Allow MaD barriers

owen-mc · owen-mc · commit 656ebab776dd · 2026-01-21T14:45:05.000Z
This commit was done by Opus 4.5 with the following prompt: In the commit 004d40e I have made it so that C# CodeQL queries which use sinks defined using data extensions (also known as "models-as-data"), which are accessed using `sinkNode(Node node, string kind)`, also use barriers defined using models-as-data, which are accessed using `barrierNode(Node node, string kind)`, with the same `kind` string. Please do the same for C++. If there are any complicated cases then list them at the end for me to do manually.
diff --git a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -45,6 +45,9 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) {
     node.asExpr().getUnspecifiedType() instanceof IntegralType
+    or
+    // barrier defined using models-as-data
+    barrierNode(node, "sql-injection")
   }
 
   predicate isBarrierIn(DataFlow::Node node) {

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,9 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {`
`45`	`45`
`46`	`46`	`predicate isBarrier(DataFlow::Node node) {`
`47`	`47`	`node.asExpr().getUnspecifiedType() instanceof IntegralType`
	`48`	`+ or`
	`49`	`+ // barrier defined using models-as-data`
	`50`	`+ barrierNode(node, "sql-injection")`
`48`	`51`	`}`
`49`	`52`
`50`	`53`	`predicate isBarrierIn(DataFlow::Node node) {`