Java: restrict sink to first arg of two-arg constructor call

Jami Cogswell · Jami Cogswell · commit d21c8d789b11 · 2025-02-05T21:19:59.000-05:00
diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -366,10 +366,16 @@ private module TaintedArgConfig implements DataFlow::ConfigSig {
     src.asExpr().(MethodCall).getMethod().getName() = "source"
   }
 
-  predicate isSink(DataFlow::Node sink) { exists(Call call | sink.asExpr() = call.getAnArgument()) }
+  predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() =
+      any(ConstructorCall constrCall |
+        constrCall.getConstructedType() instanceof TypeFile and
+        constrCall.getNumArgument() = 2
+      ).getArgument(0)
+  }
 }
 
-/** Tracks taint flow to any argument. */
+/** Tracks taint flow to the parent argument of a `File` constructor. */
 private module TaintedArgFlow = TaintTracking::Global<TaintedArgConfig>;
 
 /** Holds if `g` is a guard that checks for `..` components. */
