From 2dbbcc2413f19ae136f2323517c67dce0b0f8741 Mon Sep 17 00:00:00 2001
From: Tony Torralba
Date: Wed, 19 Jul 2023 11:30:44 +0200
Subject: [PATCH] Java: Avoid low-confidence dispatch to InputStream methods
Also adds a neutral model for `InputStream.read`, which offers a high-confidence alternative for this method.
---
 java/ql/lib/ext/java.io.model.yml | 1 +
 java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/java/ql/lib/ext/java.io.model.yml b/java/ql/lib/ext/java.io.model.yml
index 98c51a7bad5..6cc4933d7b5 100644
--- a/java/ql/lib/ext/java.io.model.yml
+++ b/java/ql/lib/ext/java.io.model.yml
@@ -116,6 +116,7 @@ extensions:
 - ["java.io", "File", "isDirectory", "()", "summary", "manual"]
 - ["java.io", "File", "mkdirs", "()", "summary", "manual"]
 - ["java.io", "FileInputStream", "FileInputStream", "(File)", "summary", "manual"]
+ - ["java.io", "InputStream", "read", "()", "summary", "manual"]
 - ["java.io", "InputStream", "close", "()", "summary", "manual"]
 - ["java.io", "OutputStream", "flush", "()", "summary", "manual"]
 # The below APIs have numeric flow and are currently being stored as neutral models.
diff --git a/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll b/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
index 4b880542229..c22f77725a1 100644
--- a/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
+++ b/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
@@ -102,6 +102,8 @@ private module Dispatch {
 or
 t instanceof Interface and not t.fromSource()
 or
+ t.hasQualifiedName("java.io", "InputStream")
+ or
 t.hasQualifiedName("java.io", "Serializable")
 or
 t.hasQualifiedName("java.lang", "Iterable")
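Review bot: Only the zero-argument `read()` gets a row in this hunk, so the buffer-filling overloads `read(byte[])` and `read(byte[], int, int)` depend on models that are not visible here. Those overloads are the ones that copy stream contents into a caller-supplied array, and once the second hunk stops low-confidence dispatch to `InputStream` overrides, taint through them rests entirely on whatever summary rows already exist. Please confirm both overloads are covered elsewhere in `java.io.model.yml`. If they are, a comment above the new row such as `# read() returns one byte as an int; the buffer overloads are modelled as summaries` would record why only this signature is neutral.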
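Review bot: The added `t.hasQualifiedName("java.io", "InputStream")` disjunct changes call-graph resolution for every data-flow query, yet the diffstat shows no test and the line has no comment saying why this type is singled out. Judging by the commit title, a call on a receiver typed `InputStream` will no longer be dispatched to source-defined overrides in the low-confidence case, so flow through a project's own stream subclass may drop out of security query results. I would add a library test with a source-defined `InputStream` subclass that pins the expected dispatch targets, and a comment on the disjunct along the lines of `// InputStream: calls are covered by models; dispatch to source overrides only with high-confidence type information`. The enclosing predicate starts and ends outside the hunk, so its exact low-confidence conditions are not visible here.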