Allow MaD sanitizers for java/unsafe-hostname-verification

Author: owen-mc

java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll

@@ -41,10 +41,11 @@ module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof HostnameVerifierSink }
 
-  predicate isBarrier(DataFlow::Node barrier) {
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof ExternalHostnameVerifierSanitizer
+    or
     // ignore nodes that are in functions that intentionally disable hostname verification
-    barrier
-        .getEnclosingCallable()
+    node.getEnclosingCallable()
         .getName()
         /*
          * Regex: (_)* :
@@ -88,6 +89,10 @@ private class HostnameVerifierSink extends DataFlow::Node {
   HostnameVerifierSink() { sinkNode(this, "hostname-verification") }
 }
 
+private class ExternalHostnameVerifierSanitizer extends DataFlow::Node {
+  ExternalHostnameVerifierSanitizer() { barrierNode(this, "hostname-verification") }
+}
+
 /**
  * Flags suggesting a deliberately unsafe `HostnameVerifier` usage.
  */