Allow non-query-specific MaD sanitizers

owen-mc · owen-mc · commit 1e6410804f9b · 2026-01-06T22:56:55.000Z
diff --git a/go/ql/lib/semmle/go/frameworks/XPath.qll b/go/ql/lib/semmle/go/frameworks/XPath.qll
@@ -29,6 +29,12 @@ module XPath {
       DefaultXPathExpressionString() { sinkNode(this, "xpath-injection") }
     }
   }
+
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  private class ExternalSanitizer extends Sanitizer {
+    ExternalSanitizer() { barrierNode(this, "xpath-injection") }
+  }
 }
 
 /**
diff --git a/go/ql/lib/semmle/go/security/CommandInjectionCustomizations.qll b/go/ql/lib/semmle/go/security/CommandInjectionCustomizations.qll
@@ -47,6 +47,10 @@ module CommandInjection {
     override predicate doubleDashIsSanitizing() { exec.doubleDashIsSanitizing() }
   }
 
+  private class ExternalSanitizer extends Sanitizer {
+    ExternalSanitizer() { barrierNode(this, "command-injection") }
+  }
+
   /**
    * A call to a regexp match function, considered as a barrier guard for command injection.
    */
diff --git a/go/ql/lib/semmle/go/security/HardcodedCredentials.qll b/go/ql/lib/semmle/go/security/HardcodedCredentials.qll
@@ -47,6 +47,13 @@ module HardcodedCredentials {
     CredentialsSink() { exists(string s | s.matches("credentials-%") | sinkNode(this, s)) }
   }
 
+  /** A use of a credential. */
+  private class ExternalCredentialsSanitizer extends Sanitizer {
+    ExternalCredentialsSanitizer() {
+      exists(string s | s.matches("credentials-%") | barrierNode(this, s))
+    }
+  }
+
   /**
    * Holds if the guard `g` in its branch `branch` validates the expression `e`
    * by comparing it to a literal.
diff --git a/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll b/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll
@@ -20,6 +20,8 @@ module MissingJwtSignatureCheck {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
+    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
     predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
     }
diff --git a/go/ql/lib/semmle/go/security/MissingJwtSignatureCheckCustomizations.qll b/go/ql/lib/semmle/go/security/MissingJwtSignatureCheckCustomizations.qll
@@ -54,4 +54,8 @@ module MissingJwtSignatureCheck {
   private class DefaultSink extends Sink {
     DefaultSink() { sinkNode(this, "jwt") }
   }
+
+  private class ExternalSanitizer extends Sanitizer {
+    ExternalSanitizer() { barrierNode(this, "jwt") }
+  }
 }
diff --git a/go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll b/go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll
@@ -75,6 +75,10 @@ module OpenUrlRedirect {
     }
   }
 
+  private class ExternalBarrier extends Barrier {
+    ExternalBarrier() { barrierNode(this, "url-redirection") }
+  }
+
   /**
    * An assignment of a safe value to the field `Path`, considered as a barrier for sanitizing
    * untrusted URLs.
diff --git a/go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll b/go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll
@@ -94,6 +94,10 @@ module RequestForgery {
     HostnameSanitizer() { hostnameSanitizingPrefixEdge(this, _) }
   }
 
+  private class ExternalRequestForgerySanitizer extends Sanitizer {
+    ExternalRequestForgerySanitizer() { barrierNode(this, "request-forgery") }
+  }
+
   /**
    * A call to a function called `isLocalUrl`, `isValidRedirect`, or similar, which is
    * considered a barrier guard.
diff --git a/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll b/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll
@@ -43,6 +43,10 @@ module SqlInjection {
   /** DEPRECATED: Use `SimpleTypeSanitizer` from semmle.go.security.Sanitizers instead. */
   deprecated class NumericOrBooleanSanitizer = SimpleTypeSanitizer;
 
+  private class ExternalSanitizer extends Sanitizer {
+    ExternalSanitizer() { barrierNode(this, ["nosql-injection", "sql-injection"]) }
+  }
+
   /**
    * A numeric- or boolean-typed node, considered a sanitizer for sql injection.
    */
diff --git a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
@@ -57,6 +57,10 @@ module TaintedPath {
     PathAsSink() { this = any(FileSystemAccess fsa).getAPathArgument() }
   }
 
+  private class ExternalSanitizer extends Sanitizer {
+    ExternalSanitizer() { barrierNode(this, "path-injection") }
+  }
+
   /**
    * A numeric- or boolean-typed node, considered a sanitizer for path traversal.
    */
diff --git a/go/ql/lib/semmle/go/security/XPathInjectionCustomizations.qll b/go/ql/lib/semmle/go/security/XPathInjectionCustomizations.qll
@@ -34,4 +34,7 @@ module XPathInjection {
 
   /** An XPath expression string, considered as a taint sink for XPath injection. */
   class XPathExpressionStringAsSink extends Sink instanceof XPath::XPathExpressionString { }
+
+  /** An XPath expression string, considered as a taint sink for XPath injection. */
+  class XPathSanitizer extends Sanitizer instanceof XPath::Sanitizer { }
 }
diff --git a/go/ql/lib/semmle/go/security/Xss.qll b/go/ql/lib/semmle/go/security/Xss.qll
@@ -88,6 +88,10 @@ module SharedXss {
     body.getAContentType().regexpMatch("(?i).*html.*")
   }
 
+  private class ExternalSanitizer extends Sanitizer {
+    ExternalSanitizer() { barrierNode(this, ["html-injection", "js-injection"]) }
+  }
+
   /**
    * A JSON marshaler, acting to sanitize a possible XSS vulnerability because the
    * marshaled value is very unlikely to be returned as an HTML content-type.

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,12 @@ module XPath {`
`29`	`29`	`DefaultXPathExpressionString() { sinkNode(this, "xpath-injection") }`
`30`	`30`	`}`
`31`	`31`	`}`
	`32`	`+`
	`33`	`+ abstract class Sanitizer extends DataFlow::Node { }`
	`34`	`+`
	`35`	`+ private class ExternalSanitizer extends Sanitizer {`
	`36`	`+ ExternalSanitizer() { barrierNode(this, "xpath-injection") }`
	`37`	`+ }`
`32`	`38`	`}`
`33`	`39`
`34`	`40`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,8 @@ module MissingJwtSignatureCheck {`
`20`	`20`
`21`	`21`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`22`	`22`
	`23`	`+ predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`24`	`+`
`23`	`25`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`24`	`26`	`any(AdditionalFlowStep s).step(nodeFrom, nodeTo)`
`25`	`27`	`}`
Original file line number	Diff line number	Diff line change
`@@ -54,4 +54,8 @@ module MissingJwtSignatureCheck {`
`54`	`54`	`private class DefaultSink extends Sink {`
`55`	`55`	`DefaultSink() { sinkNode(this, "jwt") }`
`56`	`56`	`}`
	`57`	`+`
	`58`	`+ private class ExternalSanitizer extends Sanitizer {`
	`59`	`+ ExternalSanitizer() { barrierNode(this, "jwt") }`
	`60`	`+ }`
`57`	`61`	`}`
Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,10 @@ module OpenUrlRedirect {`
`75`	`75`	`}`
`76`	`76`	`}`
`77`	`77`
	`78`	`+ private class ExternalBarrier extends Barrier {`
	`79`	`+ ExternalBarrier() { barrierNode(this, "url-redirection") }`
	`80`	`+ }`
	`81`	`+`
`78`	`82`	`/**`
`79`	`83`	* An assignment of a safe value to the field `Path`, considered as a barrier for sanitizing
`80`	`84`	`* untrusted URLs.`
Original file line number	Diff line number	Diff line change
`@@ -34,4 +34,7 @@ module XPathInjection {`
`34`	`34`
`35`	`35`	`/** An XPath expression string, considered as a taint sink for XPath injection. */`
`36`	`36`	`class XPathExpressionStringAsSink extends Sink instanceof XPath::XPathExpressionString { }`
	`37`	`+`
	`38`	`+ /** An XPath expression string, considered as a taint sink for XPath injection. */`
	`39`	`+ class XPathSanitizer extends Sanitizer instanceof XPath::Sanitizer { }`
`37`	`40`	`}`