Support CharSequence#subSequence

java/ql/src/semmle/code/java/frameworks/Strings.qll

@@ -48,7 +48,8 @@ private class StringSummaryCsv extends SummaryModelCsv {
         "java.lang;AbstractStringBuilder;true;toString;;;Argument[-1];ReturnValue;taint",
         "java.lang;StringBuffer;true;StringBuffer;(CharSequence);;Argument[0];Argument[-1];taint",
         "java.lang;StringBuffer;true;StringBuffer;(String);;Argument[0];Argument[-1];taint",
-        "java.lang;StringBuilder;true;StringBuilder;;;Argument[0];Argument[-1];taint"
+        "java.lang;StringBuilder;true;StringBuilder;;;Argument[0];Argument[-1];taint",
+        "java.lang;CharSequence;true;subSequence;;;Argument[-1];ReturnValue;taint"
       ]
   }
 }

java/ql/test/library-tests/dataflow/taint/CharSeq.java

@@ -0,0 +1,13 @@
+public class CharSeq {
+    public static String taint() { return "tainted"; }
+  
+    public static void sink(Object o) { }
+  
+    void test1() {
+      CharSequence seq = taint().subSequence(0,1);
+      sink(seq);
+  
+      CharSequence seqFromSeq = seq.subSequence(0, 1);
+      sink(seqFromSeq);
+    }
+  }

java/ql/test/library-tests/dataflow/taint/test.expected

@@ -37,6 +37,8 @@
 | B.java:15:21:15:27 | taint(...) | B.java:143:10:143:44 | toURL(...) |
 | B.java:15:21:15:27 | taint(...) | B.java:146:10:146:37 | toPath(...) |
 | B.java:15:21:15:27 | taint(...) | B.java:149:10:149:46 | toFile(...) |
+| CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:8:12:8:14 | seq |
+| CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:11:12:11:21 | seqFromSeq |
 | MethodFlow.java:7:22:7:28 | taint(...) | MethodFlow.java:8:10:8:16 | tainted |
 | MethodFlow.java:9:31:9:37 | taint(...) | MethodFlow.java:10:10:10:17 | tainted2 |
 | MethodFlow.java:11:35:11:41 | taint(...) | MethodFlow.java:12:10:12:17 | tainted3 |