From e7b495e7d3a57fbf39105e3ce82d201c20df85e2 Mon Sep 17 00:00:00 2001
From: Arthur Baars
Date: Thu, 2 Jul 2020 12:38:22 +0200
Subject: [PATCH] Java: model Collections::addAll
---
 .../code/java/dataflow/internal/ContainerFlow.qll | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
index 7454ec7f7c0..ab9dd560d49 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -218,10 +218,17 @@ private predicate argToMethodStep(Expr tracked, MethodAccess sink) {
 */
 private predicate argToArgStep(Expr tracked, Expr sink) {
 exists(MethodAccess ma, Method method, int input, int output |
- taintPreservingArgToArg(method, input, output) and
 ma.getMethod() = method and
 ma.getArgument(input) = tracked and
- ma.getArgument(output) = sink
+ ma.getArgument(output) = sink and
+ (
+ taintPreservingArgToArg(method, input, output)
+ or
+ method.getDeclaringType().hasQualifiedName("java.util", "Collections") and
+ method.hasName("addAll") and
+ input >= 1 and
+ output = 0
+ )
 )
 }
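Review bot: The new `Collections.addAll` disjunct inside the `exists` is undocumented, and a reader has to work out that `input >= 1` together with `output = 0` encodes "every varargs element flows into the target collection"; a comment above it such as `// Collections.addAll(c, elements...): taint on any element (arg 1..n) reaches the collection c (arg 0)` would make that explicit, and the `input >= 1` bound is open-ended only because `ma.getArgument(input) = tracked` limits it to actual call arguments. This is also the only method-specific match written inline in `argToArgStep` rather than as a case of `taintPreservingArgToArg`, which the same hunk still consults; if that predicate cannot express a varargs index range, that is worth stating in the comment, otherwise moving the case there keeps the container model in one place. The doc comment that precedes the predicate starts outside the hunk, so if it enumerates the modelled methods it should be updated as well.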