Allow MaD sanitizers for queries with MaD sinks

Author: owen-mc

python/ql/lib/semmle/python/security/dataflow/CodeInjectionCustomizations.qll

@@ -60,4 +60,11 @@ module CodeInjection {
 
   /** DEPRECATED: Use ConstCompareAsSanitizerGuard instead. */
   deprecated class StringConstCompareAsSanitizerGuard = ConstCompareAsSanitizerGuard;
+
+  /**
+   * A sanitizer defined via models-as-data with kind "code-injection".
+   */
+  class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "code-injection") }
+  }
 }

python/ql/lib/semmle/python/security/dataflow/CommandInjectionCustomizations.qll

@@ -95,4 +95,11 @@ module CommandInjection {
 
   /** DEPRECATED: Use ConstCompareAsSanitizerGuard instead. */
   deprecated class StringConstCompareAsSanitizerGuard = ConstCompareAsSanitizerGuard;
+
+  /**
+   * A sanitizer defined via models-as-data with kind "command-injection".
+   */
+  class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "command-injection") }
+  }
 }

python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll

@@ -106,4 +106,11 @@ module LogInjection {
       this.getArg(0).asExpr().(StringLiteral).getText() in ["\r\n", "\n"]
     }
   }
+
+  /**
+   * A sanitizer defined via models-as-data with kind "log-injection".
+   */
+  class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "log-injection") }
+  }
 }

python/ql/lib/semmle/python/security/dataflow/ReflectedXSSCustomizations.qll

@@ -84,4 +84,11 @@ module ReflectedXss {
 
   /** DEPRECATED: Use ConstCompareAsSanitizerGuard instead. */
   deprecated class StringConstCompareAsSanitizerGuard = ConstCompareAsSanitizerGuard;
+
+  /**
+   * A sanitizer defined via models-as-data with kind "html-injection" or "js-injection".
+   */
+  class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, ["html-injection", "js-injection"]) }
+  }
 }

python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll

@@ -69,4 +69,11 @@ module SqlInjection {
   private class DataAsSqlSink extends Sink {
     DataAsSqlSink() { ModelOutput::sinkNode(this, "sql-injection") }
   }
+
+  /**
+   * A sanitizer defined via models-as-data with kind "sql-injection".
+   */
+  class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "sql-injection") }
+  }
 }

python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationCustomizations.qll

@@ -65,4 +65,11 @@ module UnsafeDeserialization {
 
   /** DEPRECATED: Use ConstCompareAsSanitizerGuard instead. */
   deprecated class StringConstCompareAsSanitizerGuard = ConstCompareAsSanitizerGuard;
+
+  /**
+   * A sanitizer defined via models-as-data with kind "unsafe-deserialization".
+   */
+  class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "unsafe-deserialization") }
+  }
 }

python/ql/src/Security/CWE-798/HardcodedCredentials.ql

@@ -105,6 +105,15 @@ class CredentialSink extends DataFlow::Node {
   }
 }
 
+class CredentialSanitizer extends DataFlow::Node {
+  CredentialSanitizer() {
+    exists(string s | s.matches("credentials-%") |
+      // Whatever the string, this will sanitize flow to all credential sinks.
+      ModelOutput::barrierNode(this, s)
+    )
+  }
+}
+
 /**
  * Gets a regular expression for matching names of locations (variables, parameters, keys) that
  * indicate the value being held is a credential.
@@ -120,6 +129,8 @@ private module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }
 
+  predicate isBarrier(DataFlow::Node node) { node instanceof CredentialSanitizer }
+
   predicate observeDiffInformedIncrementalMode() { any() }
 }