Allow MaD sanitizers for java/xml/xpath-injection

owen-mc · owen-mc · commit 7175879c9a1c · 2026-01-08T15:23:49.000Z
diff --git a/java/ql/lib/semmle/code/java/security/XPath.qll b/java/ql/lib/semmle/code/java/security/XPath.qll
@@ -27,3 +27,10 @@ private class DefaultXPathInjectionSink extends XPathInjectionSink {
     )
   }
 }
+
+/** A sanitizer for XPath injection. */
+abstract class XPathInjectionSanitizer extends DataFlow::Node { }
+
+private class ExternalXPathInjectionSanitizer extends XPathInjectionSanitizer {
+  ExternalXPathInjectionSanitizer() { barrierNode(this, "xpath-injection") }
+}
diff --git a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
@@ -13,6 +13,8 @@ module XPathInjectionConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
 
+  predicate isBarrier(DataFlow::Node node) { node instanceof XPathInjectionSanitizer }
+
   predicate observeDiffInformedIncrementalMode() { any() }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -27,3 +27,10 @@ private class DefaultXPathInjectionSink extends XPathInjectionSink {`
`27`	`27`	`)`
`28`	`28`	`}`
`29`	`29`	`}`
	`30`	`+`
	`31`	`+/** A sanitizer for XPath injection. */`
	`32`	`+abstract class XPathInjectionSanitizer extends DataFlow::Node { }`
	`33`	`+`
	`34`	`+private class ExternalXPathInjectionSanitizer extends XPathInjectionSanitizer {`
	`35`	`+ ExternalXPathInjectionSanitizer() { barrierNode(this, "xpath-injection") }`
	`36`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,8 @@ module XPathInjectionConfig implements DataFlow::ConfigSig {`
`13`	`13`
`14`	`14`	`predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }`
`15`	`15`
	`16`	`+ predicate isBarrier(DataFlow::Node node) { node instanceof XPathInjectionSanitizer }`
	`17`	`+`
`16`	`18`	`predicate observeDiffInformedIncrementalMode() { any() }`
`17`	`19`	`}`
`18`	`20`