Convert XSS barrier to MaD

owen-mc · aschackmull · commit befccacdf9a8 · 2025-12-11T13:36:46.000+01:00
diff --git a/java/ql/lib/ext/hudson.model.yml b/java/ql/lib/ext/hudson.model.yml
@@ -50,6 +50,12 @@ extensions:
       - ["hudson", "FilePath", False, "readToString", "", "", "ReturnValue", "file", "manual"]
       - ["hudson", "Plugin", True, "configure", "", "", "Parameter", "remote", "manual"]
       - ["hudson", "Plugin", True, "newInstance", "", "", "Parameter", "remote", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: barrierModel
+    data:
+      - ["hudson", "Util", True, "escape", "(String)", "", "ReturnValue", "html-injection", "manual"]
+        # Not including xmlEscape because it only accounts for >, <, and &. It does not account for ", or ', which makes it an incomplete XSS sanitizer.
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
diff --git a/java/ql/lib/semmle/code/java/frameworks/hudson/Hudson.qll b/java/ql/lib/semmle/code/java/frameworks/hudson/Hudson.qll
@@ -14,14 +14,3 @@ class HudsonWebMethod extends Method {
     this.getDeclaringType().getASourceSupertype*().hasQualifiedName("hudson.model", "Descriptor")
   }
 }
-
-private class HudsonUtilXssSanitizer extends XssSanitizer {
-  HudsonUtilXssSanitizer() {
-    this.asExpr()
-        .(MethodCall)
-        .getMethod()
-        // Not including xmlEscape because it only accounts for >, <, and &.
-        // It does not account for ", or ', which makes it an incomplete XSS sanitizer.
-        .hasQualifiedName("hudson", "Util", "escape")
-  }
-}
diff --git a/java/ql/lib/semmle/code/java/security/XSS.qll b/java/ql/lib/semmle/code/java/security/XSS.qll
@@ -54,12 +54,24 @@ private class DefaultXssSink extends XssSink {
   }
 }
 
-/** A default sanitizer that considers numeric and boolean typed data safe for writing to output. */
 private class DefaultXssSanitizer extends XssSanitizer {
-  DefaultXssSanitizer() {
+  DefaultXssSanitizer() { barrierNode(this, ["html-injection", "js-injection"]) }
+}
+
+/** A sanitizer that considers numeric and boolean typed data safe for writing to output. */
+private class PrimitiveSanitizer extends XssSanitizer {
+  PrimitiveSanitizer() {
     this.getType() instanceof NumericType or
-    this.getType() instanceof BooleanType or
-    // Match `org.springframework.web.util.HtmlUtils.htmlEscape` and possibly other methods like it.
+    this.getType() instanceof BooleanType
+  }
+}
+
+/**
+ * A call to `org.springframework.web.util.HtmlUtils.htmlEscape`, or possibly
+ * other methods like it, considered as a sanitizer for XSS.
+ */
+private class HtmlEscapeXssSanitizer extends XssSanitizer {
+  HtmlEscapeXssSanitizer() {
     this.asExpr().(MethodCall).getMethod().getName().regexpMatch("(?i)html_?escape.*")
   }
 }
