From 00c253a710fab0d94a3fcd43ead512112fa983e5 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Fri, 8 Jan 2021 15:29:01 +0100
Subject: [PATCH] Java: Don't ignore local taint steps (fixup)
---
 java/ql/src/semmle/code/java/security/ExternalAPIs.qll | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/java/ql/src/semmle/code/java/security/ExternalAPIs.qll b/java/ql/src/semmle/code/java/security/ExternalAPIs.qll
index 785b021d42f..f2675645a6a 100644
--- a/java/ql/src/semmle/code/java/security/ExternalAPIs.qll
+++ b/java/ql/src/semmle/code/java/security/ExternalAPIs.qll
@@ -75,7 +75,8 @@ class ExternalAPIDataNode extends DataFlow::Node {
 m.getASourceOverriddenMethod() = call.getCallee().getSourceDeclaration() and
 m.fromSource()
 ) and
- // Not already modeled as a taint step
+ // Not already modeled as a taint step (we need both of these to handle `AdditionalTaintStep` subclasses as well)
+ not exists(DataFlow::Node next | TaintTracking::localTaintStep(this, next)) and
 not exists(DataFlow::Node next | TaintTracking::defaultAdditionalTaintStep(this, next)) and
 // Not a call to a known safe external API
 not call.getCallee() instanceof SafeExternalAPIMethod
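Review bot: The added `not exists(DataFlow::Node next | TaintTracking::localTaintStep(this, next))` may exclude more than arguments of already-modelled APIs. If `localTaintStep` also holds for plain value-preserving local flow (its definition is not visible in this hunk), an argument whose value merely flows on locally would stop being an `ExternalAPIDataNode`, and untrusted data reaching that unmodelled external call would go unreported. The new comment says both conjuncts are needed but not which one covers `AdditionalTaintStep` subclasses and which covers the local models; it should say so, and state whether ordinary local flow out of the argument is excluded on purpose. The patch changes only this file, so a test with an argument that is used again after the external call would pin the intended behaviour. The characteristic predicate of `ExternalAPIDataNode` starts and ends outside the hunk.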