Convert libraries to use instanceof SimpleScalarSanitizer

java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll

@@ -3,6 +3,7 @@
 import java
 private import semmle.code.java.security.Encryption
 private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 private class ShortStringLiteral extends StringLiteral {
   ShortStringLiteral() { this.getValue().length() < 100 }
@@ -27,9 +28,7 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
 }
 
 /**

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -12,6 +12,7 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.security.CommandArguments
 private import semmle.code.java.security.ExternalProcess
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /** A sink for command injection vulnerabilities. */
 abstract class CommandInjectionSink extends DataFlow::Node { }
@@ -38,11 +39,7 @@ private class DefaultCommandInjectionSink extends CommandInjectionSink {
 
 private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer {
   DefaultCommandInjectionSanitizer() {
-    this.getType() instanceof PrimitiveType
-    or
-    this.getType() instanceof BoxedType
-    or
-    this.getType() instanceof NumberType
+    this instanceof SimpleScalarSanitizer
     or
     isSafeCommandArgument(this.asExpr())
   }

java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.ExternalProcess
 private import semmle.code.java.security.CommandArguments
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /** A taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */
 module ExecTaintedLocalConfig implements DataFlow::ConfigSig {
@@ -12,9 +13,7 @@ module ExecTaintedLocalConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
 
   predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType
-    or
-    node.getType() instanceof BoxedType
+    node instanceof SimpleScalarSanitizer
     or
     isSafeCommandArgument(node.asExpr())
   }

java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll

@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Networking
 import semmle.code.java.security.HttpsUrls
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /**
  * DEPRECATED: Use `HttpsStringToUrlOpenMethodFlow` instead.
@@ -38,9 +39,7 @@ module HttpStringToUrlOpenMethodFlowConfig implements DataFlow::ConfigSig {
     any(HttpUrlsAdditionalTaintStep c).step(node1, node2)
   }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
 }
 
 /**

java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll

@@ -5,6 +5,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.Jndi
 import semmle.code.java.frameworks.SpringLdap
 import semmle.code.java.security.JndiInjection
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /**
  * DEPRECATED: Use `JndiInjectionFlow` instead.
@@ -19,8 +20,7 @@ deprecated class JndiInjectionFlowConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
 
   override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
+    node instanceof SimpleScalarSanitizer or
     node instanceof JndiInjectionSanitizer
   }
 
@@ -38,8 +38,7 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
 
   predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
+    node instanceof SimpleScalarSanitizer or
     node instanceof JndiInjectionSanitizer
   }
 

java/ql/lib/semmle/code/java/security/LdapInjection.qll

@@ -7,6 +7,7 @@ import semmle.code.java.frameworks.UnboundId
 import semmle.code.java.frameworks.SpringLdap
 import semmle.code.java.frameworks.ApacheLdap
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /** A data flow sink for unvalidated user input that is used to construct LDAP queries. */
 abstract class LdapInjectionSink extends DataFlow::Node { }
@@ -33,11 +34,7 @@ private class DefaultLdapInjectionSink extends LdapInjectionSink {
 }
 
 /** A sanitizer that clears the taint on (boxed) primitive types. */
-private class DefaultLdapSanitizer extends LdapInjectionSanitizer {
-  DefaultLdapSanitizer() {
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof BoxedType
-  }
+private class DefaultLdapSanitizer extends LdapInjectionSanitizer instanceof SimpleScalarSanitizer {
 }
 
 /**

java/ql/lib/semmle/code/java/security/LogInjection.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.controlflow.Guards
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /** A data flow sink for unvalidated user input that is used to log messages. */
 abstract class LogInjectionSink extends DataFlow::Node { }
@@ -30,13 +31,8 @@ private class DefaultLogInjectionSink extends LogInjectionSink {
   DefaultLogInjectionSink() { sinkNode(this, "log-injection") }
 }
 
-private class DefaultLogInjectionSanitizer extends LogInjectionSanitizer {
-  DefaultLogInjectionSanitizer() {
-    this.getType() instanceof BoxedType or
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof NumericType
-  }
-}
+private class DefaultLogInjectionSanitizer extends LogInjectionSanitizer instanceof SimpleScalarSanitizer
+{ }
 
 private class LineBreaksLogInjectionSanitizer extends LogInjectionSanitizer {
   LineBreaksLogInjectionSanitizer() {

java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll

@@ -3,6 +3,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.OgnlInjection
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /**
  * DEPRECATED: Use `OgnlInjectionFlow` instead.
@@ -33,9 +34,7 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)

java/ql/lib/semmle/code/java/security/RequestForgery.qll

@@ -10,6 +10,7 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.frameworks.Properties
 private import semmle.code.java.dataflow.StringPrefixes
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /**
  * A unit class for adding additional taint steps that are specific to server-side request forgery (SSRF) attacks.
@@ -59,12 +60,7 @@ private class DefaultRequestForgerySink extends RequestForgerySink {
 /** A sanitizer for request forgery vulnerabilities. */
 abstract class RequestForgerySanitizer extends DataFlow::Node { }
 
-private class PrimitiveSanitizer extends RequestForgerySanitizer {
-  PrimitiveSanitizer() {
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof BoxedType or
-    this.getType() instanceof NumberType
-  }
+private class PrimitiveSanitizer extends RequestForgerySanitizer instanceof SimpleScalarSanitizer {
 }
 
 private class HostnameSanitizingPrefix extends InterestingPrefix {

java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll

@@ -2,6 +2,7 @@
 
 import java
 private import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.dataflow.CommonSanitizers
 import semmle.code.java.security.ResponseSplitting
 
 /**
@@ -16,9 +17,7 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
 
   predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType
-    or
-    node.getType() instanceof BoxedType
+    node instanceof SimpleScalarSanitizer
     or
     exists(MethodCall ma, string methodName, CompileTimeConstantExpr target |
       node.asExpr() = ma and

java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll

@@ -5,6 +5,7 @@ private import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.SensitiveActions
 import semmle.code.java.frameworks.android.Compose
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /** A variable that may hold sensitive information, judging by its name. */
 class CredentialExpr extends Expr {
@@ -55,9 +56,7 @@ module SensitiveLoggerConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node sanitizer) {
     sanitizer.asExpr() instanceof LiveLiteral or
-    sanitizer.getType() instanceof PrimitiveType or
-    sanitizer.getType() instanceof BoxedType or
-    sanitizer.getType() instanceof NumberType or
+    sanitizer instanceof SimpleScalarSanitizer or
     sanitizer.getType() instanceof TypeType
   }
 

java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.SqlConcatenatedLib
 private import semmle.code.java.security.SqlInjectionQuery
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 private class UncontrolledStringBuilderSource extends DataFlow::ExprNode {
   UncontrolledStringBuilderSource() {
@@ -22,9 +23,7 @@ module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig
 
   predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
 }
 
 /**

java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll

@@ -8,6 +8,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.dataflow.CommonSanitizers
 import semmle.code.java.security.QueryInjection
 
 /**
@@ -41,11 +42,7 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
-    node.getType() instanceof NumberType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(AdditionalQueryInjectionTaintStep s).step(node1, node2)

java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll

@@ -6,6 +6,7 @@
 import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.SqlInjectionQuery
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /**
  * A taint-tracking configuration for reasoning about local user input that is
@@ -16,11 +17,7 @@ module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
-    node.getType() instanceof NumberType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(AdditionalQueryInjectionTaintStep s).step(node1, node2)

java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll

@@ -6,6 +6,7 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.security.PathSanitizer
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /**
  * A unit class for adding additional taint steps.
@@ -57,9 +58,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
 
   predicate isBarrier(DataFlow::Node sanitizer) {
-    sanitizer.getType() instanceof BoxedType or
-    sanitizer.getType() instanceof PrimitiveType or
-    sanitizer.getType() instanceof NumberType or
+    sanitizer instanceof SimpleScalarSanitizer or
     sanitizer instanceof PathInjectionSanitizer
   }
 
@@ -80,9 +79,7 @@ module TaintedPathLocalConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
 
   predicate isBarrier(DataFlow::Node sanitizer) {
-    sanitizer.getType() instanceof BoxedType or
-    sanitizer.getType() instanceof PrimitiveType or
-    sanitizer.getType() instanceof NumberType or
+    sanitizer instanceof SimpleScalarSanitizer or
     sanitizer instanceof PathInjectionSanitizer
   }
 

java/ql/lib/semmle/code/java/security/TemplateInjection.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /**
  * A source for server-side template injection (SST) vulnerabilities.
@@ -89,10 +90,5 @@ private class DefaultTemplateInjectionSink extends TemplateInjectionSink {
   DefaultTemplateInjectionSink() { sinkNode(this, "template-injection") }
 }
 
-private class DefaultTemplateInjectionSanitizer extends TemplateInjectionSanitizer {
-  DefaultTemplateInjectionSanitizer() {
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof BoxedType or
-    this.getType() instanceof NumericType
-  }
-}
+private class DefaultTemplateInjectionSanitizer extends TemplateInjectionSanitizer instanceof SimpleScalarSanitizer
+{ }

java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll

@@ -6,6 +6,7 @@ private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.frameworks.owasp.Esapi
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /**
  * A source of data that crosses a trust boundary.
@@ -57,9 +58,7 @@ module TrustBoundaryConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node instanceof TrustBoundaryValidationSanitizer or
     node.getType() instanceof HttpServletSession or
-    node.getType() instanceof NumberType or
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType
+    node instanceof SimpleScalarSanitizer
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink }

java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.frameworks.android.Android
 private import semmle.code.java.security.PathSanitizer
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /** A URI that gets resolved by a `ContentResolver`. */
 abstract class ContentUriResolutionSink extends DataFlow::Node { }
@@ -42,13 +43,8 @@ private class UriOpeningContentResolverMethod extends Method {
   }
 }
 
-private class UninterestingTypeSanitizer extends ContentUriResolutionSanitizer {
-  UninterestingTypeSanitizer() {
-    this.getType() instanceof BoxedType or
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof NumberType
-  }
-}
+private class UninterestingTypeSanitizer extends ContentUriResolutionSanitizer instanceof SimpleScalarSanitizer
+{ }
 
 private class PathSanitizer extends ContentUriResolutionSanitizer instanceof PathInjectionSanitizer {
 }

java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll

@@ -5,6 +5,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XmlParsers
 import semmle.code.java.security.XsltInjection
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /**
  * DEPRECATED: Use `XsltInjectionFlow` instead.
@@ -35,9 +36,7 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(XsltInjectionAdditionalTaintStep c).step(node1, node2)

java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll

@@ -5,6 +5,7 @@ import codeql.regex.nfa.SuperlinearBackTracking::Make<TreeView> as SuperlinearBa
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.regex.RegexFlowConfigs
 import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 /** A sink for polynomial redos queries, where a regex is matched. */
 class PolynomialRedosSink extends DataFlow::Node {
@@ -75,8 +76,7 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
+    node instanceof SimpleScalarSanitizer or
     node.asExpr().(MethodCall).getMethod() instanceof LengthRestrictedMethod
   }
 }