Accept MaD sanitizers for queries with MaD sinks

2026-02-24 02:43:40 +01:00 · 2026-02-17 09:57:14 +00:00
parent 79cbf2f1cf
commit 3dc465f167
7 changed files with 28 additions and 0 deletions
--- a/ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll
@@ -118,4 +118,8 @@ module CodeInjection {
  private class ExternalCodeInjectionSink extends Sink {
    ExternalCodeInjectionSink() { ModelOutput::sinkNode(this, "code-injection") }
  }
+
+  private class ExternalCodeInjectionSanitizer extends Sanitizer {
+    ExternalCodeInjectionSanitizer() { ModelOutput::barrierNode(this, "code-injection") }
+  }
 }
--- a/ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll
@@ -57,4 +57,8 @@ module CommandInjection {
  private class ExternalCommandInjectionSink extends Sink {
    ExternalCommandInjectionSink() { ModelOutput::sinkNode(this, "command-injection") }
  }
+
+  private class ExternalCommandInjectionSanitizer extends Sanitizer {
+    ExternalCommandInjectionSanitizer() { ModelOutput::barrierNode(this, "command-injection") }
+  }
 }
--- a/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll
@@ -67,6 +67,10 @@ class HtmlEscapingAsSanitizer extends Sanitizer {
  HtmlEscapingAsSanitizer() { this = any(HtmlEscaping esc).getOutput() }
 }

+private class ExternalLogInjectionSanitizer extends Sanitizer {
+  ExternalLogInjectionSanitizer() { ModelOutput::barrierNode(this, "log-injection") }
+}
+
 private module LogInjectionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll
@@ -57,4 +57,8 @@ module PathInjection {
  private class ExternalPathInjectionSink extends Sink {
    ExternalPathInjectionSink() { ModelOutput::sinkNode(this, "path-injection") }
  }
+
+  private class ExternalPathInjectionSanitizer extends Sanitizer {
+    ExternalPathInjectionSanitizer() { ModelOutput::barrierNode(this, "path-injection") }
+  }
 }
--- a/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryCustomizations.qll
@@ -46,4 +46,8 @@ module ServerSideRequestForgery {
  private class ExternalRequestForgerySink extends Sink {
    ExternalRequestForgerySink() { ModelOutput::sinkNode(this, "request-forgery") }
  }
+
+  private class ExternalRequestForgerySanitizer extends Sanitizer {
+    ExternalRequestForgerySanitizer() { ModelOutput::barrierNode(this, "request-forgery") }
+  }
 }
--- a/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll
@@ -61,4 +61,8 @@ module SqlInjection {
  private class ExternalSqlInjectionSink extends Sink {
    ExternalSqlInjectionSink() { ModelOutput::sinkNode(this, "sql-injection") }
  }
+
+  private class ExternalSqlInjectionSanitizer extends Sanitizer {
+    ExternalSqlInjectionSanitizer() { ModelOutput::barrierNode(this, "sql-injection") }
+  }
 }
--- a/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll
@@ -125,6 +125,10 @@ module UrlRedirect {
   */
  class StringInterpolationAsSanitizer extends PrefixedStringInterpolation, Sanitizer { }

+  private class ExternalUrlRedirectSanitizer extends Sanitizer {
+    ExternalUrlRedirectSanitizer() { ModelOutput::barrierNode(this, "url-redirection") }
+  }
+
  /**
   * These methods return a new `ActionController::Parameters` or a `Hash` containing a subset of
   * the original values. This may still contain user input, so the results are tainted.