From 9c9e302a739485c513481a67e3958f7c308be15b Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Tue, 17 Mar 2020 10:19:02 +0100
Subject: [PATCH] Java: Add URLDecoder.decode as taint step.
---
 .../semmle/code/java/dataflow/internal/TaintTrackingUtil.qll | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index e8d632682c9..06eec43957f 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -466,6 +466,10 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
 method.getName() = "toString" and arg = 0
 )
 or
+ method.getDeclaringType().hasQualifiedName("java.net", "URLDecoder") and
+ method.hasName("decode") and
+ arg = 0
+ or
 // A URI created from a tainted string is still tainted.
 method.getDeclaringType().hasQualifiedName("java.net", "URI") and
 method.hasName("create") and
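Review bot: The new `URLDecoder.decode` disjunct has no comment, unlike the `URI.create` case directly below it, and the reasoning is worth recording: decoding turns percent-escaped input back into raw characters, so a value that was checked in its encoded form is still attacker-controlled after the call. I would add `// A URL-decoded tainted string is still tainted; only the input string (argument 0) carries taint, not the encoding argument.` above `method.getDeclaringType().hasQualifiedName("java.net", "URLDecoder")`. Matching on `hasName("decode")` with `arg = 0` appears to cover every overload, since each takes the encoded string first, which looks intended. The diffstat lists only the library file, so a test case exercising flow through `URLDecoder.decode` seems to be missing from this commit. The body of `taintPreservingArgumentToMethod` starts and ends outside the hunk.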