Merge pull request #693 from sb-semmle/remove-duplicate-predicate

Remove a duplicated predicate.

java/ql/src/semmle/code/java/dataflow/TaintTracking.qll

@@ -226,8 +226,6 @@ module TaintTracking {
     stringBuilderStep(src, sink)
     or
     serializationStep(src, sink)
-    or
-    qualifierToArgStep(src, sink)
   }
 
   private class BulkData extends RefType {
@@ -353,6 +351,10 @@ module TaintTracking {
     m.getDeclaringType().hasQualifiedName("java.io", "ByteArrayOutputStream") and
     m.hasName("writeTo") and
     arg = 0
+    or
+    m.getDeclaringType().hasQualifiedName("java.io", "InputStream") and
+    m.hasName("read") and
+    arg = 0
   }
 
   /** Access to a method that passes taint from the qualifier. */
@@ -596,29 +598,6 @@ module TaintTracking {
     arg = 0
   }
 
-  /**
-   * Holds if `tracked` is a qualifier and `sink` is an argument
-   * of a method that transfers taint from the qualifier to the argument.
-   */
-  private predicate qualifierToArgStep(Expr tracked, RValue sink) {
-    exists(MethodAccess ma, Method method, int i |
-      taintPreservingQualifierToArg(method, i) and
-      ma.getMethod() = method and
-      ma.getArgument(i) = sink and
-      ma.getQualifier() = tracked
-    )
-  }
-
-  /**
-   * Holds if `method` is a method that transfers taint from the qualifier
-   * to the `i`th argument.
-   */
-  private predicate taintPreservingQualifierToArg(Method method, int i) {
-    method.getDeclaringType().hasQualifiedName("java.io", "InputStream") and
-    method.hasName("read") and
-    i = 0
-  }
-
   /** A comparison or equality test with a constant. */
   private predicate comparisonStep(Expr tracked, Expr sink) {
     exists(Expr other |