Remove redundant method taint flow specifications

smowton · smowton · commit 8a78075d3d0c · 2021-08-02T14:30:31.000+01:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql
@@ -71,24 +71,6 @@ class UnsafeReflectionConfig extends TaintTracking::Configuration {
     // Argument -> return of methods that look like `Object getInstance(Class c)`
     looksLikeInstantiateClassStep(pred, succ)
     or
-    // Argument -> return of BeanFactory.getBean
-    exists(MethodAccess ma, Method getBean, Expr argument |
-      getBean.hasQualifiedName("org.springframework.beans.factory", "BeanFactory", "getBean") and
-      (
-        ma.getMethod().overrides(getBean)
-        or
-        ma.getMethod() = getBean
-      ) and
-      argument = ma.getAnArgument() and
-      (
-        argument.getType() instanceof TypeString
-        or
-        argument.getType() instanceof TypeClass
-      ) and
-      pred.asExpr() = argument and
-      succ.asExpr() = ma
-    )
-    or
     // Qualifier -> return of Constructor.newInstance, Class.newInstance
     exists(NewInstance ni |
       ni.getQualifier() = pred.asExpr() and
diff --git a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflectionLib.qll
@@ -52,9 +52,7 @@ predicate looksLikeInstantiateClassStep(DataFlow::Node fromNode, DataFlow::Node
     m = ma.getMethod() and arg = ma.getArgument(i)
   |
     m.getReturnType() instanceof TypeObject and
-    m.getName()
-        .toLowerCase()
-        .regexpMatch("instantiate|instance|create|make|getbean|instantiateclass") and
+    m.getName().toLowerCase().regexpMatch("instantiate|instance|create|make|getbean") and
     arg.getType() instanceof TypeClass and
     arg = fromNode.asExpr() and
     ma = toNode.asExpr()
