Sorry to be so blunt, but this particular "issue" is completely bogus.The supposed "source" and "sink" of this attack are not directly connected AT ALL!
The call to
remove_dir() function is not done on the HTTP request parameter value. First it is cleansed according to the PARAM_FILE, PARAM_PATH, PARAM_CLEANFILE, PARAM_SAFEDIR or PARAM_SAFEPATH rules, depending on where the received value is used, and what operations Moodle is going to do with it.
So unless there's some Moodle core code that misses those checks for the HTTP request parameters (highly unlikely, but always possible) before calling into
remove_dir(), then that issue is a false positive.
 When I say it's possible, I mean that there might be very few places where that may happen. Certainly not 541 places, as the report shown in your screenshot implies.