Allow MaD barriers relating to ExternalLocationSink

owen-mc · owen-mc · commit b30bc5ea4458 · 2026-01-13T10:29:13.000Z
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll
@@ -4,6 +4,7 @@
 
 import csharp
 private import semmle.code.csharp.security.dataflow.flowsources.Remote
+private import semmle.code.csharp.dataflow.internal.ExternalFlow
 private import semmle.code.csharp.frameworks.system.Web
 private import semmle.code.csharp.security.SensitiveActions
 private import semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink
@@ -62,3 +63,5 @@ class ProtectSanitizer extends Sanitizer {
  * An external location sink.
  */
 class ExternalSink extends Sink instanceof ExternalLocationSink { }
+
+private class ExternalSanitizer extends Sanitizer instanceof ExternalLocationSanitizer { }
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll
@@ -46,3 +46,5 @@ private class PrivateDataSource extends Source {
 }
 
 private class ExternalLocation extends Sink instanceof ExternalLocationSink { }
+
+private class ExternalSanitizer extends Sanitizer instanceof ExternalLocationSanitizer { }
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll
@@ -126,3 +126,11 @@ class LocalFileOutputSink extends ExternalLocationSink {
     )
   }
 }
+
+/**
+ * A sanitizer for writing data to locations that are external to the
+ * application, defined through Models as Data.
+ */
+class ExternalLocationSanitizer extends DataFlow::Node {
+  ExternalLocationSanitizer() { barrierNode(this, "file-content-store") }
+}

Original file line number	Diff line number	Diff line change
`@@ -46,3 +46,5 @@ private class PrivateDataSource extends Source {`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`private class ExternalLocation extends Sink instanceof ExternalLocationSink { }`
	`49`	`+`
	`50`	`+private class ExternalSanitizer extends Sanitizer instanceof ExternalLocationSanitizer { }`
Original file line number	Diff line number	Diff line change
`@@ -126,3 +126,11 @@ class LocalFileOutputSink extends ExternalLocationSink {`
`126`	`126`	`)`
`127`	`127`	`}`
`128`	`128`	`}`
	`129`	`+`
	`130`	`+/**`
	`131`	`+ * A sanitizer for writing data to locations that are external to the`
	`132`	`+ * application, defined through Models as Data.`
	`133`	`+ */`
	`134`	`+class ExternalLocationSanitizer extends DataFlow::Node {`
	`135`	`+ ExternalLocationSanitizer() { barrierNode(this, "file-content-store") }`
	`136`	`+}`