Java: refactor trust-boundary sanitizers into TrustBoundaryValidationSanitizer subclasses

Address review feedback by introducing dedicated subclasses of TrustBoundaryValidationSanitizer for SimpleTypeSanitizer, RegexpCheckBarrier, and the HttpServletSession type check, so isBarrier only references the abstract class.
2026-05-14 11:19:27 +02:00 · 2026-04-29 20:45:45 +08:00
parent af794ed3c0
commit d27ee86242
1 changed files with 14 additions and 6 deletions
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -31,18 +31,26 @@ private class ExternalTrustBoundaryValidationSanitizer extends TrustBoundaryVali
  ExternalTrustBoundaryValidationSanitizer() { barrierNode(this, "trust-boundary-violation") }
 }

+private class SimpleTypeTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer instanceof SimpleTypeSanitizer
+{ }
+
+private class RegexpCheckTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer instanceof RegexpCheckBarrier
+{ }
+
+private class HttpServletSessionTypeTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer
+{
+  HttpServletSessionTypeTrustBoundaryValidationSanitizer() {
+    this.getType() instanceof HttpServletSession
+  }
+}
+
 /**
 * Taint tracking for data that crosses a trust boundary.
 */
 module TrustBoundaryConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof TrustBoundaryViolationSource }

-  predicate isBarrier(DataFlow::Node node) {
-    node instanceof TrustBoundaryValidationSanitizer or
-    node.getType() instanceof HttpServletSession or
-    node instanceof SimpleTypeSanitizer or
-    node instanceof RegexpCheckBarrier
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof TrustBoundaryValidationSanitizer }

  predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink }