Allow MaD sanitizers for java/unvalidated-url-redirection

owen-mc · owen-mc · commit 3dc07ce53239 · 2026-01-08T15:23:47.000Z
diff --git a/java/ql/lib/semmle/code/java/security/UrlRedirect.qll b/java/ql/lib/semmle/code/java/security/UrlRedirect.qll
@@ -50,5 +50,9 @@ private class ApacheUrlRedirectSink extends UrlRedirectSink {
   }
 }
 
-private class DefaultUrlRedirectSanitizer extends UrlRedirectSanitizer instanceof RequestForgerySanitizer
+private class RequestForgeryUrlRedirectSanitizer extends UrlRedirectSanitizer instanceof RequestForgerySanitizer
 { }
+
+private class ExternalUrlRedirectSanitizer extends UrlRedirectSanitizer {
+  ExternalUrlRedirectSanitizer() { barrierNode(this, "url-redirection") }
+}

Original file line number	Diff line number	Diff line change
`@@ -50,5 +50,9 @@ private class ApacheUrlRedirectSink extends UrlRedirectSink {`
`50`	`50`	`}`
`51`	`51`	`}`
`52`	`52`
`53`		`-private class DefaultUrlRedirectSanitizer extends UrlRedirectSanitizer instanceof RequestForgerySanitizer`
	`53`	`+private class RequestForgeryUrlRedirectSanitizer extends UrlRedirectSanitizer instanceof RequestForgerySanitizer`
`54`	`54`	`{ }`
	`55`	`+`
	`56`	`+private class ExternalUrlRedirectSanitizer extends UrlRedirectSanitizer {`
	`57`	`+ ExternalUrlRedirectSanitizer() { barrierNode(this, "url-redirection") }`
	`58`	`+}`