From 396678fd554a4dcef1a2886d5b83762966dcb830 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Wed, 18 Mar 2020 10:54:40 +0100
Subject: [PATCH] Java: Add apache Base64 taint steps.

---
 .../code/java/dataflow/internal/TaintTrackingUtil.qll      | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index e8d632682c9f..62c3e6478590 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -445,6 +445,13 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
     method.getName() = "wrap" and arg = 0
   )
   or
+  method.getDeclaringType().hasQualifiedName("org.apache.commons.codec.binary", "Base64") and
+  (
+    method.getName() = "decodeBase64" and arg = 0
+    or
+    method.getName().matches("encodeBase64%") and arg = 0
+  )
+  or
   method.getDeclaringType().hasQualifiedName("org.apache.commons.io", "IOUtils") and
   (
     method.getName() = "buffer" and arg = 0