GLAS cannot understand the taint flow propagating from sources to objects created through a parameterized constructor
In a scenario where an object is created by passing a tainted value to the constructor, and the tainted value is later accessed using getter methods and used in a sink, the engine cannot track the taint flow.

public class Test {
    public void help(HttpServletRequest request) {
        TestTwo testTwo = new TestTwo(request);
        String param = testTwo.getData();
        java.io.File fileTarget = new java.io.File(param);
    }
}

public class TestTwo {
    private HttpServletRequest request;

    public TestTwo(HttpServletRequest request) {
        this.request = request;
    }

    public String getData() {
        return request.getParameter("p");
    }
}

Attaching a playground link with the same scenario. https://semgrep.dev/playground/s/7KqKk
Edited by Chathumina Vimukthi
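
The flow in the report, traced step by step in a toy taint interpreter. This is an added example, not code from the issue and not how GLAS or Semgrep is implemented; the IR encoding, the `run`/`findings` functions and the `follow_calls` switch are assumptions made for illustration. It shows that the sink is only reached when the analysis follows the constructor's field store and the getter's field load.

```python
# Toy IR of the two classes from the report (constructed for this example).
PROGRAM = {
    "Test.help": (["request"], [
        ("new", "testTwo", "TestTwo", ["request"]),
        ("call", "param", "testTwo", "getData"),
        ("sink", "java.io.File", "param"),
    ]),
    "TestTwo.<init>": (["request"], [("setfield", "request", "request")]),
    "TestTwo.getData": ([], [
        ("getfield", "r", "request"),
        ("call", "v", "r", "getParameter"),
        ("return", "v"),
    ]),
}

def run(method, args, this, follow_calls):
    """Interpret one method; return (taint of return value, sinks hit by taint)."""
    params, body = PROGRAM[method]
    env = dict(zip(params, args))   # variable -> True/False, or dict for an object
    hits, ret = [], False
    for op, *a in body:
        if op == "new":                      # dst = new cls(args)
            dst, cls, argv = a
            obj = {"__class__": cls}         # per-object field taint map
            if follow_calls:                 # analyse the constructor body
                run(cls + ".<init>", [env[x] for x in argv], obj, True)
            env[dst] = obj
        elif op == "setfield":               # this.field = var
            this[a[0]] = env[a[1]]
        elif op == "getfield":               # var = this.field
            env[a[0]] = this.get(a[1], False)
        elif op == "call":                   # dst = recv.method()
            dst, recv, name = a
            target = env[recv]
            if isinstance(target, dict):     # call on a user-defined object
                env[dst] = False             # assumed untainted unless followed
                if follow_calls:
                    env[dst], h = run(target["__class__"] + "." + name, [], target, True)
                    hits += h
            else:                            # library call: result inherits receiver taint
                env[dst] = bool(target)
        elif op == "return":
            ret = env[a[0]]
        elif op == "sink" and env[a[1]] is True:
            hits.append((method, a[0]))
    return ret, hits

def findings(follow_calls):
    # The HttpServletRequest parameter of help() is treated as the taint source.
    return run("Test.help", [True], {}, follow_calls)[1]
```

`findings(False)` returns no results, matching the behaviour described in the report, while `findings(True)` reports the `java.io.File` sink in `Test.help`.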