Allow MaD sanitizers for java/insecure-bean-validation

Author: owen-mc

java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll

@@ -50,6 +50,8 @@ module BeanValidationConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
 
+  predicate isBarrier(DataFlow::Node node) { node instanceof BeanValidationSanitizer }
+
   predicate observeDiffInformedIncrementalMode() { any() }
 }
 
@@ -65,3 +67,10 @@ abstract class BeanValidationSink extends DataFlow::Node { }
 private class ExternalBeanValidationSink extends BeanValidationSink {
   ExternalBeanValidationSink() { sinkNode(this, "bean-validation") }
 }
+
+/** A bean validation sanitizer. */
+abstract class BeanValidationSanitizer extends DataFlow::Node { }
+
+private class ExternalBeanValidationSanitizer extends BeanValidationSanitizer {
+  ExternalBeanValidationSanitizer() { barrierNode(this, "bean-validation") }
+}