Java: False positive in java/path-injection, file path sanitizer is not taken into account.

Following a [FP report](https://discuss.lgtm.com/t/potential-false-positive/2131), we see that even if the file path is checked for `..`, an alert is still reported. There should be an additional sanitizing guard such as `!var.contains("..")` in the query