Java: Fix taint-step handling for untrusted-data-external-api

RasmusWL · RasmusWL · commit 874af7637f4f · 2020-12-22T11:02:50.000+01:00
The previous implementation would not handle any `AdditionalTaintStep`
subclasses.
diff --git a/java/ql/src/semmle/code/java/security/ExternalAPIs.qll b/java/ql/src/semmle/code/java/security/ExternalAPIs.qll
@@ -76,7 +76,7 @@ class ExternalAPIDataNode extends DataFlow::Node {
       m.fromSource()
     ) and
     // Not already modeled as a taint step
-    not exists(DataFlow::Node next | TaintTracking::localTaintStep(this, next)) and
+    not exists(DataFlow::Node next | TaintTracking::defaultAdditionalTaintStep(this, next)) and
     // Not a call to a known safe external API
     not call.getCallee() instanceof SafeExternalAPIMethod
   }

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ class ExternalAPIDataNode extends DataFlow::Node {`
`76`	`76`	`m.fromSource()`
`77`	`77`	`) and`
`78`	`78`	`// Not already modeled as a taint step`
`79`		`- not exists(DataFlow::Node next \| TaintTracking::localTaintStep(this, next)) and`
	`79`	`+ not exists(DataFlow::Node next \| TaintTracking::defaultAdditionalTaintStep(this, next)) and`
`80`	`80`	`// Not a call to a known safe external API`
`81`	`81`	`not call.getCallee() instanceof SafeExternalAPIMethod`
`82`	`82`	`}`