Allow MaD sanitizers for java/jexl-expression-injection

Author: owen-mc

java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll

@@ -16,6 +16,16 @@ private class DefaultJexlEvaluationSink extends JexlEvaluationSink {
   DefaultJexlEvaluationSink() { sinkNode(this, "jexl-injection") }
 }
 
+/**
+ * A sink for Expresssion Language injection vulnerabilities via Jexl,
+ * that is, method calls that run evaluation of a JEXL expression.
+ */
+abstract class JexlEvaluationSanitizer extends DataFlow::ExprNode { }
+
+private class ExternalJexlEvaluationSanitizer extends JexlEvaluationSanitizer {
+  ExternalJexlEvaluationSanitizer() { barrierNode(this, "jexl-injection") }
+}
+
 /**
  * A unit class for adding additional taint steps.
  *
@@ -48,6 +58,8 @@ module JexlInjectionConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
 
+  predicate isBarrier(DataFlow::Node node) { node instanceof JexlEvaluationSanitizer }
+
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
   }