From 4ffc41277a46c7e29ee96acf9dae3d698341530f Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Fri, 2 Aug 2019 14:21:06 +0200
Subject: [PATCH] Java: Adjust taint steps for Reader::read.
---
 .../src/semmle/code/java/dataflow/TaintTracking.qll | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll b/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
index 475e7640077..bf27001ba4a 100644
--- a/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
+++ b/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
@@ -363,6 +363,10 @@ module TaintTracking {
 m.getDeclaringType().hasQualifiedName("java.io", "InputStream") and
 m.hasName("read") and
 arg = 0
+ or
+ m.getDeclaringType().getASupertype*().hasQualifiedName("java.io", "Reader") and
+ m.hasName("read") and
+ arg = 0
 }
 
 /** Access to a method that passes taint from the qualifier. */
@@ -398,8 +402,12 @@ module TaintTracking {
 m.getName().matches("%Value")
 )
 or
- m.getDeclaringType().getQualifiedName().matches("%Reader") and
- m.getName().matches("read%")
+ m.getDeclaringType().getASupertype*().hasQualifiedName("java.io", "Reader") and
+ (
+ m.getName() = "read" and m.getNumberOfParameters() = 0
+ or
+ m.getName() = "readLine"
+ )
 or
 m.getDeclaringType().getQualifiedName().matches("%StringWriter") and
 m.getName() = "toString"
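Review bot: In the hunk at `@@ -363,6 +363,10 @@`, the new `Reader` disjunct walks `getASupertype*()`, while the `InputStream` disjunct directly above it still matches only the exact declaring type, so the two buffer-filling `read` cases now treat subclasses differently. If the method passed in can be an overriding declaration in a subclass (not visible in this hunk), `read(byte[])` on an `InputStream` subclass would presumably miss the qualifier-to-argument step that the `Reader` equivalent now gets. If the asymmetry is intended, a short comment would record it, e.g. `// arg 0 is the destination buffer of Reader.read(char[]), read(char[], int, int) and read(CharBuffer)`, plus a word on why `InputStream` stays an exact match. The enclosing predicate starts outside the hunk.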
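Review bot: In the hunk at `@@ -398,8 +402,12 @@`, replacing the `%Reader` / `read%` name heuristic with `java.io.Reader` subtypes removes the qualifier-to-return step for every reader-like class outside that hierarchy. It also removes the step for every `read*` method other than zero-argument `read` and `readLine`, so flows that were previously tracked through such calls may silently disappear from queries that use this library. The diffstat shows only this one file changing, so nothing visible here pins which earlier matches are given up on purpose. A library test covering the kept cases and at least one non-`java.io.Reader` type whose name ends in `Reader` would make the trade-off explicit. A comment above the block would also help, e.g. `// Only read() and readLine() return the data; buffer-filling overloads are modelled as qualifier-to-argument steps.` The enclosing predicate starts and ends outside the hunk.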