Python: Deprecate and replace BarrierGuard class.

2025-12-24 04:36:35 +01:00 · 2022-06-17 13:34:59 +02:00
parent 87d5305f5b
commit f473a0a961
41 changed files with 186 additions and 131 deletions
--- a/python/ql/lib/semmle/python/Concepts.qll
+++ b/python/ql/lib/semmle/python/Concepts.qll
@@ -119,16 +119,21 @@ module Path {
  }
  /** A data-flow node that checks that a path is safe to access. */
-  class SafeAccessCheck extends DataFlow::BarrierGuard instanceof SafeAccessCheck::Range {
+  class SafeAccessCheck extends DataFlow::ExprNode {
-    override predicate checks(ControlFlowNode node, boolean branch) {
+    SafeAccessCheck() { this = DataFlow::BarrierGuard<safeAccessCheck/3>::getABarrierNode() }
-      SafeAccessCheck::Range.super.checks(node, branch)
+  }
-    }
+
  private predicate safeAccessCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
    g.(SafeAccessCheck::Range).checks(node, branch)
  }
  /** Provides a class for modeling new path safety checks. */
  module SafeAccessCheck {
    /** A data-flow node that checks that a path is safe to access. */
-    abstract class Range extends DataFlow::BarrierGuard { }
+    abstract class Range extends DataFlow::GuardNode {
      /** Holds if this guard validates `node` upon evaluating to `branch`. */
      abstract predicate checks(ControlFlowNode node, boolean branch);
    }
  }
 }
--- a/python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll
@@ -3,8 +3,44 @@
 private import python
 private import semmle.python.dataflow.new.DataFlow
 private predicate stringConstCompare(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
  exists(CompareNode cn | cn = g |
    exists(StrConst str_const, Cmpop op |
      op = any(Eq eq) and branch = true
      or
      op = any(NotEq ne) and branch = false
    |
      cn.operands(str_const.getAFlowNode(), op, node)
      or
      cn.operands(node, op, str_const.getAFlowNode())
    )
    or
    exists(IterableNode str_const_iterable, Cmpop op |
      op = any(In in_) and branch = true
      or
      op = any(NotIn ni) and branch = false
    |
      forall(ControlFlowNode elem | elem = str_const_iterable.getAnElement() |
        elem.getNode() instanceof StrConst
      ) and
      cn.operands(node, op, str_const_iterable)
    )
  )
 }
 /** A validation of unknown node by comparing with a constant string value. */
-class StringConstCompare extends DataFlow::BarrierGuard, CompareNode {
+class StringConstCompareBarrier extends DataFlow::Node {
  StringConstCompareBarrier() {
    this = DataFlow::BarrierGuard<stringConstCompare/3>::getABarrierNode()
  }
 }
 /**
 * DEPRECATED: Use `StringConstCompareBarrier` instead.
 *
 * A validation of unknown node by comparing with a constant string value.
 */
 deprecated class StringConstCompare extends DataFlow::BarrierGuard, CompareNode {
  ControlFlowNode checked_node;
  boolean safe_branch;
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -540,6 +540,35 @@ class GuardNode extends ControlFlowNode {
 }
 /**
 * Holds if the guard `g` validates `node` upon evaluating to `branch`.
 *
 * The expression `e` is expected to be a syntactic part of the guard `g`.
 * For example, the guard `g` might be a call `isSafe(x)` and the expression `e`
 * the argument `x`.
 */
 signature predicate guardChecksSig(GuardNode g, ControlFlowNode node, boolean branch);
 /**
 * Provides a set of barrier nodes for a guard that validates a node.
 *
 * This is expected to be used in `isBarrier`/`isSanitizer` definitions
 * in data flow and taint tracking.
 */
 module BarrierGuard<guardChecksSig/3 guardChecks> {
  /** Gets a node that is safely guarded by the given guard check. */
  ExprNode getABarrierNode() {
    exists(GuardNode g, EssaDefinition def, ControlFlowNode node, boolean branch |
      AdjacentUses::useOfDef(def, node) and
      guardChecks(g, node, branch) and
      AdjacentUses::useOfDef(def, result.asCfgNode()) and
      g.controlsBlock(result.asCfgNode().getBasicBlock(), branch)
    )
  }
 }
 /**
 * DEPRECATED: Use `BarrierGuard` module instead.
 *
 * A guard that validates some expression.
 *
 * To use this in a configuration, extend the class and provide a
@@ -548,7 +577,7 @@ class GuardNode extends ControlFlowNode {
 *
 * It is important that all extending classes in scope are disjoint.
 */
-class BarrierGuard extends GuardNode {
+deprecated class BarrierGuard extends GuardNode {
  /** Holds if this guard validates `node` upon evaluating to `branch`. */
  abstract predicate checks(ControlFlowNode node, boolean branch);
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
@@ -10,12 +10,6 @@ private import semmle.python.ApiGraphs
 */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
 /**
 * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
 * but not in local taint.
 */
 predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 /**
 * Holds if default `TaintTracking::Configuration`s should allow implicit reads
 * of `c` at sinks and inputs to additional taint steps.
--- a/python/ql/lib/semmle/python/security/dataflow/CodeInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CodeInjectionCustomizations.qll
@@ -32,9 +32,11 @@ module CodeInjection {
  abstract class Sanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `Sanitizer` instead.
   *
   * A sanitizer guard for "code injection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A source of remote user input, considered as a flow source.
--- a/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/CommandInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CommandInjectionCustomizations.qll
@@ -32,9 +32,11 @@ module CommandInjection {
  abstract class Sanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `Sanitizer` instead.
   *
   * A sanitizer guard for "command injection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A source of remote user input, considered as a flow source.
@@ -83,5 +85,5 @@ module CommandInjection {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionCustomizations.qll
@@ -42,14 +42,18 @@ module LdapInjection {
  abstract class FilterSanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `DnSanitizer` instead.
   *
   * A sanitizer guard for "ldap injection" vulnerabilities.
   */
-  abstract class DnSanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class DnSanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * DEPRECATED: Use `FilterSanitizer` instead.
   *
   * A sanitizer guard for "ldap injection" vulnerabilities.
   */
-  abstract class FilterSanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class FilterSanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A source of remote user input, considered as a flow source.
@@ -73,12 +77,12 @@ module LdapInjection {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsDnSanitizerGuard extends DnSanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsDnSanitizerGuard extends DnSanitizer, StringConstCompareBarrier { }
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsFilterSanitizerGuard extends FilterSanitizerGuard, StringConstCompare {
+  class StringConstCompareAsFilterSanitizerGuard extends FilterSanitizer, StringConstCompareBarrier {
  }
  /**
--- a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll
@@ -26,7 +26,7 @@ class DnConfiguration extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node node) { node instanceof DnSanitizer }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof DnSanitizerGuard
  }
 }
@@ -44,7 +44,7 @@ class FilterConfiguration extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node node) { node instanceof FilterSanitizer }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof FilterSanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll
@@ -32,9 +32,11 @@ module LogInjection {
  abstract class Sanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `Sanitizer` instead.
   *
   * A sanitizer guard for "log injection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A source of remote user input, considered as a flow source.
@@ -51,7 +53,7 @@ module LogInjection {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
  /**
   * A call to replace line breaks, considered as a sanitizer.
--- a/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/PathInjection.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PathInjection.qll
@@ -90,11 +90,13 @@ deprecated class NormalizedPathNotCheckedConfiguration extends TaintTracking2::C
  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+  override predicate isSanitizer(DataFlow::Node node) {
    node instanceof Path::SafeAccessCheck
    or
    node instanceof Sanitizer
  }
  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof Path::SafeAccessCheck
    or
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/PathInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PathInjectionCustomizations.qll
@@ -43,9 +43,11 @@ module PathInjection {
  abstract class Sanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `Sanitizer` instead.
   *
   * A sanitizer guard for "path injection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A source of remote user input, considered as a flow source.
@@ -68,5 +70,5 @@ module PathInjection {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll
@@ -47,11 +47,11 @@ class Configuration extends TaintTracking::Configuration {
    node instanceof Path::PathNormalization and
    state instanceof NotNormalized
    or
-    node = any(Path::SafeAccessCheck c).getAGuardedNode() and
+    node instanceof Path::SafeAccessCheck and
    state instanceof NormalizedUnchecked
  }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
--- a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll
@@ -44,9 +44,11 @@ module PolynomialReDoS {
  abstract class Sanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `Sanitizer` instead.
   *
   * A sanitizer guard for "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A source of remote user input, considered as a flow source.
@@ -74,5 +76,5 @@ module PolynomialReDoS {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSCustomizations.qll
@@ -32,9 +32,11 @@ module ReflectedXss {
  abstract class Sanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `Sanitizer` instead.
   *
   * A sanitizer guard for "reflected server-side cross-site scripting" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A source of remote user input, considered as a flow source.
@@ -72,7 +74,7 @@ module ReflectedXss {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
 }
 /** DEPRECATED: Alias for ReflectedXss */
--- a/python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/RegexInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/RegexInjectionCustomizations.qll
@@ -40,9 +40,11 @@ module RegexInjection {
  abstract class Sanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `Sanitizer` instead.
   *
   * A sanitizer guard for "regular expression injection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A source of remote user input, considered as a flow source.
--- a/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll
@@ -24,7 +24,7 @@ class Configuration extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll
@@ -44,9 +44,11 @@ module ServerSideRequestForgery {
  abstract class FullUrlControlSanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `Sanitizer` instead.
   *
   * A sanitizer guard for "Server-side request forgery" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A source of remote user input, considered as a flow source.
@@ -78,7 +80,7 @@ module ServerSideRequestForgery {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
  /**
   * A string construction (concat, format, f-string) where the left side is not
--- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
@@ -34,7 +34,7 @@ class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configura
    node instanceof FullUrlControlSanitizer
  }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
@@ -65,7 +65,7 @@ class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Config
  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll
@@ -33,9 +33,11 @@ module SqlInjection {
  abstract class Sanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `Sanitizer` instead.
   *
   * A sanitizer guard for "SQL injection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A source of remote user input, considered as a flow source.
@@ -59,7 +61,7 @@ module SqlInjection {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
  private import semmle.python.frameworks.data.ModelsAsData
--- a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureCustomizations.qll
@@ -32,9 +32,11 @@ module StackTraceExposure {
  abstract class Sanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `Sanitizer` instead.
   *
   * A sanitizer guard for "stack trace exposure" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A source of exception info, considered as a flow source.
--- a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
--- a/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationCustomizations.qll
@@ -32,9 +32,11 @@ module UnsafeDeserialization {
  abstract class Sanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `Sanitizer` instead.
   *
   * A sanitizer guard for "code execution from deserialization" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A source of remote user input, considered as a flow source.
@@ -56,5 +58,5 @@ module UnsafeDeserialization {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll
@@ -32,9 +32,11 @@ module UrlRedirect {
  abstract class Sanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `Sanitizer` instead.
   *
   * A sanitizer guard for "URL redirection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A source of remote user input, considered as a flow source.
@@ -67,5 +69,5 @@ module UrlRedirect {
  /**
   * A comparison with a constant string, considered as a sanitizer-guard.
   */
-  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+  class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/XpathInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XpathInjectionCustomizations.qll
@@ -30,9 +30,11 @@ module XpathInjection {
  abstract class Sanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `Sanitizer` instead.
   *
   * A sanitizer guard for "XPath injection" vulnerabilities.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A source of remote user input, considered as a flow source.
--- a/python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll
@@ -23,7 +23,7 @@ class Configuration extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof SanitizerGuard
  }
 }
--- a/python/ql/src/experimental/semmle/python/security/InsecureRandomness.qll
+++ b/python/ql/src/experimental/semmle/python/security/InsecureRandomness.qll
@@ -30,7 +30,7 @@ module InsecureRandomness {
    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
      guard instanceof SanitizerGuard
    }
  }
--- a/python/ql/src/experimental/semmle/python/security/InsecureRandomnessCustomizations.qll
+++ b/python/ql/src/experimental/semmle/python/security/InsecureRandomnessCustomizations.qll
@@ -30,9 +30,11 @@ module InsecureRandomness {
  abstract class Sanitizer extends DataFlow::Node { }
  /**
   * DEPRECATED: Use `Sanitizer` instead.
   *
   * A sanitizer guard for random values that are not cryptographically secure.
   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+  abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
  /**
   * A random source that is not sufficient for security use. So far this is only made up
--- a/python/ql/src/experimental/semmle/python/security/dataflow/ReflectedXSS.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/ReflectedXSS.qll
@@ -23,12 +23,10 @@ class ReflectedXssConfiguration extends TaintTracking::Configuration {
  override predicate isSink(DataFlow::Node sink) { sink = any(EmailSender email).getHtmlBody() }
  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof StringConstCompare
  }
  override predicate isSanitizer(DataFlow::Node sanitizer) {
    sanitizer = any(HtmlEscaping esc).getOutput()
    or
    sanitizer instanceof StringConstCompareBarrier
  }
  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
--- a/python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll
@@ -15,22 +15,17 @@ class CsvInjectionFlowConfig extends TaintTracking::Configuration {
  override predicate isSink(DataFlow::Node sink) { sink = any(CsvWriter cw).getAnInput() }
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  override predicate isSanitizer(DataFlow::Node node) {
-    guard instanceof StartsWithCheck or
+    node = DataFlow::BarrierGuard<startsWithCheck/3>::getABarrierNode() or
-    guard instanceof StringConstCompare
+    node instanceof StringConstCompareBarrier
  }
 }
-private class StartsWithCheck extends DataFlow::BarrierGuard {
+private predicate startsWithCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
-  DataFlow::MethodCallNode mc;
+  exists(DataFlow::MethodCallNode mc |
-
+    g = mc.asCfgNode() and
-  StartsWithCheck() {
+    mc.calls(_, "startswith") and
    this = mc.asCfgNode() and
    mc.calls(_, "startswith")
  }
  override predicate checks(ControlFlowNode node, boolean branch) {
    node = mc.getObject().asCfgNode() and
    branch = true
-  }
+  )
 }
--- a/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/InlineTaintTest.ql
+++ b/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/InlineTaintTest.ql
@@ -2,7 +2,5 @@ import experimental.meta.InlineTaintTest
 import semmle.python.dataflow.new.BarrierGuards
 class CustomSanitizerOverrides extends TestTaintTrackingConfiguration {
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof StringConstCompareBarrier }
    guard instanceof StringConstCompare
  }
 }
--- a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.expected
@@ -4,20 +4,14 @@ failures
 isSanitizer
 | TestTaintTrackingConfiguration | test.py:21:39:21:39 | ControlFlowNode for s |
 | TestTaintTrackingConfiguration | test.py:34:39:34:39 | ControlFlowNode for s |
 | TestTaintTrackingConfiguration | test.py:52:28:52:28 | ControlFlowNode for s |
 | TestTaintTrackingConfiguration | test.py:66:10:66:29 | ControlFlowNode for emulated_escaping() |
-isSanitizerGuard
+| TestTaintTrackingConfiguration | test_logical.py:30:28:30:28 | ControlFlowNode for s |
-| TestTaintTrackingConfiguration | test.py:51:8:51:26 | ControlFlowNode for emulated_is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:45:28:45:28 | ControlFlowNode for s |
-| TestTaintTrackingConfiguration | test_logical.py:29:8:29:17 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:50:28:50:28 | ControlFlowNode for s |
-| TestTaintTrackingConfiguration | test_logical.py:44:8:44:17 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:89:28:89:28 | ControlFlowNode for s |
-| TestTaintTrackingConfiguration | test_logical.py:49:8:49:17 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:100:28:100:28 | ControlFlowNode for s |
-| TestTaintTrackingConfiguration | test_logical.py:59:8:59:17 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:145:28:145:28 | ControlFlowNode for s |
-| TestTaintTrackingConfiguration | test_logical.py:67:12:67:21 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:148:28:148:28 | ControlFlowNode for s |
-| TestTaintTrackingConfiguration | test_logical.py:87:8:87:17 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:155:28:155:28 | ControlFlowNode for s |
-| TestTaintTrackingConfiguration | test_logical.py:95:12:95:21 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_reference.py:31:28:31:28 | ControlFlowNode for s |
 | TestTaintTrackingConfiguration | test_logical.py:119:8:119:17 | ControlFlowNode for is_safe() |
 | TestTaintTrackingConfiguration | test_logical.py:142:12:142:21 | ControlFlowNode for is_safe() |
 | TestTaintTrackingConfiguration | test_logical.py:147:16:147:25 | ControlFlowNode for is_safe() |
 | TestTaintTrackingConfiguration | test_logical.py:152:20:152:29 | ControlFlowNode for is_safe() |
 | TestTaintTrackingConfiguration | test_reference.py:30:8:30:17 | ControlFlowNode for is_safe() |
 | TestTaintTrackingConfiguration | test_reference.py:40:8:40:25 | ControlFlowNode for is_safe() |
 | TestTaintTrackingConfiguration | test_reference.py:55:8:55:21 | ControlFlowNode for is_safe() |
--- a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.ql
+++ b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.ql
@@ -1,14 +1,9 @@
 import experimental.meta.InlineTaintTest
-class IsSafeCheck extends DataFlow::BarrierGuard {
+predicate isSafeCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
-  IsSafeCheck() {
+  g.(CallNode).getNode().getFunc().(Name).getId() in ["is_safe", "emulated_is_safe"] and
-    this.(CallNode).getNode().getFunc().(Name).getId() in ["is_safe", "emulated_is_safe"]
+  node = g.(CallNode).getAnArg() and
-  }
+  branch = true
  override predicate checks(ControlFlowNode node, boolean branch) {
    node = this.(CallNode).getAnArg() and
    branch = true
  }
 }
 class CustomSanitizerOverrides extends TestTaintTrackingConfiguration {
@@ -19,17 +14,12 @@ class CustomSanitizerOverrides extends TestTaintTrackingConfiguration {
    )
    or
    node.asExpr().(Call).getFunc().(Name).getId() = "emulated_escaping"
    or
    node = DataFlow::BarrierGuard<isSafeCheck/3>::getABarrierNode()
  }
  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { guard instanceof IsSafeCheck }
 }
 query predicate isSanitizer(TestTaintTrackingConfiguration conf, DataFlow::Node node) {
  exists(node.getLocation().getFile().getRelativePath()) and
  conf.isSanitizer(node)
 }
 query predicate isSanitizerGuard(TestTaintTrackingConfiguration conf, DataFlow::BarrierGuard guard) {
  exists(guard.getLocation().getFile().getRelativePath()) and
  conf.isSanitizerGuard(guard)
 }
--- a/python/ql/test/experimental/meta/debug/dataflow.qll
+++ b/python/ql/test/experimental/meta/debug/dataflow.qll
@@ -1,18 +0,0 @@
 import experimental.dataflow.tainttracking.TestTaintLib
 query predicate sanitizerGuardControls(
  TestTaintTrackingConfiguration conf, DataFlow::BarrierGuard guard, ControlFlowNode node,
  boolean branch
 ) {
  exists(guard.getLocation().getFile().getRelativePath()) and
  conf.isSanitizerGuard(guard) and
  guard.controlsBlock(node.getBasicBlock(), branch)
 }
 query predicate sanitizerGuardedNode(
  TestTaintTrackingConfiguration conf, DataFlow::BarrierGuard guard, DataFlow::ExprNode node
 ) {
  exists(guard.getLocation().getFile().getRelativePath()) and
  conf.isSanitizerGuard(guard) and
  node = guard.getAGuardedNode()
 }