Java: check for tainted parent arg

Author: Jami Cogswell

java/ql/lib/semmle/code/java/security/PathSanitizer.qll

@@ -363,6 +363,19 @@ private predicate maybeNull(Expr expr) {
   )
 }
 
+/** A taint-tracking configuration for reasoning about tainted nodes. */
+private module TaintedConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
+
+  predicate isSink(DataFlow::Node sink) { any() }
+}
+
+/** Tracks flow from any `ActiveThreatModelSource` to any node. */
+private module TaintedFlow = TaintTracking::Global<TaintedConfig>;
+
+/** Holds if `expr is tainted by an `ActiveThreatModelSource`. */
+private predicate isTainted(Expr expr) { TaintedFlow::flowToExpr(expr) }
+
 /** Holds if `g` is a guard that checks for `..` components. */
 private predicate pathTraversalGuard(Guard g, Expr e, boolean branch) {
   branch = g.(PathTraversalGuard).getBranch() and
@@ -382,6 +395,7 @@ private class FileConstructorSanitizer extends PathInjectionSanitizer {
       // `java.io.File` documentation states that such cases are
       // treated as if invoking the single-argument `File` constructor.
       not maybeNull(constrCall.getArgument(0)) and
+      not isTainted(constrCall.getArgument(0)) and
       arg = constrCall.getArgument(1) and
       (
         arg = DataFlow::BarrierGuard<pathTraversalGuard/3>::getABarrierNode().asExpr() or