Convert request forgery barrier guard to MaD

owen-mc · owen-mc · commit a2c389c31ed6 · 2025-12-11T09:56:03.000Z
diff --git a/java/ql/lib/ext/java.net.model.yml b/java/ql/lib/ext/java.net.model.yml
@@ -34,6 +34,11 @@ extensions:
       - ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[],ClassLoader)", "", "Argument[0]", "request-forgery", "manual"]
       - ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[])", "", "Argument[0]", "request-forgery", "manual"]
       - ["java.net", "PasswordAuthentication", False, "PasswordAuthentication", "(String,char[])", "", "Argument[0]", "credentials-username", "hq-generated"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: barrierGuardModel
+    data:
+      - ["java.net", "URI", True, "isAbsolute", "()", "", "Argument[this]", "false", "request-forgery", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
diff --git a/java/ql/lib/semmle/code/java/security/RequestForgery.qll b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
@@ -118,25 +118,8 @@ private class ContainsUrlSanitizer extends RequestForgerySanitizer {
   }
 }
 
-/**
- * A check that the URL is relative, and therefore safe for URL redirects.
- */
-private predicate isRelativeUrlSanitizer(Guard guard, Expr e, boolean branch) {
-  guard =
-    any(MethodCall call |
-      call.getMethod().hasQualifiedName("java.net", "URI", "isAbsolute") and
-      e = call.getQualifier() and
-      branch = false
-    )
-}
-
-/**
- * A check that the URL is relative, and therefore safe for URL redirects.
- */
-private class RelativeUrlSanitizer extends RequestForgerySanitizer {
-  RelativeUrlSanitizer() {
-    this = DataFlow::BarrierGuard<isRelativeUrlSanitizer/3>::getABarrierNode()
-  }
+private class DefaultRequestForgerySanitizer extends RequestForgerySanitizer {
+  DefaultRequestForgerySanitizer() { barrierNode(this, "request-forgery") }
 }
 
 /**
