Trust Boundary Work

java/ql/lib/semmle/code/java/frameworks/Servlets.qll

@@ -397,3 +397,7 @@ class GetServletResourceAsStreamMethod extends Method {
     this.hasName("getResourceAsStream")
   }
 }
+
+class HttpServletSession extends RefType {
+  HttpServletSession() { this.hasQualifiedName("javax.servlet.http", "HttpSession") }
+}

java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll

@@ -24,6 +24,8 @@ class TrustBoundaryViolationSink extends DataFlow::Node {
   TrustBoundaryViolationSink() { sinkNode(this, "trust-boundary") }
 }
 
+abstract class TrustBoundaryValidationSanitizer extends DataFlow::Node { }
+
 /**
  * Taint tracking for data that crosses a trust boundary.
  */
@@ -34,6 +36,15 @@ module TrustBoundaryConfig implements DataFlow::ConfigSig {
     n2.asExpr().(MethodAccess).getQualifier() = n1.asExpr()
   }
 
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof TrustBoundaryValidationSanitizer or
+    node.getType() instanceof HttpServletSession or
+    node.asExpr()
+        .(MethodAccess)
+        .getMethod()
+        .hasQualifiedName("javax.servlet.http", "HttpServletRequest", "getMethod")
+  }
+
   predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink }
 }