From d21c8d789b110f0fa47c9443fe0cb080e4dc5b60 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Wed, 5 Feb 2025 21:19:59 -0500
Subject: [PATCH] Java: restrict sink to first arg of two-arg constructor call

---
 .../ql/lib/semmle/code/java/security/PathSanitizer.qll | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
index 2fa32b67e52..b2bdd584b88 100644
--- a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -366,10 +366,16 @@ private module TaintedArgConfig implements DataFlow::ConfigSig {
 src.asExpr().(MethodCall).getMethod().getName() = "source"
 }
- predicate isSink(DataFlow::Node sink) { exists(Call call | sink.asExpr() = call.getAnArgument()) }
+ predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(ConstructorCall constrCall | constrCall.getConstructedType() instanceof TypeFile and constrCall.getNumArgument() = 2 ).getArgument(0) } }
- /** Tracks taint flow to any argument. */
+ /** Tracks taint flow to the parent argument of a `File` constructor. */
 private module TaintedArgFlow = TaintTracking::Global;
 /** Holds if `g` is a guard that checks for `..` components. */
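Review bot: The new `isSink` only matches constructor calls whose constructed type is exactly `java.io.File` (`constrCall.getConstructedType() instanceof TypeFile`), so a subclass instantiated with the same two arguments (`new MyFile(parent, child)`) is never a sink; if that narrowing is unintended, `constrCall.getConstructedType().getASourceSupertype*() instanceof TypeFile` would keep the parent argument of such calls in scope. The predicate also has no QLDoc, and only the module-level comment below records the intent; a line such as `/** Holds if `sink` is the parent (first) argument of a two-argument `java.io.File` constructor call, e.g. `new File(parent, child)`. */` above `predicate isSink` would make the restriction explicit to the next reader. Whether anything else in this file relied on the previous any-argument sink cannot be seen from the hunk, so uses of `TaintedArgFlow` elsewhere are worth rechecking after this narrowing. The enclosing `TaintedArgConfig` module begins before the hunk.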