Allow MaD sanitizers for java/xslt-injection

Author: owen-mc

java/ql/lib/semmle/code/java/security/XsltInjection.qll

@@ -5,6 +5,7 @@ module;
 import java
 import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.security.Sanitizers
 
 /**
  * A data flow sink for unvalidated user input that is used in XSLT transformation.
@@ -17,6 +18,16 @@ private class DefaultXsltInjectionSink extends XsltInjectionSink {
   DefaultXsltInjectionSink() { sinkNode(this, "xslt-injection") }
 }
 
+/** A default sink representing methods susceptible to XSLT Injection attacks. */
+abstract class XsltInjectionSanitizer extends DataFlow::Node { }
+
+private class SimpleTypeXsltInjectionSanitizer extends XsltInjectionSanitizer instanceof SimpleTypeSanitizer
+{ }
+
+private class ExternalXsltInjectionSanitizer extends XsltInjectionSanitizer {
+  ExternalXsltInjectionSanitizer() { barrierNode(this, "xslt-injection") }
+}
+
 /**
  * A unit class for adding additional taint steps.
  *

java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll

@@ -5,7 +5,6 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XmlParsers
 import semmle.code.java.security.XsltInjection
-private import semmle.code.java.security.Sanitizers
 
 /**
  * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
@@ -15,7 +14,7 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+  predicate isBarrier(DataFlow::Node node) { node instanceof XsltInjectionSanitizer }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(XsltInjectionAdditionalTaintStep c).step(node1, node2)