Java: treat Stack.push as data flow instead of taint flow

aibaars · aibaars · commit b1e604b490e6 · 2020-07-13T11:36:34.000+02:00
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -270,9 +270,6 @@ private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
  * `arg`th argument is tainted.
  */
 private predicate taintPreservingArgumentToMethod(Method method, int arg) {
-  // java.util.Stack
-  method.(CollectionMethod).hasName("push") and arg = 0
-  or
   method.getDeclaringType().hasQualifiedName("java.util", "Collections") and
   (
     method
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -413,6 +413,18 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
       m.hasName("toString") and node1.asExpr() = ma.getArgument(1)
     )
   )
+  or
+  exists(MethodAccess ma, Method m |
+    ma = node2.asExpr() and
+    m = ma.getMethod() and
+    m
+        .getDeclaringType()
+        .getSourceDeclaration()
+        .getASourceSupertype*()
+        .hasQualifiedName("java.util", "Stack") and
+    m.hasName("push") and
+    node1.asExpr() = ma.getArgument(0)
+  )
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -413,6 +413,18 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {`
`413`	`413`	`m.hasName("toString") and node1.asExpr() = ma.getArgument(1)`
`414`	`414`	`)`
`415`	`415`	`)`
	`416`	`+ or`
	`417`	`+ exists(MethodAccess ma, Method m \|`
	`418`	`+ ma = node2.asExpr() and`
	`419`	`+ m = ma.getMethod() and`
	`420`	`+ m`
	`421`	`+ .getDeclaringType()`
	`422`	`+ .getSourceDeclaration()`
	`423`	`+ .getASourceSupertype*()`
	`424`	`+ .hasQualifiedName("java.util", "Stack") and`
	`425`	`+ m.hasName("push") and`
	`426`	`+ node1.asExpr() = ma.getArgument(0)`
	`427`	`+ )`
`416`	`428`	`}`
`417`	`429`
`418`	`430`	`/**`