From d3b3af8ae666fdc5d235dcc867a77f1fd6fa6328 Mon Sep 17 00:00:00 2001
From: Tony Torralba
Date: Fri, 21 Jul 2023 13:54:09 +0200
Subject: [PATCH] Re-adds jump step

Note that this causes FP flow in the call context test cases
---
 .../code/java/frameworks/InputStream.qll | 23 +++++++++++++++++++
 .../library-tests/dataflow/stream-read/A.java | 2 +-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/java/ql/lib/semmle/code/java/frameworks/InputStream.qll b/java/ql/lib/semmle/code/java/frameworks/InputStream.qll
index 27d7da1b03a..8f37ecc24ea 100644
--- a/java/ql/lib/semmle/code/java/frameworks/InputStream.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/InputStream.qll
@@ -6,6 +6,29 @@ private import semmle.code.java.dataflow.FlowSteps
 private import semmle.code.java.dataflow.SSA
 private import semmle.code.java.dataflow.TaintTracking
 
+/**
+ * A jump taint step from an update of the `bytes[]` parameter in an override of the `InputStream.read` method
+ * to a class instance expression of the type extending `InputStream`.
+ *
+ * This models how a subtype of `InputStream` could be tainted by the definition of its methods, which will
+ * normally only happen in nested classes.
+ */
+private class InputStreamWrapperCapturedJumpStep extends AdditionalTaintStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(InputStreamRead m, NestedClass wrapper |
+      m.getDeclaringType() = wrapper and
+      wrapper.getASourceSupertype+() instanceof TypeInputStream
+    |
+      n1.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = m.getParameter(0).getAnAccess() and
+      n2.asExpr()
+          .(ClassInstanceExpr)
+          .getConstructedType()
+          .getASourceSupertype*()
+          .getSourceDeclaration() = wrapper
+    )
+  }
+}
+
 /**
  * A local taint step from the definition of a captured variable, the capturer of which
  * updates the `bytes[]` parameter in an override of the `InputStream.read` method,
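Review bot: The `n2` side of the new step is not call-context sensitive: once any `read` override declared in `wrapper` writes to its buffer parameter, every class instance expression of `wrapper` or of one of its subtypes anywhere in the program becomes a taint target, which is exactly the spurious flow the commit message admits and the A.java hunk now marks as `SPURIOUS` for `sink(wrapStream(null))`. If the case being modelled is really the nested or anonymous wrapper whose `read` body is visible at the instantiation site, the match could be tightened to the instantiation that defines the class, e.g. `n2.asExpr().(ClassInstanceExpr).getAnonymousClass() = wrapper` for anonymous classes, or by requiring the instance expression to sit inside `wrapper.getEnclosingType()`; I have not checked those predicates against this library version, so verify the API before adopting either. Whatever is chosen, the QLDoc should state the imprecision for query authors, e.g. ` * Note: this is a jump step with no call context, so every instantiation of the wrapper (or a subtype) is treated as tainted once any of its `read` overrides writes to the buffer, which can produce spurious flow.` Separately, the class name says `Captured`, but nothing in this predicate involves captured variables (that is the neighbouring local step, which continues past the end of the hunk), so a name such as `InputStreamWrapperInstanceJumpStep` would describe it better.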
diff --git a/java/ql/test/library-tests/dataflow/stream-read/A.java b/java/ql/test/library-tests/dataflow/stream-read/A.java
index 705977757a1..779f95bcefa 100644
--- a/java/ql/test/library-tests/dataflow/stream-read/A.java
+++ b/java/ql/test/library-tests/dataflow/stream-read/A.java
@@ -99,7 +99,7 @@ public class A {
   }
 
   public static void testWrapCall() {
-    sink(wrapStream(null)); // no flow
+    sink(wrapStream(null)); // $ SPURIOUS: hasTaintFlow
     sink(wrapStream(source())); // $ hasTaintFlow
   }