Merge pull request #16550 from aschackmull/java/zipslip-number-sanitizer

Java: Improve sanitizer for java/zipslip

java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll

@@ -6,6 +6,7 @@ import semmle.code.java.security.PathSanitizer
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.PathCreation
+private import semmle.code.java.security.Sanitizers
 
 /**
  * A method that returns the name of an archive entry.
@@ -39,7 +40,10 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof FileCreationSink }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof PathInjectionSanitizer }
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof SimpleTypeSanitizer or
+    node instanceof PathInjectionSanitizer
+  }
 }
 
 /** Tracks flow from archive entries to file creation. */

java/ql/src/change-notes/2024-05-22-zipslip-number-sanitizer.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The sanitizer of the query `java/zipslip` has been improved to include nodes that are safe due to having certain safe types. This reduces false positives.