Python: Deprecate and replace BarrierGuard class.

2025-12-22 11:46:32 +01:00 · 2022-06-17 13:34:59 +02:00
parent 87d5305f5b
commit f473a0a961
41 changed files with 186 additions and 131 deletions
--- a/python/ql/lib/semmle/python/Concepts.qll
+++ b/python/ql/lib/semmle/python/Concepts.qll
@@ -119,16 +119,21 @@ module Path {
  }

  /** A data-flow node that checks that a path is safe to access. */
-  class SafeAccessCheck extends DataFlow::BarrierGuard instanceof SafeAccessCheck::Range {
-    override predicate checks(ControlFlowNode node, boolean branch) {
-      SafeAccessCheck::Range.super.checks(node, branch)
-    }
+  class SafeAccessCheck extends DataFlow::ExprNode {
+    SafeAccessCheck() { this = DataFlow::BarrierGuard<safeAccessCheck/3>::getABarrierNode() }
+  }
+
+  private predicate safeAccessCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
+    g.(SafeAccessCheck::Range).checks(node, branch)
  }

  /** Provides a class for modeling new path safety checks. */
  module SafeAccessCheck {
    /** A data-flow node that checks that a path is safe to access. */
-    abstract class Range extends DataFlow::BarrierGuard { }
+    abstract class Range extends DataFlow::GuardNode {
+      /** Holds if this guard validates `node` upon evaluating to `branch`. */
+      abstract predicate checks(ControlFlowNode node, boolean branch);
+    }
  }
 }

--- a/python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll
@@ -3,8 +3,44 @@
 private import python
 private import semmle.python.dataflow.new.DataFlow

+private predicate stringConstCompare(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
+  exists(CompareNode cn | cn = g |
+    exists(StrConst str_const, Cmpop op |
+      op = any(Eq eq) and branch = true
+      or
+      op = any(NotEq ne) and branch = false
+    |
+      cn.operands(str_const.getAFlowNode(), op, node)
+      or
+      cn.operands(node, op, str_const.getAFlowNode())
+    )
+    or
+    exists(IterableNode str_const_iterable, Cmpop op |
+      op = any(In in_) and branch = true
+      or
+      op = any(NotIn ni) and branch = false
+    |
+      forall(ControlFlowNode elem | elem = str_const_iterable.getAnElement() |
+        elem.getNode() instanceof StrConst
+      ) and
+      cn.operands(node, op, str_const_iterable)
+    )
+  )
+}
+
 /** A validation of unknown node by comparing with a constant string value. */
-class StringConstCompare extends DataFlow::BarrierGuard, CompareNode {
+class StringConstCompareBarrier extends DataFlow::Node {
+  StringConstCompareBarrier() {
+    this = DataFlow::BarrierGuard<stringConstCompare/3>::getABarrierNode()
+  }
+}
+
+/**
+ * DEPRECATED: Use `StringConstCompareBarrier` instead.
+ *
+ * A validation of unknown node by comparing with a constant string value.
+ */
+deprecated class StringConstCompare extends DataFlow::BarrierGuard, CompareNode {
  ControlFlowNode checked_node;
  boolean safe_branch;

--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -540,6 +540,35 @@ class GuardNode extends ControlFlowNode {
 }

 /**
+ * Holds if the guard `g` validates `node` upon evaluating to `branch`.
+ *
+ * The expression `e` is expected to be a syntactic part of the guard `g`.
+ * For example, the guard `g` might be a call `isSafe(x)` and the expression `e`
+ * the argument `x`.
+ */
+signature predicate guardChecksSig(GuardNode g, ControlFlowNode node, boolean branch);
+
+/**
+ * Provides a set of barrier nodes for a guard that validates a node.
+ *
+ * This is expected to be used in `isBarrier`/`isSanitizer` definitions
+ * in data flow and taint tracking.
+ */
+module BarrierGuard<guardChecksSig/3 guardChecks> {
+  /** Gets a node that is safely guarded by the given guard check. */
+  ExprNode getABarrierNode() {
+    exists(GuardNode g, EssaDefinition def, ControlFlowNode node, boolean branch |
+      AdjacentUses::useOfDef(def, node) and
+      guardChecks(g, node, branch) and
+      AdjacentUses::useOfDef(def, result.asCfgNode()) and
+      g.controlsBlock(result.asCfgNode().getBasicBlock(), branch)
+    )
+  }
+}
+
+/**
+ * DEPRECATED: Use `BarrierGuard` module instead.
+ *
 * A guard that validates some expression.
 *
 * To use this in a configuration, extend the class and provide a
@@ -548,7 +577,7 @@ class GuardNode extends ControlFlowNode {
 *
 * It is important that all extending classes in scope are disjoint.
 */
-class BarrierGuard extends GuardNode {
+deprecated class BarrierGuard extends GuardNode {
  /** Holds if this guard validates `node` upon evaluating to `branch`. */
  abstract predicate checks(ControlFlowNode node, boolean branch);

--- a/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
@@ -10,12 +10,6 @@ private import semmle.python.ApiGraphs
 */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }

-/**
- * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
- * but not in local taint.
- */
-predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
 /**
 * Holds if default `TaintTracking::Configuration`s should allow implicit reads
 * of `c` at sinks and inputs to additional taint steps.
--- a/python/ql/lib/semmle/python/security/dataflow/CodeInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CodeInjectionCustomizations.qll
@@ -32,9 +32,11 @@ module CodeInjection {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `Sanitizer` instead.
+   *
   * A sanitizer guard for "code injection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of remote user input, considered as a flow source.
--- a/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {

  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/CommandInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CommandInjectionCustomizations.qll
@@ -32,9 +32,11 @@ module CommandInjection {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `Sanitizer` instead.
+   *
   * A sanitizer guard for "command injection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of remote user input, considered as a flow source.
@@ -83,5 +85,5 @@ module CommandInjection {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {

  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionCustomizations.qll
@@ -42,14 +42,18 @@ module LdapInjection {
  abstract class FilterSanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `DnSanitizer` instead.
+   *
   * A sanitizer guard for "ldap injection" vulnerabilities.
   */
-  abstract class DnSanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class DnSanitizerGuard extends DataFlow::BarrierGuard { }

  /**
+   * DEPRECATED: Use `FilterSanitizer` instead.
+   *
   * A sanitizer guard for "ldap injection" vulnerabilities.
   */
-  abstract class FilterSanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class FilterSanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of remote user input, considered as a flow source.
@@ -73,12 +77,12 @@ module LdapInjection {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsDnSanitizerGuard extends DnSanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsDnSanitizerGuard extends DnSanitizer, StringConstCompareBarrier { }

  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsFilterSanitizerGuard extends FilterSanitizerGuard, StringConstCompare {
+  class StringConstCompareAsFilterSanitizerGuard extends FilterSanitizer, StringConstCompareBarrier {
  }

  /**
--- a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll
@@ -26,7 +26,7 @@ class DnConfiguration extends TaintTracking::Configuration {

  override predicate isSanitizer(DataFlow::Node node) { node instanceof DnSanitizer }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof DnSanitizerGuard
  }
 }
@@ -44,7 +44,7 @@ class FilterConfiguration extends TaintTracking::Configuration {

  override predicate isSanitizer(DataFlow::Node node) { node instanceof FilterSanitizer }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof FilterSanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll
@@ -32,9 +32,11 @@ module LogInjection {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `Sanitizer` instead.
+   *
   * A sanitizer guard for "log injection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of remote user input, considered as a flow source.
@@ -51,7 +53,7 @@ module LogInjection {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }

  /**
   * A call to replace line breaks, considered as a sanitizer.
--- a/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {

  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/PathInjection.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PathInjection.qll
@@ -90,11 +90,13 @@ deprecated class NormalizedPathNotCheckedConfiguration extends TaintTracking2::C

  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+  override predicate isSanitizer(DataFlow::Node node) {
+    node instanceof Path::SafeAccessCheck
+    or
+    node instanceof Sanitizer
+  }

  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof Path::SafeAccessCheck
-    or
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/PathInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PathInjectionCustomizations.qll
@@ -43,9 +43,11 @@ module PathInjection {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `Sanitizer` instead.
+   *
   * A sanitizer guard for "path injection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of remote user input, considered as a flow source.
@@ -68,5 +70,5 @@ module PathInjection {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll
@@ -47,11 +47,11 @@ class Configuration extends TaintTracking::Configuration {
    node instanceof Path::PathNormalization and
    state instanceof NotNormalized
    or
-    node = any(Path::SafeAccessCheck c).getAGuardedNode() and
+    node instanceof Path::SafeAccessCheck and
    state instanceof NormalizedUnchecked
  }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }

--- a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll
@@ -44,9 +44,11 @@ module PolynomialReDoS {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `Sanitizer` instead.
+   *
   * A sanitizer guard for "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of remote user input, considered as a flow source.
@@ -74,5 +76,5 @@ module PolynomialReDoS {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {

  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSCustomizations.qll
@@ -32,9 +32,11 @@ module ReflectedXss {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `Sanitizer` instead.
+   *
   * A sanitizer guard for "reflected server-side cross-site scripting" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of remote user input, considered as a flow source.
@@ -72,7 +74,7 @@ module ReflectedXss {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
 }

 /** DEPRECATED: Alias for ReflectedXss */
--- a/python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {

  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/RegexInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/RegexInjectionCustomizations.qll
@@ -40,9 +40,11 @@ module RegexInjection {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `Sanitizer` instead.
+   *
   * A sanitizer guard for "regular expression injection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of remote user input, considered as a flow source.
--- a/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll
@@ -24,7 +24,7 @@ class Configuration extends TaintTracking::Configuration {

  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll
@@ -44,9 +44,11 @@ module ServerSideRequestForgery {
  abstract class FullUrlControlSanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `Sanitizer` instead.
+   *
   * A sanitizer guard for "Server-side request forgery" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of remote user input, considered as a flow source.
@@ -78,7 +80,7 @@ module ServerSideRequestForgery {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }

  /**
   * A string construction (concat, format, f-string) where the left side is not
--- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
@@ -34,7 +34,7 @@ class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configura
    node instanceof FullUrlControlSanitizer
  }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
@@ -65,7 +65,7 @@ class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Config

  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll
@@ -33,9 +33,11 @@ module SqlInjection {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `Sanitizer` instead.
+   *
   * A sanitizer guard for "SQL injection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of remote user input, considered as a flow source.
@@ -59,7 +61,7 @@ module SqlInjection {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }

  private import semmle.python.frameworks.data.ModelsAsData

--- a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {

  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureCustomizations.qll
@@ -32,9 +32,11 @@ module StackTraceExposure {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `Sanitizer` instead.
+   *
   * A sanitizer guard for "stack trace exposure" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of exception info, considered as a flow source.
--- a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {

  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }

--- a/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationCustomizations.qll
@@ -32,9 +32,11 @@ module UnsafeDeserialization {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `Sanitizer` instead.
+   *
   * A sanitizer guard for "code execution from deserialization" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of remote user input, considered as a flow source.
@@ -56,5 +58,5 @@ module UnsafeDeserialization {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {

  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll
@@ -32,9 +32,11 @@ module UrlRedirect {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `Sanitizer` instead.
+   *
   * A sanitizer guard for "URL redirection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of remote user input, considered as a flow source.
@@ -67,5 +69,5 @@ module UrlRedirect {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {

  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/XpathInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XpathInjectionCustomizations.qll
@@ -30,9 +30,11 @@ module XpathInjection {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `Sanitizer` instead.
+   *
   * A sanitizer guard for "XPath injection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of remote user input, considered as a flow source.
--- a/python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {

  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/src/experimental/semmle/python/security/InsecureRandomness.qll
+++ b/python/ql/src/experimental/semmle/python/security/InsecureRandomness.qll
@@ -30,7 +30,7 @@ module InsecureRandomness {

    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
      guard instanceof SanitizerGuard
    }
  }
--- a/python/ql/src/experimental/semmle/python/security/InsecureRandomnessCustomizations.qll
+++ b/python/ql/src/experimental/semmle/python/security/InsecureRandomnessCustomizations.qll
@@ -30,9 +30,11 @@ module InsecureRandomness {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
+   * DEPRECATED: Use `Sanitizer` instead.
+   *
   * A sanitizer guard for random values that are not cryptographically secure.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A random source that is not sufficient for security use. So far this is only made up
--- a/python/ql/src/experimental/semmle/python/security/dataflow/ReflectedXSS.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/ReflectedXSS.qll
@@ -23,12 +23,10 @@ class ReflectedXssConfiguration extends TaintTracking::Configuration {

  override predicate isSink(DataFlow::Node sink) { sink = any(EmailSender email).getHtmlBody() }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof StringConstCompare
-  }
-
  override predicate isSanitizer(DataFlow::Node sanitizer) {
    sanitizer = any(HtmlEscaping esc).getOutput()
+    or
+    sanitizer instanceof StringConstCompareBarrier
  }

  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
--- a/python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll
@@ -15,22 +15,17 @@ class CsvInjectionFlowConfig extends TaintTracking::Configuration {

  override predicate isSink(DataFlow::Node sink) { sink = any(CsvWriter cw).getAnInput() }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof StartsWithCheck or
-    guard instanceof StringConstCompare
+  override predicate isSanitizer(DataFlow::Node node) {
+    node = DataFlow::BarrierGuard<startsWithCheck/3>::getABarrierNode() or
+    node instanceof StringConstCompareBarrier
  }
 }

-private class StartsWithCheck extends DataFlow::BarrierGuard {
-  DataFlow::MethodCallNode mc;
-
-  StartsWithCheck() {
-    this = mc.asCfgNode() and
-    mc.calls(_, "startswith")
-  }
-
-  override predicate checks(ControlFlowNode node, boolean branch) {
+private predicate startsWithCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
+  exists(DataFlow::MethodCallNode mc |
+    g = mc.asCfgNode() and
+    mc.calls(_, "startswith") and
    node = mc.getObject().asCfgNode() and
    branch = true
-  }
+  )
 }
--- a/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/InlineTaintTest.ql
+++ b/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/InlineTaintTest.ql
@@ -2,7 +2,5 @@ import experimental.meta.InlineTaintTest
 import semmle.python.dataflow.new.BarrierGuards

 class CustomSanitizerOverrides extends TestTaintTrackingConfiguration {
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof StringConstCompare
-  }
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof StringConstCompareBarrier }
 }
--- a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.expected
@@ -4,20 +4,14 @@ failures
 isSanitizer
 | TestTaintTrackingConfiguration | test.py:21:39:21:39 | ControlFlowNode for s |
 | TestTaintTrackingConfiguration | test.py:34:39:34:39 | ControlFlowNode for s |
+| TestTaintTrackingConfiguration | test.py:52:28:52:28 | ControlFlowNode for s |
 | TestTaintTrackingConfiguration | test.py:66:10:66:29 | ControlFlowNode for emulated_escaping() |
-isSanitizerGuard
-| TestTaintTrackingConfiguration | test.py:51:8:51:26 | ControlFlowNode for emulated_is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:29:8:29:17 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:44:8:44:17 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:49:8:49:17 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:59:8:59:17 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:67:12:67:21 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:87:8:87:17 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:95:12:95:21 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:119:8:119:17 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:142:12:142:21 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:147:16:147:25 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:152:20:152:29 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_reference.py:30:8:30:17 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_reference.py:40:8:40:25 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_reference.py:55:8:55:21 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:30:28:30:28 | ControlFlowNode for s |
+| TestTaintTrackingConfiguration | test_logical.py:45:28:45:28 | ControlFlowNode for s |
+| TestTaintTrackingConfiguration | test_logical.py:50:28:50:28 | ControlFlowNode for s |
+| TestTaintTrackingConfiguration | test_logical.py:89:28:89:28 | ControlFlowNode for s |
+| TestTaintTrackingConfiguration | test_logical.py:100:28:100:28 | ControlFlowNode for s |
+| TestTaintTrackingConfiguration | test_logical.py:145:28:145:28 | ControlFlowNode for s |
+| TestTaintTrackingConfiguration | test_logical.py:148:28:148:28 | ControlFlowNode for s |
+| TestTaintTrackingConfiguration | test_logical.py:155:28:155:28 | ControlFlowNode for s |
+| TestTaintTrackingConfiguration | test_reference.py:31:28:31:28 | ControlFlowNode for s |
--- a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.ql
+++ b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.ql
@@ -1,14 +1,9 @@
 import experimental.meta.InlineTaintTest

-class IsSafeCheck extends DataFlow::BarrierGuard {
-  IsSafeCheck() {
-    this.(CallNode).getNode().getFunc().(Name).getId() in ["is_safe", "emulated_is_safe"]
-  }
-
-  override predicate checks(ControlFlowNode node, boolean branch) {
-    node = this.(CallNode).getAnArg() and
-    branch = true
-  }
+predicate isSafeCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
+  g.(CallNode).getNode().getFunc().(Name).getId() in ["is_safe", "emulated_is_safe"] and
+  node = g.(CallNode).getAnArg() and
+  branch = true
 }

 class CustomSanitizerOverrides extends TestTaintTrackingConfiguration {
@@ -19,17 +14,12 @@ class CustomSanitizerOverrides extends TestTaintTrackingConfiguration {
    )
    or
    node.asExpr().(Call).getFunc().(Name).getId() = "emulated_escaping"
+    or
+    node = DataFlow::BarrierGuard<isSafeCheck/3>::getABarrierNode()
  }
-
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { guard instanceof IsSafeCheck }
 }

 query predicate isSanitizer(TestTaintTrackingConfiguration conf, DataFlow::Node node) {
  exists(node.getLocation().getFile().getRelativePath()) and
  conf.isSanitizer(node)
 }
-
-query predicate isSanitizerGuard(TestTaintTrackingConfiguration conf, DataFlow::BarrierGuard guard) {
-  exists(guard.getLocation().getFile().getRelativePath()) and
-  conf.isSanitizerGuard(guard)
-}
--- a/python/ql/test/experimental/meta/debug/dataflow.qll
+++ b/python/ql/test/experimental/meta/debug/dataflow.qll
@@ -1,18 +0,0 @@
-import experimental.dataflow.tainttracking.TestTaintLib
-
-query predicate sanitizerGuardControls(
-  TestTaintTrackingConfiguration conf, DataFlow::BarrierGuard guard, ControlFlowNode node,
-  boolean branch
-) {
-  exists(guard.getLocation().getFile().getRelativePath()) and
-  conf.isSanitizerGuard(guard) and
-  guard.controlsBlock(node.getBasicBlock(), branch)
-}
-
-query predicate sanitizerGuardedNode(
-  TestTaintTrackingConfiguration conf, DataFlow::BarrierGuard guard, DataFlow::ExprNode node
-) {
-  exists(guard.getLocation().getFile().getRelativePath()) and
-  conf.isSanitizerGuard(guard) and
-  node = guard.getAGuardedNode()
-}