Add exclusion to the ZipSlip query to avoid FPs

Author: atorralba

java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll

@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.PathSanitizer
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.security.PathCreation
 
 /**
  * A method that returns the name of an archive entry.
@@ -40,5 +41,25 @@ module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
  * A sink that represents a file creation, such as a file write, copy or move operation.
  */
 private class FileCreationSink extends DataFlow::Node {
-  FileCreationSink() { sinkNode(this, "path-injection") }
+  FileCreationSink() {
+    sinkNode(this, "path-injection") and
+    not isPathCreation(this)
+  }
+}
+
+/**
+ * Holds if `sink` is a path creation node that doesn't imply a read/write filesystem operation.
+ * This is to avoid creating new spurious alerts, since `PathCreation` sinks weren't
+ * previosuly part of this query.
+ */
+private predicate isPathCreation(DataFlow::Node sink) {
+  exists(PathCreation pc |
+    pc.getAnInput() = sink.asExpr() and
+    // exclude actual read/write operations included in `PathCreation`
+    not pc.(Call)
+        .getCallee()
+        .getDeclaringType()
+        .hasQualifiedName("java.io",
+          ["FileInputStream", "FileOutputStream", "FileReader", "FileWriter"])
+  )
 }