Accept MaD sanitizers for queries with MaD sinks

owen-mc · owen-mc · commit 61e8f9140456 · 2026-02-17T12:45:24.000Z
diff --git a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll
@@ -82,4 +82,8 @@ module CorsPermissiveConfiguration {
       )
     }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "cors-origin") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -270,4 +270,8 @@ module ClientSideUrlRedirect {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "url-redirection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -438,4 +438,8 @@ module CodeInjection {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "code-injection") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "code-injection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll
@@ -58,4 +58,8 @@ module CommandInjection {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "command-injection") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "command-injection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
@@ -421,4 +421,8 @@ module DomBasedXss {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "html-injection") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "html-injection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll
@@ -44,4 +44,14 @@ module HardcodedCredentials {
       not (super.getCredentialsKind() = "jwt key" and isTestFile(this.getFile()))
     }
   }
+
+  /**
+   * Note that a sanitizer with kind `credentials-key` will sanitize flow to
+   * all sinks, not just sinks with the same kind.
+   */
+  private class CredentialSanitizerFromModel extends Sanitizer {
+    CredentialSanitizerFromModel() {
+      exists(string kind | ModelOutput::barrierNode(this, "credentials-" + kind))
+    }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
@@ -88,3 +88,7 @@ class JsonStringifySanitizer extends Sanitizer {
 private class SinkFromModel extends Sink {
   SinkFromModel() { ModelOutput::sinkNode(this, "log-injection") }
 }
+
+private class SanitizerFromModel extends Sanitizer {
+  SanitizerFromModel() { ModelOutput::barrierNode(this, "log-injection") }
+}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionCustomizations.qll
@@ -47,4 +47,8 @@ module NosqlInjection {
 
   /** An expression interpreted as a NoSql query, viewed as a sink. */
   class NosqlQuerySink extends Sink instanceof NoSql::Query { }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "nosql-injection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
@@ -147,4 +147,8 @@ module ReflectedXss {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "html-injection") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "html-injection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
@@ -114,4 +114,8 @@ module RequestForgery {
   class UriEncodingSanitizer extends Sanitizer instanceof Xss::Shared::UriEncodingSanitizer {
     UriEncodingSanitizer() { this.encodesPathSeparators() }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "request-forgery") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll
@@ -66,4 +66,8 @@ module ServerSideUrlRedirect {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "url-redirection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll
@@ -74,4 +74,8 @@ module SqlInjection {
       )
     }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "sql-injection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -1124,4 +1124,8 @@ module TaintedPath {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "path-injection") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "path-injection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll
@@ -69,4 +69,8 @@ module UnsafeDeserialization {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "unsafe-deserialization") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "unsafe-deserialization") }
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -82,4 +82,8 @@ module CorsPermissiveConfiguration {`
`82`	`82`	`)`
`83`	`83`	`}`
`84`	`84`	`}`
	`85`	`+`
	`86`	`+ private class SanitizerFromModel extends Sanitizer {`
	`87`	`+ SanitizerFromModel() { ModelOutput::barrierNode(this, "cors-origin") }`
	`88`	`+ }`
`85`	`89`	`}`
Original file line number	Diff line number	Diff line change
`@@ -270,4 +270,8 @@ module ClientSideUrlRedirect {`
`270`	`270`	`private class SinkFromModel extends Sink {`
`271`	`271`	`SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") }`
`272`	`272`	`}`
	`273`	`+`
	`274`	`+ private class SanitizerFromModel extends Sanitizer {`
	`275`	`+ SanitizerFromModel() { ModelOutput::barrierNode(this, "url-redirection") }`
	`276`	`+ }`
`273`	`277`	`}`
Original file line number	Diff line number	Diff line change
`@@ -438,4 +438,8 @@ module CodeInjection {`
`438`	`438`	`private class SinkFromModel extends Sink {`
`439`	`439`	`SinkFromModel() { ModelOutput::sinkNode(this, "code-injection") }`
`440`	`440`	`}`
	`441`	`+`
	`442`	`+ private class SanitizerFromModel extends Sanitizer {`
	`443`	`+ SanitizerFromModel() { ModelOutput::barrierNode(this, "code-injection") }`
	`444`	`+ }`
`441`	`445`	`}`
Original file line number	Diff line number	Diff line change
`@@ -58,4 +58,8 @@ module CommandInjection {`
`58`	`58`	`private class SinkFromModel extends Sink {`
`59`	`59`	`SinkFromModel() { ModelOutput::sinkNode(this, "command-injection") }`
`60`	`60`	`}`
	`61`	`+`
	`62`	`+ private class SanitizerFromModel extends Sanitizer {`
	`63`	`+ SanitizerFromModel() { ModelOutput::barrierNode(this, "command-injection") }`
	`64`	`+ }`
`61`	`65`	`}`
Original file line number	Diff line number	Diff line change
`@@ -421,4 +421,8 @@ module DomBasedXss {`
`421`	`421`	`private class SinkFromModel extends Sink {`
`422`	`422`	`SinkFromModel() { ModelOutput::sinkNode(this, "html-injection") }`
`423`	`423`	`}`
	`424`	`+`
	`425`	`+ private class SanitizerFromModel extends Sanitizer {`
	`426`	`+ SanitizerFromModel() { ModelOutput::barrierNode(this, "html-injection") }`
	`427`	`+ }`
`424`	`428`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,4 +44,14 @@ module HardcodedCredentials {`
`44`	`44`	`not (super.getCredentialsKind() = "jwt key" and isTestFile(this.getFile()))`
`45`	`45`	`}`
`46`	`46`	`}`
	`47`	`+`
	`48`	`+ /**`
	`49`	+ * Note that a sanitizer with kind `credentials-key` will sanitize flow to
	`50`	`+ * all sinks, not just sinks with the same kind.`
	`51`	`+ */`
	`52`	`+ private class CredentialSanitizerFromModel extends Sanitizer {`
	`53`	`+ CredentialSanitizerFromModel() {`
	`54`	`+ exists(string kind \| ModelOutput::barrierNode(this, "credentials-" + kind))`
	`55`	`+ }`
	`56`	`+ }`
`47`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -88,3 +88,7 @@ class JsonStringifySanitizer extends Sanitizer {`
`88`	`88`	`private class SinkFromModel extends Sink {`
`89`	`89`	`SinkFromModel() { ModelOutput::sinkNode(this, "log-injection") }`
`90`	`90`	`}`
	`91`	`+`
	`92`	`+private class SanitizerFromModel extends Sanitizer {`
	`93`	`+ SanitizerFromModel() { ModelOutput::barrierNode(this, "log-injection") }`
	`94`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -47,4 +47,8 @@ module NosqlInjection {`
`47`	`47`
`48`	`48`	`/** An expression interpreted as a NoSql query, viewed as a sink. */`
`49`	`49`	`class NosqlQuerySink extends Sink instanceof NoSql::Query { }`
	`50`	`+`
	`51`	`+ private class SanitizerFromModel extends Sanitizer {`
	`52`	`+ SanitizerFromModel() { ModelOutput::barrierNode(this, "nosql-injection") }`
	`53`	`+ }`
`50`	`54`	`}`
Original file line number	Diff line number	Diff line change
`@@ -147,4 +147,8 @@ module ReflectedXss {`
`147`	`147`	`private class SinkFromModel extends Sink {`
`148`	`148`	`SinkFromModel() { ModelOutput::sinkNode(this, "html-injection") }`
`149`	`149`	`}`
	`150`	`+`
	`151`	`+ private class SanitizerFromModel extends Sanitizer {`
	`152`	`+ SanitizerFromModel() { ModelOutput::barrierNode(this, "html-injection") }`
	`153`	`+ }`
`150`	`154`	`}`
Original file line number	Diff line number	Diff line change
`@@ -114,4 +114,8 @@ module RequestForgery {`
`114`	`114`	`class UriEncodingSanitizer extends Sanitizer instanceof Xss::Shared::UriEncodingSanitizer {`
`115`	`115`	`UriEncodingSanitizer() { this.encodesPathSeparators() }`
`116`	`116`	`}`
	`117`	`+`
	`118`	`+ private class SanitizerFromModel extends Sanitizer {`
	`119`	`+ SanitizerFromModel() { ModelOutput::barrierNode(this, "request-forgery") }`
	`120`	`+ }`
`117`	`121`	`}`