Avoid taint for valueOf(Object)

java/ql/src/semmle/code/java/dataflow/FlowSteps.qll

@@ -108,11 +108,16 @@ abstract class TaintPreservingCallable extends Callable {
 private class StringTaintPreservingMethod extends TaintPreservingCallable {
   StringTaintPreservingMethod() {
     this.getDeclaringType() instanceof TypeString and
-    this.hasName([
-        "concat", "copyValueOf", "endsWith", "format", "formatted", "getBytes", "indent", "intern",
-        "join", "repeat", "split", "strip", "stripIndent", "stripLeading", "stripTrailing",
-        "substring", "toCharArray", "toLowerCase", "toString", "toUpperCase", "trim", "valueOf"
-      ])
+    (
+      this.hasName([
+          "concat", "copyValueOf", "endsWith", "format", "formatted", "getBytes", "indent",
+          "intern", "join", "repeat", "split", "strip", "stripIndent", "stripLeading",
+          "stripTrailing", "substring", "toCharArray", "toLowerCase", "toString", "toUpperCase",
+          "trim"
+        ])
+      or
+      this.hasName("valueOf") and this.getParameterType(0) instanceof Array
+    )
   }
 
   override predicate returnsTaintFrom(int arg) {

java/ql/test/library-tests/dataflow/taint/B.java

@@ -37,6 +37,9 @@ public class B {
     // tainted - data preserving method
     String valueOf = String.valueOf(complex.toCharArray());
     sink(valueOf);
+    // tainted - data preserving method
+    String valueOfSubstring = String.valueOf(complex.toCharArray(), 0, 1);
+    sink(valueOfSubstring);
     // tainted - unsafe escape
     String badEscape = constructed.replaceAll("(<script>)", "");
     sink(badEscape);
@@ -52,7 +55,11 @@ public class B {
     // non-whitelisted constructors don't pass taint
     StringWrapper herring = new StringWrapper(complex);
     sink(herring);
+    // toString does not pass taint yet 
+    String valueOfObject = String.valueOf(args);
+    sink(valueOfObject);
 
+    
     // tainted equality check with constant
     boolean cond = "foo" == s;
     sink(cond);

java/ql/test/library-tests/dataflow/taint/test.expected

@@ -11,31 +11,32 @@
 | B.java:15:21:15:27 | taint(...) | B.java:33:10:33:16 | complex |
 | B.java:15:21:15:27 | taint(...) | B.java:36:10:36:20 | constructed |
 | B.java:15:21:15:27 | taint(...) | B.java:39:10:39:16 | valueOf |
-| B.java:15:21:15:27 | taint(...) | B.java:42:10:42:18 | badEscape |
-| B.java:15:21:15:27 | taint(...) | B.java:45:10:45:14 | token |
-| B.java:15:21:15:27 | taint(...) | B.java:58:10:58:13 | cond |
-| B.java:15:21:15:27 | taint(...) | B.java:61:10:61:14 | logic |
-| B.java:15:21:15:27 | taint(...) | B.java:63:10:63:39 | endsWith(...) |
-| B.java:15:21:15:27 | taint(...) | B.java:66:10:66:14 | logic |
-| B.java:15:21:15:27 | taint(...) | B.java:69:10:69:14 | logic |
-| B.java:15:21:15:27 | taint(...) | B.java:77:10:77:16 | trimmed |
-| B.java:15:21:15:27 | taint(...) | B.java:79:10:79:14 | split |
-| B.java:15:21:15:27 | taint(...) | B.java:81:10:81:14 | lower |
-| B.java:15:21:15:27 | taint(...) | B.java:83:10:83:14 | upper |
-| B.java:15:21:15:27 | taint(...) | B.java:85:10:85:14 | bytes |
-| B.java:15:21:15:27 | taint(...) | B.java:87:10:87:17 | toString |
-| B.java:15:21:15:27 | taint(...) | B.java:89:10:89:13 | subs |
-| B.java:15:21:15:27 | taint(...) | B.java:91:10:91:13 | repl |
-| B.java:15:21:15:27 | taint(...) | B.java:93:10:93:16 | replAll |
-| B.java:15:21:15:27 | taint(...) | B.java:95:10:95:18 | replFirst |
-| B.java:15:21:15:27 | taint(...) | B.java:108:12:108:25 | serializedData |
-| B.java:15:21:15:27 | taint(...) | B.java:120:12:120:27 | deserializedData |
-| B.java:15:21:15:27 | taint(...) | B.java:129:10:129:21 | taintedArray |
-| B.java:15:21:15:27 | taint(...) | B.java:131:10:131:22 | taintedArray2 |
-| B.java:15:21:15:27 | taint(...) | B.java:133:10:133:22 | taintedArray3 |
-| B.java:15:21:15:27 | taint(...) | B.java:136:10:136:44 | toURL(...) |
-| B.java:15:21:15:27 | taint(...) | B.java:139:10:139:37 | toPath(...) |
-| B.java:15:21:15:27 | taint(...) | B.java:142:10:142:46 | toFile(...) |
+| B.java:15:21:15:27 | taint(...) | B.java:42:10:42:25 | valueOfSubstring |
+| B.java:15:21:15:27 | taint(...) | B.java:45:10:45:18 | badEscape |
+| B.java:15:21:15:27 | taint(...) | B.java:48:10:48:14 | token |
+| B.java:15:21:15:27 | taint(...) | B.java:65:10:65:13 | cond |
+| B.java:15:21:15:27 | taint(...) | B.java:68:10:68:14 | logic |
+| B.java:15:21:15:27 | taint(...) | B.java:70:10:70:39 | endsWith(...) |
+| B.java:15:21:15:27 | taint(...) | B.java:73:10:73:14 | logic |
+| B.java:15:21:15:27 | taint(...) | B.java:76:10:76:14 | logic |
+| B.java:15:21:15:27 | taint(...) | B.java:84:10:84:16 | trimmed |
+| B.java:15:21:15:27 | taint(...) | B.java:86:10:86:14 | split |
+| B.java:15:21:15:27 | taint(...) | B.java:88:10:88:14 | lower |
+| B.java:15:21:15:27 | taint(...) | B.java:90:10:90:14 | upper |
+| B.java:15:21:15:27 | taint(...) | B.java:92:10:92:14 | bytes |
+| B.java:15:21:15:27 | taint(...) | B.java:94:10:94:17 | toString |
+| B.java:15:21:15:27 | taint(...) | B.java:96:10:96:13 | subs |
+| B.java:15:21:15:27 | taint(...) | B.java:98:10:98:13 | repl |
+| B.java:15:21:15:27 | taint(...) | B.java:100:10:100:16 | replAll |
+| B.java:15:21:15:27 | taint(...) | B.java:102:10:102:18 | replFirst |
+| B.java:15:21:15:27 | taint(...) | B.java:115:12:115:25 | serializedData |
+| B.java:15:21:15:27 | taint(...) | B.java:127:12:127:27 | deserializedData |
+| B.java:15:21:15:27 | taint(...) | B.java:136:10:136:21 | taintedArray |
+| B.java:15:21:15:27 | taint(...) | B.java:138:10:138:22 | taintedArray2 |
+| B.java:15:21:15:27 | taint(...) | B.java:140:10:140:22 | taintedArray3 |
+| B.java:15:21:15:27 | taint(...) | B.java:143:10:143:44 | toURL(...) |
+| B.java:15:21:15:27 | taint(...) | B.java:146:10:146:37 | toPath(...) |
+| B.java:15:21:15:27 | taint(...) | B.java:149:10:149:46 | toFile(...) |
 | MethodFlow.java:7:22:7:28 | taint(...) | MethodFlow.java:8:10:8:16 | tainted |
 | MethodFlow.java:9:31:9:37 | taint(...) | MethodFlow.java:10:10:10:17 | tainted2 |
 | MethodFlow.java:11:35:11:41 | taint(...) | MethodFlow.java:12:10:12:17 | tainted3 |