Marking an object as tainted after calling a method with an tainted argument (TestCase Aliasing5)

[rbonifacio]

After calling a method of an object "a" with a tainted object "b" as argument, object "a" (or at least one of its attributes" might also have to become tainted. Consider the following example:

protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  StringBuffer buf = new StringBuffer("abc"); 
  foo(buf, buf, resp, req);
}

void foo(StringBuffer buf, StringBuffer buf2, ServletResponse resp, ServletRequest req) throws IOException {
   String name = req.getParameter(FIELD_NAME);
   buf.append(name);
   PrintWriter writer = resp.getWriter();
   writer.println(buf2.toString());                              /* BAD */
}

After calling buf.append(name), where name is tainted, buf must be marked as tainted; or at least one of its attributes. Since buf2 might alias buf, we should report a possible vulnerability in the call to writer.println(buf2.toString())