mirror of
https://github.com/github/codeql.git
synced 2026-05-14 11:19:27 +02:00
9ff4ed286f
PathNormalizeSanitizer recognized Path.normalize() and File.getCanonicalPath()/getCanonicalFile(), but not Path.toRealPath(). toRealPath() is strictly stronger than normalize() (resolves symlinks and verifies file existence in addition to normalizing ".." components), and is functionally equivalent to File.getCanonicalPath() for the NIO.2 API. CERT FIO16-J and OWASP both recommend it for path traversal defense. This adds toRealPath to PathNormalizeSanitizer alongside normalize, reducing false positives for code using idiomatic NIO.2 path handling.