From 2dbbcc2413f19ae136f2323517c67dce0b0f8741 Mon Sep 17 00:00:00 2001
From: Tony Torralba
Date: Wed, 19 Jul 2023 11:30:44 +0200
Subject: [PATCH 1/3] Java: Avoid low-confidence dispatch to InputStream methods

Also adds a neutral model for `InputStream.read`, which offers a high-confidence alternative for this method.
---
 java/ql/lib/ext/java.io.model.yml | 1 +
 java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/java/ql/lib/ext/java.io.model.yml b/java/ql/lib/ext/java.io.model.yml
index 98c51a7bad5..6cc4933d7b5 100644
--- a/java/ql/lib/ext/java.io.model.yml
+++ b/java/ql/lib/ext/java.io.model.yml
@@ -116,6 +116,7 @@ extensions:
 - ["java.io", "File", "isDirectory", "()", "summary", "manual"]
 - ["java.io", "File", "mkdirs", "()", "summary", "manual"]
 - ["java.io", "FileInputStream", "FileInputStream", "(File)", "summary", "manual"]
+ - ["java.io", "InputStream", "read", "()", "summary", "manual"]
 - ["java.io", "InputStream", "close", "()", "summary", "manual"]
 - ["java.io", "OutputStream", "flush", "()", "summary", "manual"]
 # The below APIs have numeric flow and are currently being stored as neutral models.
diff --git a/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll b/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
index 4b880542229..c22f77725a1 100644
--- a/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
+++ b/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
@@ -102,6 +102,8 @@ private module Dispatch {
 or
 t instanceof Interface and not t.fromSource()
 or
+ t.hasQualifiedName("java.io", "InputStream")
+ or
 t.hasQualifiedName("java.io", "Serializable")
 or
 t.hasQualifiedName("java.lang", "Iterable")

From 29543f572691c06574576bf92e144ec14ef67b63 Mon Sep 17 00:00:00 2001
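Review bot: The new disjunct treats only a qualifier whose static type is exactly `java.io.InputStream` as low-confidence; a call whose static type is a library subclass such as `java.io.FilterInputStream` presumably keeps its wide dispatch, so the change note's "InputStream methods" is narrower in practice than it reads. If the intent is the whole library hierarchy, `t.getASupertype*().hasQualifiedName("java.io", "InputStream") and not t.fromSource()` would express it, but whether that is wanted depends on how this disjunction is consumed, and the enclosing predicate starts and ends outside the hunk. A concrete class now sits in a list of interfaces with no explanation; a comment above the added line, `// InputStream has many implementations, so dispatching to all of them is low-confidence; MaD summaries cover the common methods`, would record the rationale. It is also worth confirming that `InputStream` methods with neither a summary nor a neutral model do not lose every dispatch target as a result.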
From: Tony Torralba
Date: Wed, 19 Jul 2023 14:44:18 +0200
Subject: [PATCH 2/3] Change InputStream.read from neutral to summary

---
 java/ql/lib/ext/java.io.model.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/lib/ext/java.io.model.yml b/java/ql/lib/ext/java.io.model.yml
index 6cc4933d7b5..e4d543aa06d 100644
--- a/java/ql/lib/ext/java.io.model.yml
+++ b/java/ql/lib/ext/java.io.model.yml
@@ -84,6 +84,7 @@ extensions:
 - ["java.io", "File", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
 - ["java.io", "File", True, "toURI", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
 - ["java.io", "FilterOutputStream", True, "FilterOutputStream", "(OutputStream)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+ - ["java.io", "InputStream", True, "read", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
 - ["java.io", "InputStream", True, "read", "(byte[])", "", "Argument[this]", "Argument[0]", "taint", "manual"]
 - ["java.io", "InputStream", True, "read", "(byte[],int,int)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
 - ["java.io", "InputStream", True, "readAllBytes", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
@@ -116,7 +117,6 @@ extensions:
 - ["java.io", "File", "isDirectory", "()", "summary", "manual"]
 - ["java.io", "File", "mkdirs", "()", "summary", "manual"]
 - ["java.io", "FileInputStream", "FileInputStream", "(File)", "summary", "manual"]
- - ["java.io", "InputStream", "read", "()", "summary", "manual"]
 - ["java.io", "InputStream", "close", "()", "summary", "manual"]
 - ["java.io", "OutputStream", "flush", "()", "summary", "manual"]
 # The below APIs have numeric flow and are currently being stored as neutral models.

From 238cb266247b496c2172f5c99e106158ab4563e7 Mon Sep 17 00:00:00 2001
From: Tony Torralba
Date: Wed, 19 Jul 2023 15:37:33 +0200
Subject: [PATCH 3/3] Add change note

---
 java/ql/lib/change-notes/2023-07-19-inputstream-dispatch.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 java/ql/lib/change-notes/2023-07-19-inputstream-dispatch.md

diff --git a/java/ql/lib/change-notes/2023-07-19-inputstream-dispatch.md b/java/ql/lib/change-notes/2023-07-19-inputstream-dispatch.md
new file mode 100644
index 00000000000..d093c771d51
--- /dev/null
+++ b/java/ql/lib/change-notes/2023-07-19-inputstream-dispatch.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Improved the precision of virtual dispatch of `java.io.InputStream` methods. Now, calls to these methods will not dispatch to arbitrary implementations of `InputStream` if there is a high-confidence alternative (like a models-as-data summary).
+ 
\ No newline at end of file