Change how sql-injection barriers are accepted

owen-mc · owen-mc · commit 1d7a39a093a7 · 2026-02-17T22:26:58.000Z
diff --git a/ruby/ql/lib/codeql/ruby/Concepts.qll b/ruby/ql/lib/codeql/ruby/Concepts.qll
@@ -9,6 +9,7 @@ private import codeql.ruby.CFG
 private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.internal.DataFlowImplSpecific
 private import codeql.ruby.Frameworks
+private import codeql.ruby.frameworks.data.internal.ApiGraphModels
 private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.Regexp as RE
@@ -95,6 +96,10 @@ module SqlSanitization {
   abstract class Range extends DataFlow::Node { }
 }
 
+private class ExternalSqlInjectionSanitizer extends SqlSanitization::Range {
+  ExternalSqlInjectionSanitizer() { ModelOutput::barrierNode(this, "sql-injection") }
+}
+
 /**
  * A data-flow node that executes a regular expression.
  *
diff --git a/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll
@@ -61,8 +61,4 @@ module SqlInjection {
   private class ExternalSqlInjectionSink extends Sink {
     ExternalSqlInjectionSink() { ModelOutput::sinkNode(this, "sql-injection") }
   }
-
-  private class ExternalSqlInjectionSanitizer extends Sanitizer {
-    ExternalSqlInjectionSanitizer() { ModelOutput::barrierNode(this, "sql-injection") }
-  }
 }

Original file line number	Diff line number	Diff line change
`@@ -61,8 +61,4 @@ module SqlInjection {`
`61`	`61`	`private class ExternalSqlInjectionSink extends Sink {`
`62`	`62`	`ExternalSqlInjectionSink() { ModelOutput::sinkNode(this, "sql-injection") }`
`63`	`63`	`}`
`64`		`-`
`65`		`- private class ExternalSqlInjectionSanitizer extends Sanitizer {`
`66`		`- ExternalSqlInjectionSanitizer() { ModelOutput::barrierNode(this, "sql-injection") }`
`67`		`- }`
`68`	`64`	`}`