Merge pull request #15291 from egregius313/egregius313/java/dataflow/default-sanitizers

Java: Introduce a common sanitizer type for types which cannot realistically carry taint.

java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added a new library `semmle.code.java.security.Sanitizers` which contains a new sanitizer class `SimpleTypeSanitizer`, which represents nodes which cannot realistically carry taint for most queries (e.g. primitives, their boxed equivalents, and numeric types).
+* Converted definitions of `isBarrier` and sanitizer classes to use `SimpleTypeSanitizer` instead of checking if `node.getType()` is `PrimitiveType` or `BoxedType`.

java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll

@@ -3,6 +3,7 @@
 import java
 private import semmle.code.java.security.Encryption
 private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.Sanitizers
 
 private class ShortStringLiteral extends StringLiteral {
   ShortStringLiteral() { this.getValue().length() < 100 }
@@ -27,9 +28,7 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 }
 
 /**

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -12,6 +12,7 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.security.CommandArguments
 private import semmle.code.java.security.ExternalProcess
+private import semmle.code.java.security.Sanitizers
 
 /** A sink for command injection vulnerabilities. */
 abstract class CommandInjectionSink extends DataFlow::Node { }
@@ -38,11 +39,7 @@ private class DefaultCommandInjectionSink extends CommandInjectionSink {
 
 private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer {
   DefaultCommandInjectionSanitizer() {
-    this.getType() instanceof PrimitiveType
-    or
-    this.getType() instanceof BoxedType
-    or
-    this.getType() instanceof NumberType
+    this instanceof SimpleTypeSanitizer
     or
     isSafeCommandArgument(this.asExpr())
   }

java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.ExternalProcess
 private import semmle.code.java.security.CommandArguments
+private import semmle.code.java.security.Sanitizers
 
 /** A taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */
 module ExecTaintedLocalConfig implements DataFlow::ConfigSig {
@@ -12,9 +13,7 @@ module ExecTaintedLocalConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
 
   predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType
-    or
-    node.getType() instanceof BoxedType
+    node instanceof SimpleTypeSanitizer
     or
     isSafeCommandArgument(node.asExpr())
   }

java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll

@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Networking
 import semmle.code.java.security.HttpsUrls
+private import semmle.code.java.security.Sanitizers
 
 /**
  * DEPRECATED: Use `HttpsStringToUrlOpenMethodFlow` instead.
@@ -38,9 +39,7 @@ module HttpStringToUrlOpenMethodFlowConfig implements DataFlow::ConfigSig {
     any(HttpUrlsAdditionalTaintStep c).step(node1, node2)
   }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 }
 
 /**

java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll

@@ -5,6 +5,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.Jndi
 import semmle.code.java.frameworks.SpringLdap
 import semmle.code.java.security.JndiInjection
+private import semmle.code.java.security.Sanitizers
 
 /**
  * DEPRECATED: Use `JndiInjectionFlow` instead.
@@ -19,8 +20,7 @@ deprecated class JndiInjectionFlowConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
 
   override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
+    node instanceof SimpleTypeSanitizer or
     node instanceof JndiInjectionSanitizer
   }
 
@@ -38,8 +38,7 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
 
   predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
+    node instanceof SimpleTypeSanitizer or
     node instanceof JndiInjectionSanitizer
   }
 

java/ql/lib/semmle/code/java/security/LdapInjection.qll

@@ -7,6 +7,7 @@ import semmle.code.java.frameworks.UnboundId
 import semmle.code.java.frameworks.SpringLdap
 import semmle.code.java.frameworks.ApacheLdap
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.security.Sanitizers
 
 /** A data flow sink for unvalidated user input that is used to construct LDAP queries. */
 abstract class LdapInjectionSink extends DataFlow::Node { }
@@ -33,12 +34,7 @@ private class DefaultLdapInjectionSink extends LdapInjectionSink {
 }
 
 /** A sanitizer that clears the taint on (boxed) primitive types. */
-private class DefaultLdapSanitizer extends LdapInjectionSanitizer {
-  DefaultLdapSanitizer() {
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof BoxedType
-  }
-}
+private class DefaultLdapSanitizer extends LdapInjectionSanitizer instanceof SimpleTypeSanitizer { }
 
 /**
  * Holds if `n1` to `n2` is a dataflow step that converts between `String` and `LdapName`,

java/ql/lib/semmle/code/java/security/LogInjection.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.controlflow.Guards
+private import semmle.code.java.security.Sanitizers
 
 /** A data flow sink for unvalidated user input that is used to log messages. */
 abstract class LogInjectionSink extends DataFlow::Node { }
@@ -30,13 +31,8 @@ private class DefaultLogInjectionSink extends LogInjectionSink {
   DefaultLogInjectionSink() { sinkNode(this, "log-injection") }
 }
 
-private class DefaultLogInjectionSanitizer extends LogInjectionSanitizer {
-  DefaultLogInjectionSanitizer() {
-    this.getType() instanceof BoxedType or
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof NumericType
-  }
-}
+private class DefaultLogInjectionSanitizer extends LogInjectionSanitizer instanceof SimpleTypeSanitizer
+{ }
 
 private class LineBreaksLogInjectionSanitizer extends LogInjectionSanitizer {
   LineBreaksLogInjectionSanitizer() {

java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll

@@ -3,6 +3,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.OgnlInjection
+private import semmle.code.java.security.Sanitizers
 
 /**
  * DEPRECATED: Use `OgnlInjectionFlow` instead.
@@ -33,9 +34,7 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)

java/ql/lib/semmle/code/java/security/RequestForgery.qll

@@ -10,6 +10,7 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.frameworks.Properties
 private import semmle.code.java.dataflow.StringPrefixes
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.security.Sanitizers
 
 /**
  * A unit class for adding additional taint steps that are specific to server-side request forgery (SSRF) attacks.
@@ -59,13 +60,7 @@ private class DefaultRequestForgerySink extends RequestForgerySink {
 /** A sanitizer for request forgery vulnerabilities. */
 abstract class RequestForgerySanitizer extends DataFlow::Node { }
 
-private class PrimitiveSanitizer extends RequestForgerySanitizer {
-  PrimitiveSanitizer() {
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof BoxedType or
-    this.getType() instanceof NumberType
-  }
-}
+private class PrimitiveSanitizer extends RequestForgerySanitizer instanceof SimpleTypeSanitizer { }
 
 private class HostnameSanitizingPrefix extends InterestingPrefix {
   int offset;

java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll

@@ -2,6 +2,7 @@
 
 import java
 private import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.Sanitizers
 import semmle.code.java.security.ResponseSplitting
 
 /**
@@ -16,9 +17,7 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
 
   predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType
-    or
-    node.getType() instanceof BoxedType
+    node instanceof SimpleTypeSanitizer
     or
     exists(MethodCall ma, string methodName, CompileTimeConstantExpr target |
       node.asExpr() = ma and

java/ql/lib/semmle/code/java/security/Sanitizers.qll

@@ -0,0 +1,15 @@
+/** Classes to represent sanitizers commonly used in dataflow and taint tracking configurations. */
+
+import java
+private import semmle.code.java.dataflow.DataFlow
+
+/**
+ * A node whose type is a simple type unlikely to carry taint, such as primitives or their boxed counterparts.
+ */
+class SimpleTypeSanitizer extends DataFlow::Node {
+  SimpleTypeSanitizer() {
+    this.getType() instanceof PrimitiveType or
+    this.getType() instanceof BoxedType or
+    this.getType() instanceof NumberType
+  }
+}

java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll

@@ -5,6 +5,7 @@ private import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.SensitiveActions
 import semmle.code.java.frameworks.android.Compose
+private import semmle.code.java.security.Sanitizers
 
 /** A variable that may hold sensitive information, judging by its name. */
 class CredentialExpr extends Expr {
@@ -55,9 +56,7 @@ module SensitiveLoggerConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node sanitizer) {
     sanitizer.asExpr() instanceof LiveLiteral or
-    sanitizer.getType() instanceof PrimitiveType or
-    sanitizer.getType() instanceof BoxedType or
-    sanitizer.getType() instanceof NumberType or
+    sanitizer instanceof SimpleTypeSanitizer or
     sanitizer.getType() instanceof TypeType
   }
 

java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.SqlConcatenatedLib
 private import semmle.code.java.security.SqlInjectionQuery
+private import semmle.code.java.security.Sanitizers
 
 private class UncontrolledStringBuilderSource extends DataFlow::ExprNode {
   UncontrolledStringBuilderSource() {
@@ -22,9 +23,7 @@ module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig
 
   predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 }
 
 /**

java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll

@@ -8,6 +8,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.Sanitizers
 import semmle.code.java.security.QueryInjection
 
 /**
@@ -41,11 +42,7 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
-    node.getType() instanceof NumberType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(AdditionalQueryInjectionTaintStep s).step(node1, node2)

java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll

@@ -6,6 +6,7 @@
 import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.SqlInjectionQuery
+private import semmle.code.java.security.Sanitizers
 
 /**
  * A taint-tracking configuration for reasoning about local user input that is
@@ -16,11 +17,7 @@ module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
-    node.getType() instanceof NumberType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(AdditionalQueryInjectionTaintStep s).step(node1, node2)

java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll

@@ -6,6 +6,7 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.security.PathSanitizer
+private import semmle.code.java.security.Sanitizers
 
 /**
  * A unit class for adding additional taint steps.
@@ -57,9 +58,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
 
   predicate isBarrier(DataFlow::Node sanitizer) {
-    sanitizer.getType() instanceof BoxedType or
-    sanitizer.getType() instanceof PrimitiveType or
-    sanitizer.getType() instanceof NumberType or
+    sanitizer instanceof SimpleTypeSanitizer or
     sanitizer instanceof PathInjectionSanitizer
   }
 
@@ -80,9 +79,7 @@ module TaintedPathLocalConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
 
   predicate isBarrier(DataFlow::Node sanitizer) {
-    sanitizer.getType() instanceof BoxedType or
-    sanitizer.getType() instanceof PrimitiveType or
-    sanitizer.getType() instanceof NumberType or
+    sanitizer instanceof SimpleTypeSanitizer or
     sanitizer instanceof PathInjectionSanitizer
   }
 

java/ql/lib/semmle/code/java/security/TemplateInjection.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.Sanitizers
 
 /**
  * A source for server-side template injection (SST) vulnerabilities.
@@ -89,10 +90,5 @@ private class DefaultTemplateInjectionSink extends TemplateInjectionSink {
   DefaultTemplateInjectionSink() { sinkNode(this, "template-injection") }
 }
 
-private class DefaultTemplateInjectionSanitizer extends TemplateInjectionSanitizer {
-  DefaultTemplateInjectionSanitizer() {
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof BoxedType or
-    this.getType() instanceof NumericType
-  }
-}
+private class DefaultTemplateInjectionSanitizer extends TemplateInjectionSanitizer instanceof SimpleTypeSanitizer
+{ }

java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll

@@ -6,6 +6,7 @@ private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.frameworks.owasp.Esapi
+private import semmle.code.java.security.Sanitizers
 
 /**
  * A source of data that crosses a trust boundary.
@@ -57,9 +58,7 @@ module TrustBoundaryConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node instanceof TrustBoundaryValidationSanitizer or
     node.getType() instanceof HttpServletSession or
-    node.getType() instanceof NumberType or
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType
+    node instanceof SimpleTypeSanitizer
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink }

java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.frameworks.android.Android
 private import semmle.code.java.security.PathSanitizer
+private import semmle.code.java.security.Sanitizers
 
 /** A URI that gets resolved by a `ContentResolver`. */
 abstract class ContentUriResolutionSink extends DataFlow::Node { }
@@ -42,13 +43,8 @@ private class UriOpeningContentResolverMethod extends Method {
   }
 }
 
-private class UninterestingTypeSanitizer extends ContentUriResolutionSanitizer {
-  UninterestingTypeSanitizer() {
-    this.getType() instanceof BoxedType or
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof NumberType
-  }
-}
+private class UninterestingTypeSanitizer extends ContentUriResolutionSanitizer instanceof SimpleTypeSanitizer
+{ }
 
 private class PathSanitizer extends ContentUriResolutionSanitizer instanceof PathInjectionSanitizer {
 }

java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll

@@ -5,6 +5,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XmlParsers
 import semmle.code.java.security.XsltInjection
+private import semmle.code.java.security.Sanitizers
 
 /**
  * DEPRECATED: Use `XsltInjectionFlow` instead.
@@ -35,9 +36,7 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(XsltInjectionAdditionalTaintStep c).step(node1, node2)

java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll

@@ -5,6 +5,7 @@ import codeql.regex.nfa.SuperlinearBackTracking::Make<TreeView> as SuperlinearBa
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.regex.RegexFlowConfigs
 import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.Sanitizers
 
 /** A sink for polynomial redos queries, where a regex is matched. */
 class PolynomialRedosSink extends DataFlow::Node {
@@ -75,8 +76,7 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
+    node instanceof SimpleTypeSanitizer or
     node.asExpr().(MethodCall).getMethod() instanceof LengthRestrictedMethod
   }
 }

java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql

@@ -19,6 +19,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.security.Sanitizers
 import Log4jInjectionFlow::PathGraph
 
 private class ActivateModels extends ActiveExperimentalModels {
@@ -33,11 +34,7 @@ class Log4jInjectionSink extends DataFlow::Node {
 /**
  * A node that sanitizes a message before logging to avoid log injection.
  */
-class Log4jInjectionSanitizer extends DataFlow::Node {
-  Log4jInjectionSanitizer() {
-    this.getType() instanceof BoxedType or this.getType() instanceof PrimitiveType
-  }
-}
+class Log4jInjectionSanitizer extends DataFlow::Node instanceof SimpleTypeSanitizer { }
 
 /**
  * A taint-tracking configuration for tracking untrusted user input used in log entries.

java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql

@@ -18,6 +18,7 @@ import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.FlowSources
 import JFinalController
 import semmle.code.java.security.PathSanitizer
+private import semmle.code.java.security.Sanitizers
 import InjectFilePathFlow::PathGraph
 
 private class ActivateModels extends ActiveExperimentalModels {
@@ -56,7 +57,7 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) {
-    exists(Type t | t = node.getType() | t instanceof BoxedType or t instanceof PrimitiveType)
+    node instanceof SimpleTypeSanitizer
     or
     node instanceof PathInjectionSanitizer
   }

java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll

@@ -2,6 +2,7 @@ import java
 import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.Sanitizers
 
 module ExecCmdFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
@@ -20,8 +21,7 @@ module ExecCmdFlowConfig implements DataFlow::ConfigSig {
     node instanceof AssignToNonZeroIndex or
     node instanceof ArrayInitAtNonZeroIndex or
     node instanceof StreamConcatAtNonZeroIndex or
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType
+    node instanceof SimpleTypeSanitizer
   }
 }
 
@@ -41,10 +41,7 @@ module ExecUserFlowConfig implements DataFlow::ConfigSig {
     )
   }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 }
 
 /** Tracks flow of unvalidated user input that is used in Runtime.Exec */

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql

@@ -17,6 +17,7 @@ import MyBatisCommonLib
 import MyBatisAnnotationSqlInjectionLib
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.Sanitizers
 import MyBatisAnnotationSqlInjectionFlow::PathGraph
 
 private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
@@ -24,11 +25,7 @@ private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSi
 
   predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
-    node.getType() instanceof NumberType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(MethodCall ma |

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql

@@ -17,6 +17,7 @@ import MyBatisCommonLib
 import MyBatisMapperXmlSqlInjectionLib
 import semmle.code.xml.MyBatisMapperXML
 import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.Sanitizers
 import MyBatisMapperXmlSqlInjectionFlow::PathGraph
 
 private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig {
@@ -24,11 +25,7 @@ private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig
 
   predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
-    node.getType() instanceof NumberType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(MethodCall ma |

java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql

@@ -14,6 +14,7 @@
 import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.Sanitizers
 import ClientSuppliedIpUsedInSecurityCheckLib
 import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph
 
@@ -38,9 +39,7 @@ module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig
       not aa.getIndexExpr().(CompileTimeConstantExpr).getIntValue() = 0
     )
     or
-    node.getType() instanceof PrimitiveType
-    or
-    node.getType() instanceof BoxedType
+    node instanceof SimpleTypeSanitizer
   }
 }
 

java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll

@@ -5,6 +5,7 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.StringPrefixes
 private import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
 private import experimental.semmle.code.java.frameworks.SpringResource
+private import semmle.code.java.security.Sanitizers
 
 private class ActiveModels extends ActiveExperimentalModels {
   ActiveModels() { this = "unsafe-url-forward" }
@@ -128,12 +129,7 @@ private class SpringModelAndViewSink extends UnsafeUrlForwardSink {
   }
 }
 
-private class PrimitiveSanitizer extends UnsafeUrlForwardSanitizer {
-  PrimitiveSanitizer() {
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof BoxedType or
-    this.getType() instanceof NumberType
-  }
+private class PrimitiveSanitizer extends UnsafeUrlForwardSanitizer instanceof SimpleTypeSanitizer {
 }
 
 private class SanitizingPrefix extends InterestingPrefix {