Java: Add flow out of Map and List

lcartey · lcartey · commit 7c4251deacec · 2020-06-16T09:50:32.000+01:00
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -358,6 +358,17 @@ private predicate taintPreservingQualifierToMethod(Method m) {
   m = any(GuiceProvider gp).getAnOverridingGetMethod()
   or
   m = any(ProtobufMessageLite p).getAGetterMethod()
+  or
+  m instanceof MapMethod and
+  (
+    m.getName().regexpMatch("get|entrySet|keySet|values")
+  )
+  or
+  m.getDeclaringType().getSourceDeclaration().getASourceSupertype*().hasQualifiedName("java.util", "List") and
+  (
+    m.getName().regexpMatch("get|toArray|subList|spliterator|set|iterator|listIterator") or
+    (m.getName().regexpMatch("remove") and not m.getReturnType() instanceof BooleanType)
+  )
 }
 
 private class StringReplaceMethod extends Method {
