Merge pull request #3893 from aibaars/set-map-list-copy-of

Java: model some new Set,List,Map methods

java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll

@@ -181,6 +181,22 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
     method.hasName(["nCopies", "singletonMap"]) and arg = 1
   )
   or
+  method
+      .getDeclaringType()
+      .getSourceDeclaration()
+      .hasQualifiedName("java.util", ["List", "Map", "Set"]) and
+  method.hasName("copyOf") and
+  arg = 0
+  or
+  method.getDeclaringType().getSourceDeclaration().hasQualifiedName("java.util", "Map") and
+  (
+    method.hasName("of") and
+    arg = any(int i | i in [1 .. 10] | 2 * i - 1)
+    or
+    method.hasName("entry") and
+    arg = 1
+  )
+  or
   method.getDeclaringType().hasQualifiedName("java.util", "Arrays") and
   (
     method.hasName(["copyOf", "copyOfRange", "spliterator", "stream"]) and
@@ -188,6 +204,18 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
   )
 }
 
+/**
+ * Holds if `method` is a library method that returns tainted data if any
+ * of its arguments are tainted.
+ */
+private predicate taintPreservingArgumentToMethod(Method method) {
+  method.getDeclaringType().getSourceDeclaration().hasQualifiedName("java.util", ["Set", "List"]) and
+  method.hasName("of")
+  or
+  method.getDeclaringType().getSourceDeclaration().hasQualifiedName("java.util", "Map") and
+  method.hasName("ofEntries")
+}
+
 /**
  * Holds if `method` is a library method that writes tainted data to the
  * `output`th argument if the `input`th argument is tainted.
@@ -234,6 +262,9 @@ private predicate argToMethodStep(Expr tracked, MethodAccess sink) {
       tracked = sink.getAnArgument()
     )
   )
+  or
+  taintPreservingArgumentToMethod(sink.getMethod()) and
+  tracked = sink.getAnArgument()
 }
 
 /**