Merge pull request github#3081 from aschackmull/java/urldecoder-step

Java: Add URLDecoder.decode as taint step.

Author: yo-h

java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -473,6 +473,10 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
     method.getName() = "toString" and arg = 0
   )
   or
+  method.getDeclaringType().hasQualifiedName("java.net", "URLDecoder") and
+  method.hasName("decode") and
+  arg = 0
+  or
   // A URI created from a tainted string is still tainted.
   method.getDeclaringType().hasQualifiedName("java.net", "URI") and
   method.hasName("create") and