Detecting flow from a function parameter field to a member of a class (java)

[yuval-piiano]

Hi,

I have this Code:

public class ContainerClassFieldTaint {

    static void containerFieldTest(Email email) {
        Customer c = new Customer();
        c.setEmailAddress(email.getFrom());
    }

and I would like to find the flow from email parameter to the emailAddress of Customer ,
but can't figure out how to do it...
I found the source using

//source is the email parameter
 override predicate isSource(DataFlow::Node source) {

      exists(Parameter p |
        p = source.asParameter() and
        p.getName() = "email"

        )
   }
   
  //sink is a write to a email Address
  override predicate isSink(DataFlow::Node sink) {

   exists(FieldWrite write |
    write.getRhs() = sink.asExpr() and write.getName() = "emailAddress")

  }

and I can confirm that they mark the correct nodes, but I guess the .getFrom() access breaks the flow and there is no result for the flow I am trying to find, any idea how to do this?

Thanks,
Yuval

[atorralba]

You need to tell CodeQL that the getFrom method propagates taint from the email object. You can do that with an additional taint step:

  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
    exists(MethodAccess ma | ma.getMethod().hasName("getFrom") | // further restrict the method here as you see fit (e.g. declaring type)
      n1.asExpr() = ma.getQualifier() and
      n2.asExpr() = ma
    )
  }