From 81667d741a8175687066289dc3e9b9d8aa3e8161 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Wed, 17 Dec 2025 10:47:45 +0000
Subject: [PATCH 1/3] Rename classes for external sanitizers
---
 java/ql/lib/semmle/code/java/security/PathSanitizer.qll | 4 ++--
 java/ql/lib/semmle/code/java/security/RequestForgery.qll | 4 ++--
 .../semmle/code/java/security/TrustBoundaryViolationQuery.qll | 4 ++--
 java/ql/lib/semmle/code/java/security/XSS.qll | 4 ++--
 .../lib/semmle/code/java/security/regexp/RegexInjection.qll | 4 ++--
 5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
index 2018004a3fb5..4685f5e48f71 100644
--- a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -289,8 +289,8 @@ private Method getSourceMethod(Method m) {
   result = m
 }
 
-private class DefaultPathInjectionSanitizer extends PathInjectionSanitizer {
-  DefaultPathInjectionSanitizer() { barrierNode(this, "path-injection") }
+private class ExternalPathInjectionSanitizer extends PathInjectionSanitizer {
+  ExternalPathInjectionSanitizer() { barrierNode(this, "path-injection") }
 }
 
 /** Holds if `g` is a guard that checks for `..` components. */
diff --git a/java/ql/lib/semmle/code/java/security/RequestForgery.qll b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
index 690e4f9315b9..489b45dffa2c 100644
--- a/java/ql/lib/semmle/code/java/security/RequestForgery.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
@@ -118,8 +118,8 @@ private class ContainsUrlSanitizer extends RequestForgerySanitizer {
   }
 }
 
-private class DefaultRequestForgerySanitizer extends RequestForgerySanitizer {
-  DefaultRequestForgerySanitizer() { barrierNode(this, "request-forgery") }
+private class ExternalRequestForgerySanitizer extends RequestForgerySanitizer {
+  ExternalRequestForgerySanitizer() { barrierNode(this, "request-forgery") }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
index 477aeb48b64e..d234f3df20ce 100644
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -27,8 +27,8 @@ class TrustBoundaryViolationSink extends DataFlow::Node {
  */
 abstract class TrustBoundaryValidationSanitizer extends DataFlow::Node { }
 
-private class DefaultTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer {
-  DefaultTrustBoundaryValidationSanitizer() { barrierNode(this, "trust-boundary-violation") }
+private class ExternalTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer {
+  ExternalTrustBoundaryValidationSanitizer() { barrierNode(this, "trust-boundary-violation") }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/XSS.qll b/java/ql/lib/semmle/code/java/security/XSS.qll
index c131f868f36c..0d52d480ae7b 100644
--- a/java/ql/lib/semmle/code/java/security/XSS.qll
+++ b/java/ql/lib/semmle/code/java/security/XSS.qll
@@ -54,8 +54,8 @@ private class DefaultXssSink extends XssSink {
   }
 }
 
-private class DefaultXssSanitizer extends XssSanitizer {
-  DefaultXssSanitizer() { barrierNode(this, ["html-injection", "js-injection"]) }
+private class ExternalXssSanitizer extends XssSanitizer {
+  ExternalXssSanitizer() { barrierNode(this, ["html-injection", "js-injection"]) }
 }
 
 /** A sanitizer that considers numeric and boolean typed data safe for writing to output. */
diff --git a/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll b/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
index d91b411b7978..944ffca803ae 100644
--- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
@@ -21,8 +21,8 @@ private class DefaultRegexInjectionSink extends RegexInjectionSink {
   }
 }
 
-private class DefaultRegexInjectionSanitizer extends RegexInjectionSanitizer {
-  DefaultRegexInjectionSanitizer() { barrierNode(this, "regex-use") }
+private class ExternalRegexInjectionSanitizer extends RegexInjectionSanitizer {
+  ExternalRegexInjectionSanitizer() { barrierNode(this, "regex-use") }
 }
 
 /**
From 766e908c79a5280164d678493da3b74e23b1e188 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 19 Dec 2025 08:13:19 +0000
Subject: [PATCH 2/3] Accept MaD sanitizers for existing sink kinds
---
 .../code/java/security/AndroidIntentRedirection.qll | 5 +++++
 .../lib/semmle/code/java/security/CommandLineQuery.qll | 4 ++++
 .../lib/semmle/code/java/security/FragmentInjection.qll | 9 +++++++++
 .../semmle/code/java/security/FragmentInjectionQuery.qll | 2 ++
 .../ql/lib/semmle/code/java/security/GroovyInjection.qll | 7 +++++++
 5 files changed, 27 insertions(+)
diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
index 08a86092afbb..57dfcd29117f 100644
--- a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
@@ -35,6 +35,11 @@ private class DefaultIntentRedirectionSink extends IntentRedirectionSink {
   DefaultIntentRedirectionSink() { sinkNode(this, "intent-redirection") }
 }
 
+/** External sanitizers for Intent redirection vulnerabilities. */
+private class ExternalIntentRedirectionSanitizer extends IntentRedirectionSanitizer {
+  ExternalIntentRedirectionSanitizer() { barrierNode(this, "intent-redirection") }
+}
+
 /**
  * A default sanitizer for `Intent` nodes dominated by calls to `ComponentName.getPackageName`
  * and `ComponentName.getClassName`. These are used to check whether the origin or destination
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
index b6b9d02e289d..273c5360b815 100644
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -37,6 +37,10 @@ private class DefaultCommandInjectionSink extends CommandInjectionSink {
   DefaultCommandInjectionSink() { sinkNode(this, "command-injection") }
 }
 
+private class ExternalCommandInjectionSanitizer extends CommandInjectionSanitizer {
+  ExternalCommandInjectionSanitizer() { barrierNode(this, "command-injection") }
+}
+
 private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer {
   DefaultCommandInjectionSanitizer() {
     this instanceof SimpleTypeSanitizer
diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjection.qll b/java/ql/lib/semmle/code/java/security/FragmentInjection.qll
index 8cd5e32a5ecd..6a01b2c8b18e 100644
--- a/java/ql/lib/semmle/code/java/security/FragmentInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/FragmentInjection.qll
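Review bot: `ExternalCommandInjectionSanitizer` is added without a QLDoc comment, whereas the sibling `ExternalIntentRedirectionSanitizer` added in the same series gets one; the private external classes added to FragmentInjection.qll and GroovyInjection.qll are in the same position. Because this class is what lets a Models-as-Data `command-injection` barrier row suppress a result, a one-line doc stating that helps whoever later audits why a sink stopped reporting, e.g. `/** An external (Models-as-Data) sanitizer for command injection vulnerabilities. */`. The new class also assumes `barrierNode` is in scope in CommandLineQuery.qll the way `sinkNode` is on the line above; the import is not visible in the hunk.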
@@ -49,6 +49,15 @@ private class DefaultFragmentInjectionSink extends FragmentInjectionSink {
   DefaultFragmentInjectionSink() { sinkNode(this, "fragment-injection") }
 }
 
+/**
+ * A barrier for Fragment injection vulnerabilities.
+ */
+abstract class FragmentInjectionSanitizer extends DataFlow::Node { }
+
+private class ExternalFragmentInjectionSanitizer extends FragmentInjectionSanitizer {
+  ExternalFragmentInjectionSanitizer() { barrierNode(this, "fragment-injection") }
+}
+
 private class DefaultFragmentInjectionAdditionalTaintStep extends FragmentInjectionAdditionalTaintStep
 {
   override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
index 40636ffd8c25..1cb9f711b6fa 100644
--- a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
@@ -14,6 +14,8 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink }
 
+  predicate isBarrier(DataFlow::Node node) { node instanceof FragmentInjectionSanitizer }
+
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
   }
diff --git a/java/ql/lib/semmle/code/java/security/GroovyInjection.qll b/java/ql/lib/semmle/code/java/security/GroovyInjection.qll
index 45d664897775..d9a5db7b12d3 100644
--- a/java/ql/lib/semmle/code/java/security/GroovyInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/GroovyInjection.qll
@@ -26,6 +26,13 @@ private class DefaultGroovyInjectionSink extends GroovyInjectionSink {
   DefaultGroovyInjectionSink() { sinkNode(this, "groovy-injection") }
 }
 
+/** A data flow sanitizer for Groovy expression injection vulnerabilities. */
+abstract class GroovyInjectionSanitizer extends DataFlow::ExprNode { }
+
+private class ExternalGroovyInjectionSanitizer extends GroovyInjectionSanitizer {
+  ExternalGroovyInjectionSanitizer() { barrierNode(this, "groovy-injection") }
+}
+
 /** A set of additional taint steps to consider when taint tracking Groovy related data flows. */
 private class DefaultGroovyInjectionAdditionalTaintStep extends GroovyInjectionAdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
From 8c9318b1a06634983cf401e35b013d3f7ea6b6aa Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
Date: Fri, 9 Jan 2026 09:38:10 +0000
Subject: [PATCH 3/3] Minor tweaks to QLDocs
---
 .../lib/semmle/code/java/security/AndroidIntentRedirection.qll | 2 +-
 java/ql/lib/semmle/code/java/security/FragmentInjection.qll | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
index 57dfcd29117f..6b8ea861049e 100644
--- a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
@@ -35,7 +35,7 @@ private class DefaultIntentRedirectionSink extends IntentRedirectionSink {
   DefaultIntentRedirectionSink() { sinkNode(this, "intent-redirection") }
 }
 
-/** External sanitizers for Intent redirection vulnerabilities. */
+/** An external sanitizer for Intent redirection vulnerabilities. */
 private class ExternalIntentRedirectionSanitizer extends IntentRedirectionSanitizer {
   ExternalIntentRedirectionSanitizer() { barrierNode(this, "intent-redirection") }
 }
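Review bot: `GroovyInjectionSanitizer` is declared here but nothing in this series wires it into the Groovy query's barrier predicate, whereas `FragmentInjectionSanitizer` gets a matching `isBarrier` line in FragmentInjectionQuery.qll; unless GroovyInjectionQuery.qll already has one (it is not in the diffstat), a Models-as-Data `groovy-injection` barrier row will compile but have no effect on results. The fix mirrors the Fragment change in the query module: `predicate isBarrier(DataFlow::Node node) { node instanceof GroovyInjectionSanitizer }`. A second consistency point: this abstract class extends `DataFlow::ExprNode` while `FragmentInjectionSanitizer` and the other sanitizer bases in the series extend `DataFlow::Node`, so a barrier row that resolves to a node that is not an expression (if the MaD machinery ever produces one) would be silently excluded for Groovy only; `abstract class GroovyInjectionSanitizer extends DataFlow::Node { }` would match the rest unless the narrower type is deliberate.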
diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjection.qll b/java/ql/lib/semmle/code/java/security/FragmentInjection.qll
index 6a01b2c8b18e..d27677b22717 100644
--- a/java/ql/lib/semmle/code/java/security/FragmentInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/FragmentInjection.qll
@@ -50,7 +50,7 @@ private class DefaultFragmentInjectionSink extends FragmentInjectionSink {
 }
 
 /**
- * A barrier for Fragment injection vulnerabilities.
+ * A sanitizer for Fragment injection vulnerabilities.
  */
 abstract class FragmentInjectionSanitizer extends DataFlow::Node { }
 