Do taint Source and Sink compulsorily have to be functions? #859
akanksha1131 asked this question in Q&A (Unanswered)
Reply:
The parameter will be the source.
The taint sink in this case could be the second argument of the call to |
I want to write 3 queries:
Query 1: To detect taint sources.
Query 2: To detect taint sinks.
Query 3: To detect all paths between the detected sources and detected sinks.
To get better clarity on how to write predicates, the following are my doubts:
1)
A taint source is where potentially untrusted data enters the application.
Location of the taint source of a particular vulnerability:
A little context about the function:
The username parameter received from the HTTP request:
@RequestParam(value = "user", required = true) String username
is user-controlled data that originates from the HTTP request.
The username value is directly taken from the HTTP request without any validation or sanitization and is later used in the HTTP response.
Here the taint source will be the function: 'processLogin' or the parameter: @RequestParam(value = "user", required = true) String username?
Similarly,
A taint sink is where tainted data may be used in a way that could lead to a vulnerability.
Location:
The above function has a method Utils.setUsernameCookie :
Utils.setUsernameCookie(response, result.getString("username"));
This method directly uses the unvalidated username to set a cookie in the HTTP response headers, which could lead to HTTP Response Splitting if CR/LF characters are included and not properly handled.
If the username contains CR (\r) and LF (\n) characters, it could potentially inject malicious headers into the HTTP response if the application server did not sanitize these characters.
Here the taint sink is the function: setUsernameCookie or the encompassing function: processLogin?
Also, does the sink compulsorily have to be a function, or can it be something like `Class<?> cmdClass = Class.forName("com.veracode.verademo.commands." + ucfirst(command) + "Command")`, with reference to the following code:
```java
Class<?> cmdClass = Class.forName("com.veracode.verademo.commands." + ucfirst(command) + "Command");
BlabberCommand cmdObj = (BlabberCommand) cmdClass.getDeclaredConstructor(Connection.class, String.class)
        .newInstance(connect, username);
cmdObj.execute(blabberUsername);
```
Context for the above code snippet:
The command parameter is concatenated with the base class package and passed to Class.forName. This dynamic reflection call can lead to instantiation of any class specified in the input, allowing an attacker to execute arbitrary code if malicious or unexpected classes are loaded.
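As a worked example added here (not code from the discussion or from the CodeQL project's own query packs), the following single Java CodeQL path query encodes all three pieces the question asks about: the `@RequestParam` parameter (not the enclosing `processLogin` method) as the source, the argument positions of `setUsernameCookie` and `Class.forName` (not the methods themselves) as sinks, and taint flow between them. It assumes the CodeQL Java library's `DataFlow::ConfigSig` / `TaintTracking::Global` API; the query id, class names and alert message are assumptions.

```ql
/**
 * @name Untrusted request parameter reaches a sensitive argument
 * @kind path-problem
 * @id example/request-param-to-sink
 */
import java
import semmle.code.java.dataflow.TaintTracking

/** Query 1 (source): the data-flow node of a parameter annotated @RequestParam. */
class RequestParamSource extends DataFlow::Node {
  RequestParamSource() {
    exists(Parameter p |
      p.getAnAnnotation().getType().hasQualifiedName(
        "org.springframework.web.bind.annotation", "RequestParam") and
      this = DataFlow::parameterNode(p)
    )
  }
}

/** Query 2 (sinks): specific argument positions, not the callee as a whole. */
class UsernameCookieSink extends DataFlow::Node {
  UsernameCookieSink() {
    exists(MethodAccess ma |
      ma.getMethod().hasName("setUsernameCookie") and
      this.asExpr() = ma.getArgument(1) // the cookie value written to the response
    )
  }
}

class ClassForNameSink extends DataFlow::Node {
  ClassForNameSink() {
    exists(MethodAccess ma |
      ma.getMethod().hasQualifiedName("java.lang", "Class", "forName") and
      this.asExpr() = ma.getArgument(0) // the concatenated class-name expression
    )
  }
}

/** Query 3 (paths): taint tracking from any source to any sink. */
module RequestParamToSinkConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof RequestParamSource }
  predicate isSink(DataFlow::Node sink) {
    sink instanceof UsernameCookieSink or sink instanceof ClassForNameSink
  }
}
module RequestParamToSinkFlow = TaintTracking::Global<RequestParamToSinkConfig>;
import RequestParamToSinkFlow::PathGraph

from RequestParamToSinkFlow::PathNode source, RequestParamToSinkFlow::PathNode sink
where RequestParamToSinkFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "Untrusted value from $@ reaches a sensitive argument.", source.getNode(), "request parameter"
```

String concatenation is a taint-preserving step in the Java library, so the `"..." + ucfirst(command) + "Command"` expression is reported as tainted when `command` is a `@RequestParam` parameter.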