diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
index 08a86092afb..57dfcd29117 100644
--- a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
@@ -35,6 +35,11 @@ private class DefaultIntentRedirectionSink extends IntentRedirectionSink {
 DefaultIntentRedirectionSink() { sinkNode(this, "intent-redirection") }
 }
 
+/** External sanitizers for Intent redirection vulnerabilities. */
+private class ExternalIntentRedirectionSanitizer extends IntentRedirectionSanitizer {
+ ExternalIntentRedirectionSanitizer() { barrierNode(this, "intent-redirection") }
+}
+
 /**
 * A default sanitizer for `Intent` nodes dominated by calls to `ComponentName.getPackageName`
 * and `ComponentName.getClassName`. These are used to check whether the origin or destination
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
index b6b9d02e289..273c5360b81 100644
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -37,6 +37,10 @@ private class DefaultCommandInjectionSink extends CommandInjectionSink {
 DefaultCommandInjectionSink() { sinkNode(this, "command-injection") }
 }
 
+private class ExternalCommandInjectionSanitizer extends CommandInjectionSanitizer {
+ ExternalCommandInjectionSanitizer() { barrierNode(this, "command-injection") }
+}
+
 private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer {
 DefaultCommandInjectionSanitizer() {
 this instanceof SimpleTypeSanitizer
diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjection.qll b/java/ql/lib/semmle/code/java/security/FragmentInjection.qll
index 8cd5e32a5ec..6a01b2c8b18 100644
--- a/java/ql/lib/semmle/code/java/security/FragmentInjection.qll
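Review bot: The QLDoc on the new `ExternalIntentRedirectionSanitizer` says where these sanitizers come from but not what accepting one implies: every node matched by `barrierNode(this, "intent-redirection")` becomes an `IntentRedirectionSanitizer`, and if the Intent redirection query consumes that class through `isBarrier` (as the Fragment injection hunk in this change does for its own sanitizer; the Intent redirection query module is not in this diff), taint flow through such a node is cut entirely. An over-broad external model, say one that marks a whole method's return value rather than the validated argument, would therefore silently suppress true positives. I would make that trust explicit in the comment, e.g. `/** External sanitizers for Intent redirection vulnerabilities: nodes declared as barriers of kind "intent-redirection" by an external model. Such a model is trusted to fully neutralise the tainted value. */`.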
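Review bot: `ExternalCommandInjectionSanitizer` in the CommandLineQuery.qll hunk is added without a QLDoc comment, whereas the equivalent class added to AndroidIntentRedirection.qll in this same change carries `/** External sanitizers for Intent redirection vulnerabilities. */`. The two classes are structurally identical (a private subclass whose characteristic predicate is `barrierNode(this, KIND)`), so they should be documented the same way; suggest `/** External sanitizers for command injection vulnerabilities. */` directly above the class. It would also help a reader to know that the kind string must match the kind used by the external barrier models, since a typo there yields an empty class rather than an error.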
+++ b/java/ql/lib/semmle/code/java/security/FragmentInjection.qll
@@ -49,6 +49,15 @@ private class DefaultFragmentInjectionSink extends FragmentInjectionSink {
 DefaultFragmentInjectionSink() { sinkNode(this, "fragment-injection") }
 }
 
+/**
+ * A barrier for Fragment injection vulnerabilities.
+ */
+abstract class FragmentInjectionSanitizer extends DataFlow::Node { }
+
+private class ExternalFragmentInjectionSanitizer extends FragmentInjectionSanitizer {
+ ExternalFragmentInjectionSanitizer() { barrierNode(this, "fragment-injection") }
+}
+
 private class DefaultFragmentInjectionAdditionalTaintStep extends FragmentInjectionAdditionalTaintStep {
 override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
index 40636ffd8c2..1cb9f711b6f 100644
--- a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
@@ -14,6 +14,8 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink }
 
+ predicate isBarrier(DataFlow::Node node) { node instanceof FragmentInjectionSanitizer }
+
 predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
 any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
 }
 
diff --git a/java/ql/lib/semmle/code/java/security/GroovyInjection.qll b/java/ql/lib/semmle/code/java/security/GroovyInjection.qll
index 45d66489777..d9a5db7b12d 100644
--- a/java/ql/lib/semmle/code/java/security/GroovyInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/GroovyInjection.qll
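Review bot: The new `abstract class FragmentInjectionSanitizer extends DataFlow::Node { }` in FragmentInjection.qll is not `private`, so it becomes a public extension point of the library, yet its three-line QLDoc only says "A barrier for Fragment injection vulnerabilities" and gives an extender no hint of the effect of subclassing it. The FragmentInjectionQuery.qll hunk in this same change shows that effect: `isBarrier(DataFlow::Node node) { node instanceof FragmentInjectionSanitizer }` in `FragmentInjectionTaintConfig`, so every member of the class stops taint flow in that configuration. I would say so, e.g. `/** A data flow sanitizer for Fragment injection vulnerabilities. Extend this class to add barriers to the Fragment injection taint configuration. */`, which also matches the "A data flow sanitizer for ..." wording used for `GroovyInjectionSanitizer` elsewhere in this diff. The hunk header announces six old-side lines but only five are shown, so the tail of `DefaultFragmentInjectionAdditionalTaintStep.step` (which continues outside the hunk) appears to be cut off here.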
@@ -26,6 +26,13 @@ private class DefaultGroovyInjectionSink extends GroovyInjectionSink {
 DefaultGroovyInjectionSink() { sinkNode(this, "groovy-injection") }
 }
 
+/** A data flow sanitizer for Groovy expression injection vulnerabilities. */
+abstract class GroovyInjectionSanitizer extends DataFlow::ExprNode { }
+
+private class ExternalGroovyInjectionSanitizer extends GroovyInjectionSanitizer {
+ ExternalGroovyInjectionSanitizer() { barrierNode(this, "groovy-injection") }
+}
+
 /** A set of additional taint steps to consider when taint tracking Groovy related data flows. */
 private class DefaultGroovyInjectionAdditionalTaintStep extends GroovyInjectionAdditionalTaintStep {
 override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
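Review bot: `GroovyInjectionSanitizer` is declared as `extends DataFlow::ExprNode`, whereas the sibling `FragmentInjectionSanitizer` added in this same change extends `DataFlow::Node`; because a QL subclass can only contain members of its supertype, any node returned by `barrierNode(this, "groovy-injection")` that is not an expression node is silently dropped from `ExternalGroovyInjectionSanitizer`, with no error to flag the lost barrier. If the external barrier format can designate non-expression nodes (parameter nodes, for instance) this means some configured sanitizers would never take effect for the Groovy query. Unless there is a reason to restrict Groovy barriers to expressions, I would align the two declarations: `abstract class GroovyInjectionSanitizer extends DataFlow::Node { }`. Whether the Groovy query module already has an `isBarrier` that consumes this class is not visible in this diff; if it does not, the new class has no effect until one is added, as the Fragment injection hunk does.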