Java: refactor to use ValidationMethod

Jami Cogswell · Jami Cogswell · commit f38e696eca51 · 2025-01-31T14:26:27.000-05:00
diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -353,22 +353,26 @@ private class FileGetNameSanitizer extends PathInjectionSanitizer {
   }
 }
 
+/** Holds if `g` is a guard that checks for `..` components. */
+private predicate pathTraversalGuard(Guard g, Expr e, boolean branch) {
+  branch = g.(PathTraversalGuard).getBranch() and
+  localTaintFlowToPathGuard(e, g)
+}
+
 /**
  * A sanitizer that considers the second argument to a `File` constructor safe
  * if it is checked for `..` components (`PathTraversalGuard`) or if any internal
  * `..` components are removed from it (`PathNormalizeSanitizer`).
  */
 private class FileConstructorSanitizer extends PathInjectionSanitizer {
   FileConstructorSanitizer() {
-    exists(ConstructorCall constrCall, Argument arg, Expr guard |
+    exists(ConstructorCall constrCall, Argument arg |
       constrCall.getConstructedType() instanceof TypeFile and
       arg = constrCall.getArgument(1) and
       (
-        guard
-            .(PathTraversalGuard)
-            .controls(arg.getBasicBlock(), guard.(PathTraversalGuard).getBranch())
-        or
-        TaintTracking::localExprTaint(guard.(PathNormalizeSanitizer), arg)
+        arg = DataFlow::BarrierGuard<pathTraversalGuard/3>::getABarrierNode().asExpr() or
+        arg = ValidationMethod<pathTraversalGuard/3>::getAValidatedNode().asExpr() or
+        TaintTracking::localExprTaint(any(PathNormalizeSanitizer p), arg)
       ) and
       this.asExpr() = constrCall
     )
