From 3dc465f167536d9a6ece5044bebc2eaedd6e00f2 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Tue, 17 Feb 2026 09:57:14 +0000
Subject: [PATCH] Accept MaD sanitizers for queries with MaD sinks

---
 .../lib/codeql/ruby/security/CodeInjectionCustomizations.qll  | 4 ++++
 .../codeql/ruby/security/CommandInjectionCustomizations.qll   | 4 ++++
 ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll        | 4 ++++
 .../lib/codeql/ruby/security/PathInjectionCustomizations.qll  | 4 ++++
 .../ruby/security/ServerSideRequestForgeryCustomizations.qll  | 4 ++++
 .../lib/codeql/ruby/security/SqlInjectionCustomizations.qll   | 4 ++++
 .../ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll | 4 ++++
 7 files changed, 28 insertions(+)

diff --git a/ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll
index ca79a079a10..0e84aa710b5 100644
--- a/ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll
@@ -118,4 +118,8 @@ module CodeInjection {
   private class ExternalCodeInjectionSink extends Sink {
     ExternalCodeInjectionSink() { ModelOutput::sinkNode(this, "code-injection") }
   }
+
+  private class ExternalCodeInjectionSanitizer extends Sanitizer {
+    ExternalCodeInjectionSanitizer() { ModelOutput::barrierNode(this, "code-injection") }
+  }
 }
diff --git a/ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll
index f36b72ae6b7..d9551177875 100644
--- a/ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll
@@ -57,4 +57,8 @@ module CommandInjection {
   private class ExternalCommandInjectionSink extends Sink {
     ExternalCommandInjectionSink() { ModelOutput::sinkNode(this, "command-injection") }
   }
+
+  private class ExternalCommandInjectionSanitizer extends Sanitizer {
+    ExternalCommandInjectionSanitizer() { ModelOutput::barrierNode(this, "command-injection") }
+  }
 }
diff --git a/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll
index 8111932c7df..a5230a8b845 100644
--- a/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll
@@ -67,6 +67,10 @@ class HtmlEscapingAsSanitizer extends Sanitizer {
   HtmlEscapingAsSanitizer() { this = any(HtmlEscaping esc).getOutput() }
 }
 
+private class ExternalLogInjectionSanitizer extends Sanitizer {
+  ExternalLogInjectionSanitizer() { ModelOutput::barrierNode(this, "log-injection") }
+}
+
 private module LogInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 
diff --git a/ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll
index 8a8b916f627..beab1af5dc4 100644
--- a/ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll
@@ -57,4 +57,8 @@ module PathInjection {
   private class ExternalPathInjectionSink extends Sink {
     ExternalPathInjectionSink() { ModelOutput::sinkNode(this, "path-injection") }
   }
+
+  private class ExternalPathInjectionSanitizer extends Sanitizer {
+    ExternalPathInjectionSanitizer() { ModelOutput::barrierNode(this, "path-injection") }
+  }
 }
diff --git a/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryCustomizations.qll
index 509900a12e1..e64abe413b8 100644
--- a/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryCustomizations.qll
@@ -46,4 +46,8 @@ module ServerSideRequestForgery {
   private class ExternalRequestForgerySink extends Sink {
     ExternalRequestForgerySink() { ModelOutput::sinkNode(this, "request-forgery") }
   }
+
+  private class ExternalRequestForgerySanitizer extends Sanitizer {
+    ExternalRequestForgerySanitizer() { ModelOutput::barrierNode(this, "request-forgery") }
+  }
 }
diff --git a/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll
index 1bf14dc3b28..7d6f16731a5 100644
--- a/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll
@@ -61,4 +61,8 @@ module SqlInjection {
   private class ExternalSqlInjectionSink extends Sink {
     ExternalSqlInjectionSink() { ModelOutput::sinkNode(this, "sql-injection") }
   }
+
+  private class ExternalSqlInjectionSanitizer extends Sanitizer {
+    ExternalSqlInjectionSanitizer() { ModelOutput::barrierNode(this, "sql-injection") }
+  }
 }
diff --git a/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll
index 4e02b3181e3..0cef83070a6 100644
--- a/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll
@@ -125,6 +125,10 @@ module UrlRedirect {
    */
   class StringInterpolationAsSanitizer extends PrefixedStringInterpolation, Sanitizer { }
 
+  private class ExternalUrlRedirectSanitizer extends Sanitizer {
+    ExternalUrlRedirectSanitizer() { ModelOutput::barrierNode(this, "url-redirection") }
+  }
+
   /**
    * These methods return a new `ActionController::Parameters` or a `Hash` containing a subset of
    * the original values. This may still contain user input, so the results are tainted.