Allow query-specific MaD sanitizers

owen-mc · owen-mc · commit 10c5a4766257 · 2025-12-16T17:36:45.000Z
diff --git a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
@@ -45,7 +45,10 @@ module AllocationSizeOverflow {
 
     predicate isSink(DataFlow::Node sink) { isSinkWithAllocationSize(sink, _) }
 
-    predicate isBarrier(DataFlow::Node nd) { nd instanceof Sanitizer }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Sanitizer or
+      barrierNode(node, "go/allocation-size-overflow")
+    }
 
     predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
       additionalStep(pred, succ)
diff --git a/go/ql/lib/semmle/go/security/CleartextLogging.qll b/go/ql/lib/semmle/go/security/CleartextLogging.qll
@@ -24,6 +24,8 @@ module CleartextLogging {
     predicate isBarrier(DataFlow::Node node) {
       node instanceof Barrier
       or
+      barrierNode(node, "go/clear-text-logging")
+      or
       exists(DataFlow::CallNode call | node = call.getResult() |
         call.getTarget() = Builtin::error().getType().getMethod("Error")
         or
diff --git a/go/ql/lib/semmle/go/security/CommandInjection.qll b/go/ql/lib/semmle/go/security/CommandInjection.qll
@@ -23,7 +23,9 @@ module CommandInjection {
       exists(Sink s | sink = s | not s.doubleDashIsSanitizing())
     }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Sanitizer or barrierNode(node, "go/command-injection")
+    }
 
     predicate observeDiffInformedIncrementalMode() { any() }
   }
@@ -80,6 +82,7 @@ module CommandInjection {
 
     predicate isBarrier(DataFlow::Node node) {
       node instanceof Sanitizer or
+      barrierNode(node, "go/command-injection") or
       node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()
     }
 
diff --git a/go/ql/lib/semmle/go/security/CookieWithoutHttpOnly.qll b/go/ql/lib/semmle/go/security/CookieWithoutHttpOnly.qll
@@ -23,6 +23,8 @@ private module SensitiveCookieNameConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { isSink(sink, _) }
 
+  predicate isBarrier(DataFlow::Node node) { barrierNode(node, "go/cookie-httponly-not-set") }
+
   predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
     exists(Http::CookieOptionWrite co | co.getName() = pred and co.getCookieOutput() = succ)
   }
diff --git a/go/ql/lib/semmle/go/security/InsecureRandomness.qll b/go/ql/lib/semmle/go/security/InsecureRandomness.qll
@@ -24,7 +24,10 @@ module InsecureRandomness {
 
     predicate isSink(DataFlow::Node sink) { isSinkWithKind(sink, _) }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Sanitizer or
+      barrierNode(node, "go/insecure-randomness")
+    }
 
     predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
 
diff --git a/go/ql/lib/semmle/go/security/LogInjection.qll b/go/ql/lib/semmle/go/security/LogInjection.qll
@@ -20,7 +20,10 @@ module LogInjection {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-    predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Sanitizer or
+      barrierNode(node, "go/log-injection")
+    }
 
     predicate observeDiffInformedIncrementalMode() { any() }
   }
diff --git a/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll b/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll
@@ -20,6 +20,8 @@ module MissingJwtSignatureCheck {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
+    predicate isBarrier(DataFlow::Node node) { barrierNode(node, "go/missing-jwt-signature-check") }
+
     predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
     }
diff --git a/go/ql/lib/semmle/go/security/OpenUrlRedirect.qll b/go/ql/lib/semmle/go/security/OpenUrlRedirect.qll
@@ -22,7 +22,10 @@ module OpenUrlRedirect {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof Barrier }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Barrier or
+      barrierNode(node, "go/unvalidated-url-redirection")
+    }
 
     predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
       // taint steps that do not include flow through fields
diff --git a/go/ql/lib/semmle/go/security/ReflectedXss.qll b/go/ql/lib/semmle/go/security/ReflectedXss.qll
@@ -21,7 +21,10 @@ module ReflectedXss {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Sanitizer or
+      barrierNode(node, "go/reflected-xss")
+    }
 
     predicate observeDiffInformedIncrementalMode() { any() }
 
diff --git a/go/ql/lib/semmle/go/security/RequestForgery.qll b/go/ql/lib/semmle/go/security/RequestForgery.qll
@@ -21,7 +21,10 @@ module RequestForgery {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Sanitizer or
+      barrierNode(node, "go/request-forgery")
+    }
 
     predicate isBarrierOut(DataFlow::Node node) { node instanceof SanitizerEdge }
 
diff --git a/go/ql/lib/semmle/go/security/SqlInjection.qll b/go/ql/lib/semmle/go/security/SqlInjection.qll
@@ -22,7 +22,9 @@ module SqlInjection {
       NoSql::isAdditionalMongoTaintStep(pred, succ)
     }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Sanitizer or barrierNode(node, "go/sql-injection")
+    }
 
     predicate observeDiffInformedIncrementalMode() { any() }
   }
diff --git a/go/ql/lib/semmle/go/security/StoredCommand.qll b/go/ql/lib/semmle/go/security/StoredCommand.qll
@@ -25,7 +25,9 @@ module StoredCommand {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjection::Sink }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof CommandInjection::Sanitizer }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof CommandInjection::Sanitizer or barrierNode(node, "go/stored-command")
+    }
 
     predicate observeDiffInformedIncrementalMode() { any() }
   }
diff --git a/go/ql/lib/semmle/go/security/StoredXss.qll b/go/ql/lib/semmle/go/security/StoredXss.qll
@@ -21,7 +21,10 @@ module StoredXss {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Sanitizer or
+      barrierNode(node, "go/stored-xss")
+    }
 
     predicate observeDiffInformedIncrementalMode() { any() }
   }
diff --git a/go/ql/lib/semmle/go/security/TaintedPath.qll b/go/ql/lib/semmle/go/security/TaintedPath.qll
@@ -16,7 +16,10 @@ module TaintedPath {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Sanitizer or
+      barrierNode(node, "go/path-injection")
+    }
 
     predicate observeDiffInformedIncrementalMode() { any() }
   }
diff --git a/go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll b/go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll
@@ -18,7 +18,10 @@ module UncontrolledAllocationSize {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Sanitizer or
+      barrierNode(node, "go/uncontrolled-allocation-size")
+    }
 
     predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
       exists(Function f, DataFlow::CallNode cn | cn = f.getACall() |
diff --git a/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll b/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll
@@ -43,7 +43,10 @@ module UnsafeUnzipSymlink {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof SymlinkSink }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof SymlinkSanitizer }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof SymlinkSanitizer or
+      barrierNode(node, "go/unsafe-unzip-symlink")
+    }
 
     predicate observeDiffInformedIncrementalMode() { any() }
   }
diff --git a/go/ql/lib/semmle/go/security/XPathInjection.qll b/go/ql/lib/semmle/go/security/XPathInjection.qll
@@ -18,7 +18,10 @@ module XPathInjection {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Sanitizer or
+      barrierNode(node, "go/xml/xpath-injection")
+    }
 
     predicate observeDiffInformedIncrementalMode() { any() }
   }
diff --git a/go/ql/lib/semmle/go/security/ZipSlip.qll b/go/ql/lib/semmle/go/security/ZipSlip.qll
@@ -16,7 +16,10 @@ module ZipSlip {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Sanitizer or
+      barrierNode(node, "go/zipslip")
+    }
 
     predicate observeDiffInformedIncrementalMode() { any() }
   }
diff --git a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
@@ -129,6 +129,8 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) }
 
+  predicate isBarrier(DataFlow::Node node) { barrierNode(node, "go/unhandled-writable-file-close") }
+
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSourceLocation(DataFlow::Node source) {
diff --git a/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql b/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql
@@ -100,6 +100,8 @@ module IncompleteHostNameRegexpConfig implements DataFlow::ConfigSig {
     not regexpGuardsError(sink)
   }
 
+  predicate isBarrier(DataFlow::Node node) { barrierNode(node, "go/incomplete-hostname-regexp") }
+
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     StringOps::Concatenation::taintStep(node1, node2)
   }
diff --git a/go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql b/go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql
@@ -41,6 +41,8 @@ module SuspiciousCharacterInRegexpConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RegexpPattern }
 
+  predicate isBarrier(DataFlow::Node node) { barrierNode(node, "go/suspicious-character-in-regex") }
+
   predicate observeDiffInformedIncrementalMode() { any() }
 }
 
diff --git a/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql b/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
@@ -83,6 +83,8 @@ module UntrustedToTemplateExecWithConversionConfig implements DataFlow::StateCon
   predicate isBarrier(DataFlow::Node node) {
     node instanceof SharedXss::Sanitizer and not node instanceof SharedXss::HtmlTemplateSanitizer
     or
+    barrierNode(node, "go/html-template-escaping-bypass-xss")
+    or
     node.getType() instanceof NumericType
   }
 
diff --git a/go/ql/src/Security/CWE-209/StackTraceExposure.ql b/go/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -61,6 +61,8 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig {
     |
       cgn.dominates(node.getBasicBlock())
     )
+    or
+    barrierNode(node, "go/stack-trace-exposure")
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
diff --git a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
@@ -69,6 +69,8 @@ module Config implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) }
 
+  predicate isBarrier(DataFlow::Node node) { barrierNode(node, "go/insecure-hostkeycallback") }
+
   predicate observeDiffInformedIncrementalMode() { any() }
 }
 
diff --git a/go/ql/src/Security/CWE-326/InsufficientKeySize.ql b/go/ql/src/Security/CWE-326/InsufficientKeySize.ql
@@ -23,7 +23,8 @@ module Config implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) {
-    node = DataFlow::BarrierGuard<comparisonBarrierGuard/3>::getABarrierNode()
+    node = DataFlow::BarrierGuard<comparisonBarrierGuard/3>::getABarrierNode() or
+    barrierNode(node, "go/weak-crypto-key")
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
diff --git a/go/ql/src/Security/CWE-327/InsecureTLS.ql b/go/ql/src/Security/CWE-327/InsecureTLS.ql
@@ -71,6 +71,8 @@ module TlsVersionFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { intIsSource(source, _) }
 
   predicate isSink(DataFlow::Node sink) { isSink(sink, _, _, _) }
+
+  predicate isBarrier(DataFlow::Node node) { barrierNode(node, "go/insecure-tls") }
 }
 
 /**
@@ -195,6 +197,8 @@ module TlsInsecureCipherSuitesFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { isSink(sink, _, _, _) }
 
+  predicate isBarrier(DataFlow::Node node) { barrierNode(node, "go/insecure-tls") }
+
   /**
    * Declare sinks as out-sanitizers in order to avoid producing superfluous paths where a cipher
    * is written to CipherSuites, then the list is further extended with either safe or tainted
diff --git a/go/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql b/go/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql
@@ -28,7 +28,10 @@ module NormalHashFunctionFlow {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof Barrier }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Barrier or
+      barrierNode(node, "go/weak-sensitive-data-hashing")
+    }
 
     predicate isBarrierIn(DataFlow::Node node) {
       // make sources barriers so that we only report the closest instance
@@ -61,7 +64,10 @@ module ComputationallyExpensiveHashFunctionFlow {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof Barrier }
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Barrier or
+      barrierNode(node, "go/weak-sensitive-data-hashing")
+    }
 
     predicate isBarrierIn(DataFlow::Node node) {
       // make sources barriers so that we only report the closest instance
diff --git a/go/ql/src/Security/CWE-352/ConstantOauth2State.ql b/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
@@ -41,6 +41,8 @@ module ConstantStateFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { isSinkCall(sink, _) }
 
+  predicate isBarrier(DataFlow::Node node) { barrierNode(node, "go/constant-oauth2-state") }
+
   predicate observeDiffInformedIncrementalMode() { any() }
 }
 
diff --git a/go/ql/src/Security/CWE-601/BadRedirectCheck.ql b/go/ql/src/Security/CWE-601/BadRedirectCheck.ql
@@ -110,6 +110,8 @@ module Config implements DataFlow::ConfigSig {
     exists(Write w | w.writesField(node2, _, node1))
   }
 
+  predicate isBarrier(DataFlow::Node node) { barrierNode(node, "go/bad-redirect-check") }
+
   predicate isBarrierOut(DataFlow::Node node) {
     // assume this value is safe if something is prepended to it.
     exists(StringOps::Concatenation conc, int i, int j | i < j |
diff --git a/go/ql/src/Security/CWE-640/EmailInjection.qll b/go/ql/src/Security/CWE-640/EmailInjection.qll
@@ -21,6 +21,8 @@ module EmailInjection {
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
+    predicate isBarrier(DataFlow::Node node) { barrierNode(node, "go/email-injection") }
+
     predicate observeDiffInformedIncrementalMode() { any() }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,9 @@ module CommandInjection {`
`23`	`23`	`exists(Sink s \| sink = s \| not s.doubleDashIsSanitizing())`
`24`	`24`	`}`
`25`	`25`
`26`		`- predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`26`	`+ predicate isBarrier(DataFlow::Node node) {`
	`27`	`+ node instanceof Sanitizer or barrierNode(node, "go/command-injection")`
	`28`	`+ }`
`27`	`29`
`28`	`30`	`predicate observeDiffInformedIncrementalMode() { any() }`
`29`	`31`	`}`
`@@ -80,6 +82,7 @@ module CommandInjection {`
`80`	`82`
`81`	`83`	`predicate isBarrier(DataFlow::Node node) {`
`82`	`84`	`node instanceof Sanitizer or`
	`85`	`+ barrierNode(node, "go/command-injection") or`
`83`	`86`	`node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()`
`84`	`87`	`}`
`85`	`88`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@ private module SensitiveCookieNameConfig implements DataFlow::ConfigSig {`
`23`	`23`
`24`	`24`	`predicate isSink(DataFlow::Node sink) { isSink(sink, _) }`
`25`	`25`
	`26`	`+ predicate isBarrier(DataFlow::Node node) { barrierNode(node, "go/cookie-httponly-not-set") }`
	`27`	`+`
`26`	`28`	`predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {`
`27`	`29`	`exists(Http::CookieOptionWrite co \| co.getName() = pred and co.getCookieOutput() = succ)`
`28`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,10 @@ module LogInjection {`
`20`	`20`
`21`	`21`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`22`	`22`
`23`		`- predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }`
	`23`	`+ predicate isBarrier(DataFlow::Node node) {`
	`24`	`+ node instanceof Sanitizer or`
	`25`	`+ barrierNode(node, "go/log-injection")`
	`26`	`+ }`
`24`	`27`
`25`	`28`	`predicate observeDiffInformedIncrementalMode() { any() }`
`26`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,8 @@ module MissingJwtSignatureCheck {`
`20`	`20`
`21`	`21`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`22`	`22`
	`23`	`+ predicate isBarrier(DataFlow::Node node) { barrierNode(node, "go/missing-jwt-signature-check") }`
	`24`	`+`
`23`	`25`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`24`	`26`	`any(AdditionalFlowStep s).step(nodeFrom, nodeTo)`
`25`	`27`	`}`