Only capture taint from own fields

Also exclude `Charset` as relevant taint-carrying type. This is generally
what we want to lets us avoid tracking arguments that lead to FP.

Author: Benjamin Muskalla

java/ql/src/utils/model-generator/CaptureSinkModels.ql

@@ -16,7 +16,7 @@ class PropagateToSinkConfiguration extends TaintTracking::Configuration {
   PropagateToSinkConfiguration() { this = "parameters or  flowing into sinks" }
 
   override predicate isSource(DataFlow::Node source) {
-    (source.asExpr() instanceof FieldAccess or source instanceof DataFlow::ParameterNode) and
+    (source.asExpr().(FieldAccess).isOwnFieldAccess() or source instanceof DataFlow::ParameterNode) and
     source.getEnclosingCallable().isPublic() and
     exists(RefType t |
       t = source.getEnclosingCallable().getDeclaringType().getAnAncestor() and

java/ql/src/utils/model-generator/CaptureSummaryModels.ql

@@ -190,8 +190,7 @@ class ParameterToReturnValueTaintConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof ReturnNodeExt }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    node2.asExpr().(ConstructorCall).getAnArgument() = node1.asExpr() and
-    node1.asExpr().(Argument).getCall().getCallee().fromSource()
+    node2.asExpr().(ConstructorCall).getAnArgument() = node1.asExpr()
   }
 }
 
@@ -261,6 +260,7 @@ predicate isRelevantType(Type t) {
   not t instanceof PrimitiveType and
   not t instanceof BoxedType and
   not t.(RefType).getAnAncestor().hasQualifiedName("java.lang", "Number") and
+  not t.(RefType).getAnAncestor().hasQualifiedName("java.nio.charset", "Charset") and
   (
     not t.(Array).getElementType() instanceof PrimitiveType or
     isPrimitiveTypeUsedForBulkData(t.(Array).getElementType())

java/ql/test/utils/model-generator/CaptureSummaryModels.expected

@@ -44,3 +44,4 @@
 | p;Pojo;false;getValue;();;Argument[-1];ReturnValue;taint |
 | p;Pojo;false;setValue;(String);;Argument[0];Argument[-1];taint |
 | p;PrivateFlowViaPublicInterface;true;createAnSPI;(File);;Argument[0];ReturnValue;taint |
+| p;PrivateFlowViaPublicInterface;true;createAnSPIWithoutTrackingFile;(File);;Argument[0];ReturnValue;taint |

java/ql/test/utils/model-generator/p/PrivateFlowViaPublicInterface.java

@@ -7,8 +7,15 @@
 
 public class PrivateFlowViaPublicInterface {
 
+    static class RandomPojo {
+        public File someFile = new File("someFile");
+    }
     public static interface SPI {
         OutputStream openStream() throws IOException;
+
+        default OutputStream openStreamNone() throws IOException {
+            return null;
+        };
     }
 
     private static final class PrivateImplWithSink implements SPI {
@@ -25,9 +32,30 @@ public OutputStream openStream() throws IOException {
         }
 
     }
+    
+    private static final class PrivateImplWithRandomField implements SPI {
+
+        public PrivateImplWithRandomField(File file) {
+        }
+
+        @Override
+        public OutputStream openStream() throws IOException {
+            return null;
+        }
+        
+        @Override
+        public OutputStream openStreamNone() throws IOException {
+            return new FileOutputStream(new RandomPojo().someFile);
+        }
+
+    }
 
     public static SPI createAnSPI(File file) {
         return new PrivateImplWithSink(file);
     }
+    
+    public static SPI createAnSPIWithoutTrackingFile(File file) {
+        return new PrivateImplWithRandomField(file);
+    }
 
 }