) | B.java:18:10:18:16 | aaaargs |
 | B.java:15:21:15:27 | taint(...) | B.java:21:10:21:10 | s |
 | B.java:15:21:15:27 | taint(...) | B.java:24:10:24:15 | concat |