Java: Bugfix for flow through methods with taintstep and upcast.

java/ql/test/library-tests/dataflow/taintreturn/Test.java

@@ -0,0 +1,22 @@
+public class Test {
+  static class A {
+    B step() { return null; }
+  }
+  static class B extends C { }
+  static class C { }
+
+  A src() { return new A(); }
+
+  void sink(Object o) { }
+
+  void flow() {
+    A a = src();
+    C c = m1(a);
+    sink(c);
+  }
+
+  C m1(A a) {
+    return a.step();
+  }
+}
+

java/ql/test/library-tests/dataflow/taintreturn/taintreturn.expected

@@ -0,0 +1 @@
+| 1 | 1 |

java/ql/test/library-tests/dataflow/taintreturn/taintreturn.ql

@@ -0,0 +1,44 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import DataFlow
+
+predicate step(Expr e1, Expr e2) {
+  exists(MethodAccess ma |
+    ma.getMethod().hasName("step") and
+    ma = e2 and
+    ma.getQualifier() = e1
+  )
+}
+
+predicate isSink0(Expr sink) {
+  exists(MethodAccess ma |
+    ma.getMethod().hasName("sink") and
+    ma.getAnArgument() = sink
+  )
+}
+
+class Conf1 extends Configuration {
+  Conf1() { this = "testconf1" }
+
+  override predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("src") }
+
+  override predicate isSink(Node n) { any() }
+
+  override predicate isAdditionalFlowStep(Node n1, Node n2) { step(n1.asExpr(), n2.asExpr()) }
+}
+
+class Conf2 extends Configuration {
+  Conf2() { this = "testconf2" }
+
+  override predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("src") }
+
+  override predicate isSink(Node n) { isSink0(n.asExpr()) }
+
+  override predicate isAdditionalFlowStep(Node n1, Node n2) { step(n1.asExpr(), n2.asExpr()) }
+}
+
+from int i1, int i2
+where
+  i1 = count(Node src, Node sink, Conf1 c | c.hasFlow(src, sink) and isSink0(sink.asExpr())) and
+  i2 = count(Node src, Node sink, Conf2 c | c.hasFlow(src, sink))
+select i1, i2