Java: Support for MaD barriers and barrier guards. #20986
Pull request overview
This PR adds Models-as-Data (MaD) support for Java barriers and barrier guards, enabling external specification of sanitizers that prevent taint flow. The implementation includes shared dataflow infrastructure, Java-specific implementation, and conversion of existing hardcoded sanitizers to MaD models.
Key changes:
- Added `AcceptingValue` class and barrier-related predicates to the shared dataflow framework
- Implemented Java-specific barrier and barrier guard support with parameterized guard checking
- Converted hardcoded sanitizers (ESAPI validators, Pattern.quote, URI.isAbsolute, File.getName, hudson.Util.escape) to MaD models in YAML files
Reviewed changes
Copilot reviewed 24 out of 24 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll | Adds core infrastructure: AcceptingValue class, barrierElement/barrierGuardElement predicates, isBarrierNode/isBarrierGuardNode predicates, and barrier access path interpretation |
| shared/mad/codeql/mad/ModelValidation.qll | Updates validation error message to include barrier models |
| swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll | Adds stub barrier predicates (returns none()) for Swift |
| go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll | Adds stub barrier predicates (returns none()) for Go |
| csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll | Adds stub barrier predicates (returns none()) for C# |
| cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll | Adds stub barrier predicates (returns none()) for C++ |
| java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll | Implements barrierElement and barrierGuardElement predicates for Java |
| java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll | Declares extensible barrierModel and barrierGuardModel predicates |
| java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll | Implements barrierNode predicate with barrier guard checking, validation, and model interpretation |
| java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll | Adds ParameterizedBarrierGuard module for parameterized guard checking |
| java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll | Adds SSA-level ParameterizedBarrierGuard module |
| java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll | Replaces PatternQuoteCall sanitizer with DefaultRegexInjectionSanitizer using barrierNode |
| java/ql/lib/semmle/code/java/security/XSS.qll | Refactors DefaultXssSanitizer to use barrierNode, splits primitives and HtmlUtils.htmlEscape into separate classes |
| java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll | Replaces EsapiValidatedInputSanitizer with DefaultTrustBoundaryValidationSanitizer using barrierNode |
| java/ql/lib/semmle/code/java/security/RequestForgery.qll | Replaces RelativeUrlSanitizer with DefaultRequestForgerySanitizer using barrierNode |
| java/ql/lib/semmle/code/java/security/PathSanitizer.qll | Replaces FileGetNameSanitizer with DefaultPathInjectionSanitizer using barrierNode |
| java/ql/lib/semmle/code/java/frameworks/owasp/Esapi.qll | Deletes entire file (ESAPI classes now defined in MaD models) |
| java/ql/lib/semmle/code/java/frameworks/hudson/Hudson.qll | Removes HudsonUtilXssSanitizer class (now a MaD barrier model) |
| java/ql/lib/ext/org.owasp.esapi.model.yml | Adds barrierGuardModel entries for ESAPI Validator.isValid* methods and barrierModel entries for Validator.getValid* methods |
| java/ql/lib/ext/java.util.regex.model.yml | Adds barrierModel for Pattern.quote method |
| java/ql/lib/ext/java.net.model.yml | Adds barrierGuardModel for URI.isAbsolute method |
| java/ql/lib/ext/java.io.model.yml | Adds barrierModel for File.getName method |
| java/ql/lib/ext/hudson.model.yml | Adds barrierModel for hudson.Util.escape method |
| java/ql/lib/ext/empty.model.yml | Adds empty barrierModel and barrierGuardModel extensible declarations |
owen-mc
left a comment
LGTM
Copilot is correct about the minor naming issue (which it repeats 5 times). I've pushed the small rename.
This adds models-as-data support for Java barriers and barrier guards. There's still some uncertainty about how to best structure the values in the kind column, hence no change-note for now.
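The distinction the new models encode, as an added Java example that is not part of this PR or of the CodeQL code base: `Pattern.quote` and `File.getName` act as barriers (the call's result is treated as clean), while `URI.isAbsolute` is a barrier guard (the checked value is clean only on one branch). The class and method names are made up for illustration, and the extra authority check in `resolveUserPath` is added defence in depth, not something the PR models.

```java
import java.io.File;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

/**
 * Barrier vs. barrier guard, using the sanitizers this PR moves into MaD.
 * The comments describe what the taint-tracking library concludes about
 * each flow, not anything observable at run time.
 */
public class BarrierExamples {

    // User input flows straight into the regex engine: reported as regex injection.
    static Pattern unsafeSearch(String userTerm) {
        return Pattern.compile(userTerm);
    }

    // Barrier: Pattern.quote returns a pattern that matches the input literally,
    // so taint stops at the call and the compile sink is no longer reported.
    static Pattern safeSearch(String userTerm) {
        return Pattern.compile(Pattern.quote(userTerm));
    }

    // Barrier: File.getName drops every directory component, so the result
    // cannot climb out of baseDir with "../" and is not flagged as path injection.
    static File safePath(File baseDir, String userFileName) {
        return new File(baseDir, new File(userFileName).getName());
    }

    // Barrier guard: the URI is considered safe for request forgery only in the
    // branch where isAbsolute() is false, i.e. it carries no scheme of its own.
    static URI resolveUserPath(URI base, String userPath) throws URISyntaxException {
        URI candidate = new URI(userPath);
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute URIs are not allowed");
        }
        // Added here, not modelled by the PR: a scheme-relative reference such as
        // "//host/x" is not absolute either but would still change the host on
        // resolve(), so also reject anything that names an authority.
        if (candidate.getAuthority() != null) {
            throw new IllegalArgumentException("URIs with a host are not allowed");
        }
        return base.resolve(candidate); // guarded branch: candidate is relative here
    }
}
```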