Allow non-query-specific MaD sanitizers

go/ql/lib/semmle/go/frameworks/XPath.qll

@@ -29,6 +29,12 @@ module XPath {
       DefaultXPathExpressionString() { sinkNode(this, "xpath-injection") }
     }
   }
+
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  private class ExternalSanitizer extends Sanitizer {
+    ExternalSanitizer() { barrierNode(this, "xpath-injection") }
+  }
 }
 
 /**

go/ql/lib/semmle/go/security/CommandInjectionCustomizations.qll

@@ -47,6 +47,10 @@ module CommandInjection {
     override predicate doubleDashIsSanitizing() { exec.doubleDashIsSanitizing() }
   }
 
+  private class ExternalSanitizer extends Sanitizer {
+    ExternalSanitizer() { barrierNode(this, "command-injection") }
+  }
+
   /**
    * A call to a regexp match function, considered as a barrier guard for command injection.
    */

go/ql/lib/semmle/go/security/HardcodedCredentials.qll

@@ -47,6 +47,13 @@ module HardcodedCredentials {
     CredentialsSink() { exists(string s | s.matches("credentials-%") | sinkNode(this, s)) }
   }
 
+  /** A use of a credential. */
+  private class ExternalCredentialsSanitizer extends Sanitizer {
+    ExternalCredentialsSanitizer() {
+      exists(string s | s.matches("credentials-%") | barrierNode(this, s))
+    }
+  }
+
   /**
    * Holds if the guard `g` in its branch `branch` validates the expression `e`
    * by comparing it to a literal.

go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll

@@ -20,6 +20,8 @@ module MissingJwtSignatureCheck {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
+    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
     predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
     }

go/ql/lib/semmle/go/security/MissingJwtSignatureCheckCustomizations.qll

@@ -54,4 +54,8 @@ module MissingJwtSignatureCheck {
   private class DefaultSink extends Sink {
     DefaultSink() { sinkNode(this, "jwt") }
   }
+
+  private class ExternalSanitizer extends Sanitizer {
+    ExternalSanitizer() { barrierNode(this, "jwt") }
+  }
 }

go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll

@@ -75,6 +75,10 @@ module OpenUrlRedirect {
     }
   }
 
+  private class ExternalBarrier extends Barrier {
+    ExternalBarrier() { barrierNode(this, "url-redirection") }
+  }
+
   /**
    * An assignment of a safe value to the field `Path`, considered as a barrier for sanitizing
    * untrusted URLs.

go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll

@@ -94,6 +94,10 @@ module RequestForgery {
     HostnameSanitizer() { hostnameSanitizingPrefixEdge(this, _) }
   }
 
+  private class ExternalRequestForgerySanitizer extends Sanitizer {
+    ExternalRequestForgerySanitizer() { barrierNode(this, "request-forgery") }
+  }
+
   /**
    * A call to a function called `isLocalUrl`, `isValidRedirect`, or similar, which is
    * considered a barrier guard.

go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll

@@ -43,6 +43,10 @@ module SqlInjection {
   /** DEPRECATED: Use `SimpleTypeSanitizer` from semmle.go.security.Sanitizers instead. */
   deprecated class NumericOrBooleanSanitizer = SimpleTypeSanitizer;
 
+  private class ExternalSanitizer extends Sanitizer {
+    ExternalSanitizer() { barrierNode(this, ["nosql-injection", "sql-injection"]) }
+  }
+
   /**
    * A numeric- or boolean-typed node, considered a sanitizer for sql injection.
    */

go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll

@@ -57,6 +57,10 @@ module TaintedPath {
     PathAsSink() { this = any(FileSystemAccess fsa).getAPathArgument() }
   }
 
+  private class ExternalSanitizer extends Sanitizer {
+    ExternalSanitizer() { barrierNode(this, "path-injection") }
+  }
+
   /**
    * A numeric- or boolean-typed node, considered a sanitizer for path traversal.
    */

go/ql/lib/semmle/go/security/XPathInjectionCustomizations.qll

@@ -34,4 +34,7 @@ module XPathInjection {
 
   /** An XPath expression string, considered as a taint sink for XPath injection. */
   class XPathExpressionStringAsSink extends Sink instanceof XPath::XPathExpressionString { }
+
+  /** An XPath expression string, considered as a taint sink for XPath injection. */
+  class XPathSanitizer extends Sanitizer instanceof XPath::Sanitizer { }
 }

go/ql/lib/semmle/go/security/Xss.qll

@@ -88,6 +88,10 @@ module SharedXss {
     body.getAContentType().regexpMatch("(?i).*html.*")
   }
 
+  private class ExternalSanitizer extends Sanitizer {
+    ExternalSanitizer() { barrierNode(this, ["html-injection", "js-injection"]) }
+  }
+
   /**
    * A JSON marshaler, acting to sanitize a possible XSS vulnerability because the
    * marshaled value is very unlikely to be returned as an HTML content-type.