From d27ee862427c4c2480de389a5ce19821b8ed3229 Mon Sep 17 00:00:00 2001
From: MarkLee131
Date: Wed, 29 Apr 2026 20:45:45 +0800
Subject: [PATCH] Java: refactor trust-boundary sanitizers into TrustBoundaryValidationSanitizer subclasses

Address review feedback by introducing dedicated subclasses of TrustBoundaryValidationSanitizer for SimpleTypeSanitizer, RegexpCheckBarrier, and the HttpServletSession type check, so isBarrier only references the abstract class.
---
 .../security/TrustBoundaryViolationQuery.qll | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
index 91e9b18cc9b..78589add96d 100644
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -31,18 +31,26 @@ private class ExternalTrustBoundaryValidationSanitizer extends TrustBoundaryVali
 ExternalTrustBoundaryValidationSanitizer() { barrierNode(this, "trust-boundary-violation") }
 }
+private class SimpleTypeTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer instanceof SimpleTypeSanitizer
+{ }
+
+private class RegexpCheckTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer instanceof RegexpCheckBarrier
+{ }
+
+private class HttpServletSessionTypeTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer
+{
+ HttpServletSessionTypeTrustBoundaryValidationSanitizer() {
+ this.getType() instanceof HttpServletSession
+ }
+}
+
 /**
 * Taint tracking for data that crosses a trust boundary.
 */
 module TrustBoundaryConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof TrustBoundaryViolationSource }
- predicate isBarrier(DataFlow::Node node) {
- node instanceof TrustBoundaryValidationSanitizer or
- node.getType() instanceof HttpServletSession or
- node instanceof SimpleTypeSanitizer or
- node instanceof RegexpCheckBarrier
- }
+ predicate isBarrier(DataFlow::Node node) { node instanceof TrustBoundaryValidationSanitizer }
 predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink }
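Review bot: The three added private classes have no QLDoc, and `HttpServletSessionTypeTrustBoundaryValidationSanitizer` is the one that most needs it: its characteristic predicate `this.getType() instanceof HttpServletSession` makes every node of that type a barrier, which is a type-based cut rather than a validation step. Once the intent is confirmed, a comment such as `/** A node of type HttpServletSession; presumably a barrier so that the session object itself is not tracked as tainted. */` would record why it sits under a "validation sanitizer" class. Folding the checks into the abstract class also widens its extent, so any use of `TrustBoundaryValidationSanitizer` other than `isBarrier` (none is visible in this hunk) now also matches `SimpleTypeSanitizer` and `RegexpCheckBarrier` nodes; if the class is exported, that deserves a sentence in its QLDoc or a change note. The body of `TrustBoundaryConfig` continues past the end of the hunk.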