From f6e3c77145a3127c64f4db69de8aa164ea7c0606 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 9 Dec 2025 12:55:04 +0000
Subject: [PATCH] Convert path injection barrier to MaD
---
 java/ql/lib/ext/java.io.model.yml | 5 +++++
 .../semmle/code/java/security/PathSanitizer.qll | 16 +++-------------
 2 files changed, 8 insertions(+), 13 deletions(-)
diff --git a/java/ql/lib/ext/java.io.model.yml b/java/ql/lib/ext/java.io.model.yml
index 3582e2b78ac..07e39c9e12f 100644
--- a/java/ql/lib/ext/java.io.model.yml
+++ b/java/ql/lib/ext/java.io.model.yml
@@ -162,3 +162,8 @@ extensions:
 extensible: sourceModel
 data:
 - ["java.io", "FileInputStream", True, "FileInputStream", "", "", "Argument[this]", "file", "manual"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: barrierModel
+ data:
+ - ["java.io", "File", True, "getName", "()", "", "ReturnValue", "path-injection", "manual"]
diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
index da6f242bde5..2018004a3fb 100644
--- a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -4,6 +4,7 @@ module;

 import java
 private import semmle.code.java.controlflow.Guards
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.SSA
 private import semmle.code.java.frameworks.kotlin.IO
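Review bot: In the `java.io.model.yml` hunk the new `barrierModel` row sets the subtypes column to `True`, which as far as I can tell also treats overrides of `getName()` in `File` subclasses as path-injection barriers, whereas the removed `FileGetNameSanitizer` matched only calls whose target was `java.io.File.getName` itself. An override is free to return a string that still contains separators, so the wider match could suppress real findings; if it is not intended, the row could read `- ["java.io", "File", False, "getName", "()", "", "ReturnValue", "path-injection", "manual"]`, and otherwise a test with an overriding subclass would pin the behaviour. The row also loses the rationale that the deleted QLdoc carried, so I would add a comment above it such as `# File.getName() returns only the final path component; the result can still be "..", so it removes separators rather than every traversal`.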
@@ -288,19 +289,8 @@ private Method getSourceMethod(Method m) {
 result = m
 }

-/**
- * A sanitizer that protects against path injection vulnerabilities
- * by extracting the final component of the user provided path.
- *
- * TODO: convert this class to models-as-data if sanitizer support is added
- */
-private class FileGetNameSanitizer extends PathInjectionSanitizer {
- FileGetNameSanitizer() {
- exists(MethodCall mc |
- mc.getMethod().hasQualifiedName("java.io", "File", "getName") and
- this.asExpr() = mc
- )
- }
+private class DefaultPathInjectionSanitizer extends PathInjectionSanitizer {
+ DefaultPathInjectionSanitizer() { barrierNode(this, "path-injection") }
 }

 /** Holds if `g` is a guard that checks for `..` components. */
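Review bot: `DefaultPathInjectionSanitizer` is added without a QLdoc comment, although the class it replaces had one, and the kind string in `barrierNode(this, "path-injection")` is now the only link between this library and the `barrierModel` rows in the model files. A mismatch between that string and the kind column would presumably drop every modelled barrier without a compile error, so the coupling deserves one line of documentation. I would add above the class `/** A path injection sanitizer specified by a models-as-data barrier model with kind "path-injection". */`. The new class is complete within this hunk; the leading context is the tail of `getSourceMethod`, which starts outside it.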