Merge pull request #2726 from aschackmull/java/outputstream-write-taint

Java: Improve taint for OutputStream.write and InputStream.read.

java/ql/test/library-tests/dataflow/taint/A.java

@@ -0,0 +1,27 @@
+import java.io.*;
+
+public class A {
+  byte[] taint() { return new byte[2]; }
+
+  void sink(Object o) { }
+
+  void test1() {
+    ByteArrayOutputStream bOutput = new ByteArrayOutputStream();
+    bOutput.write(taint(), 0, 1);
+    byte[] b = bOutput.toByteArray();
+    ByteArrayInputStream bInput = new ByteArrayInputStream(b);
+    byte[] b2 = new byte[10];
+    bInput.read(b2, 0, 1);
+    sink(b2);
+  }
+
+  void test2() {
+    ByteArrayOutputStream bOutput = new ByteArrayOutputStream();
+    bOutput.write(taint());
+    byte[] b = bOutput.toByteArray();
+    ByteArrayInputStream bInput = new ByteArrayInputStream(b);
+    byte[] b2 = new byte[10];
+    bInput.read(b2);
+    sink(b2);
+  }
+}

java/ql/test/library-tests/dataflow/taint/test.expected

@@ -0,0 +1,2 @@
+| A.java:10:19:10:25 | taint(...) | A.java:15:10:15:11 | b2 |
+| A.java:20:19:20:25 | taint(...) | A.java:25:10:25:11 | b2 |

java/ql/test/library-tests/dataflow/taint/test.ql

@@ -0,0 +1,18 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "qqconf" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    n.asExpr().(Argument).getCall().getCallee().hasName("sink")
+  }
+}
+
+from DataFlow::Node src, DataFlow::Node sink, Conf conf
+where conf.hasFlow(src, sink)
+select src, sink