Allow MaD sanitizers for java/non-https-url

Author: owen-mc

java/ql/lib/semmle/code/java/security/HttpsUrls.qll

@@ -8,6 +8,7 @@ private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.frameworks.ApacheHttp
 private import semmle.code.java.frameworks.Networking
+private import semmle.code.java.security.Sanitizers
 
 /**
  * String of HTTP URLs not in private domains.
@@ -36,6 +37,17 @@ private class DefaultUrlOpenSink extends UrlOpenSink {
   DefaultUrlOpenSink() { sinkNode(this, "request-forgery") }
 }
 
+/**
+ * A sanitizer to URL opening.
+ */
+abstract class UrlOpenSanitizer extends DataFlow::Node { }
+
+private class SimpleTypeUrlOpenSanitizer extends UrlOpenSanitizer instanceof SimpleTypeSanitizer { }
+
+private class ExternalUrlOpenSanitizer extends UrlOpenSanitizer {
+  ExternalUrlOpenSanitizer() { barrierNode(this, "request-forgery") }
+}
+
 /**
  * A unit class for adding additional taint steps.
  *

java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll

@@ -4,7 +4,6 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Networking
 import semmle.code.java.security.HttpsUrls
-private import semmle.code.java.security.Sanitizers
 
 /**
  * A taint tracking configuration for HTTP connections.
@@ -18,7 +17,7 @@ module HttpStringToUrlOpenMethodFlowConfig implements DataFlow::ConfigSig {
     any(HttpUrlsAdditionalTaintStep c).step(node1, node2)
   }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+  predicate isBarrier(DataFlow::Node node) { node instanceof UrlOpenSanitizer }
 
   predicate observeDiffInformedIncrementalMode() { any() }
 }