From 611b509088c2a3baa2e8bd4e0684e86d5a85793a Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 26 Sep 2025 15:03:23 +0100
Subject: [PATCH] Add existing models of file reads to local threat model sources
---
 java/ql/lib/semmle/code/java/dataflow/FlowSources.qll | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
index 8c6ac60eb24f..e36f5b8659b8 100644
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
@@ -30,6 +30,7 @@ import semmle.code.java.frameworks.Guice
 import semmle.code.java.frameworks.struts.StrutsActions
 import semmle.code.java.frameworks.Thrift
 import semmle.code.java.frameworks.javaee.jsf.JSFRenderer
+import semmle.code.java.security.FileReadWrite
 private import semmle.code.java.dataflow.ExternalFlow
 private import codeql.threatmodels.ThreatModels
@@ -248,7 +249,7 @@ private class StdinInput extends LocalUserInput {
 private class FileInput extends LocalUserInput {
 FileInput() {
 // Access to files.
- sourceNode(this, "file")
+ sourceNode(this, "file") or this.asExpr() instanceof FileReadExpr
 }
 override string getThreatModel() { result = "file" }
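Review bot: The added `import semmle.code.java.security.FileReadWrite` in the first hunk is a public import, so everything FileReadWrite declares is re-exported to every module that imports FlowSources. The only use visible in this patch is inside the private class `FileInput`, so unless the re-export is intended, `private import semmle.code.java.security.FileReadWrite` placed with the other private imports just below would leave the library's public namespace unchanged.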
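Review bot: The new disjunct `this.asExpr() instanceof FileReadExpr` in the `FileInput` characteristic predicate widens the `file` threat model beyond the models-as-data rows, yet the comment above it still reads only `// Access to files.` and the patch carries no test or change note for the added sources. FileReadExpr is defined outside this diff, so whether it overlaps the existing `sourceNode(this, "file")` rows cannot be checked from here. Anyone who enables the `file` or local threat model will presumably see new alerts, which is worth stating in a change note and pinning with a test case. I would extend the comment to something like `// Files read via models-as-data "file" sources, or via the file reads modelled by FileReadExpr.` The body of `FileInput` continues past the end of the hunk.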