Accept MaD sanitizers for existing sink kinds

Author: owen-mc

java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll

@@ -35,6 +35,11 @@ private class DefaultIntentRedirectionSink extends IntentRedirectionSink {
   DefaultIntentRedirectionSink() { sinkNode(this, "intent-redirection") }
 }
 
+/** External sanitizers for Intent redirection vulnerabilities. */
+private class ExternalIntentRedirectionSanitizer extends IntentRedirectionSanitizer {
+  ExternalIntentRedirectionSanitizer() { barrierNode(this, "intent-redirection") }
+}
+
 /**
  * A default sanitizer for `Intent` nodes dominated by calls to `ComponentName.getPackageName`
  * and `ComponentName.getClassName`. These are used to check whether the origin or destination

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -37,6 +37,10 @@ private class DefaultCommandInjectionSink extends CommandInjectionSink {
   DefaultCommandInjectionSink() { sinkNode(this, "command-injection") }
 }
 
+private class ExternalCommandInjectionSanitizer extends CommandInjectionSanitizer {
+  ExternalCommandInjectionSanitizer() { barrierNode(this, "command-injection") }
+}
+
 private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer {
   DefaultCommandInjectionSanitizer() {
     this instanceof SimpleTypeSanitizer

java/ql/lib/semmle/code/java/security/FragmentInjection.qll

@@ -49,6 +49,15 @@ private class DefaultFragmentInjectionSink extends FragmentInjectionSink {
   DefaultFragmentInjectionSink() { sinkNode(this, "fragment-injection") }
 }
 
+/**
+ * A barrier for Fragment injection vulnerabilities.
+ */
+abstract class FragmentInjectionSanitizer extends DataFlow::Node { }
+
+private class ExternalFragmentInjectionSanitizer extends FragmentInjectionSanitizer {
+  ExternalFragmentInjectionSanitizer() { barrierNode(this, "fragment-injection") }
+}
+
 private class DefaultFragmentInjectionAdditionalTaintStep extends FragmentInjectionAdditionalTaintStep
 {
   override predicate step(DataFlow::Node n1, DataFlow::Node n2) {

java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll

@@ -14,6 +14,8 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink }
 
+  predicate isBarrier(DataFlow::Node node) { node instanceof FragmentInjectionSanitizer }
+
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
   }

java/ql/lib/semmle/code/java/security/GroovyInjection.qll

@@ -26,6 +26,13 @@ private class DefaultGroovyInjectionSink extends GroovyInjectionSink {
   DefaultGroovyInjectionSink() { sinkNode(this, "groovy-injection") }
 }
 
+/** A data flow sanitizer for Groovy expression injection vulnerabilities. */
+abstract class GroovyInjectionSanitizer extends DataFlow::ExprNode { }
+
+private class ExternalGroovyInjectionSanitizer extends GroovyInjectionSanitizer {
+  ExternalGroovyInjectionSanitizer() { barrierNode(this, "groovy-injection") }
+}
+
 /** A set of additional taint steps to consider when taint tracking Groovy related data flows. */
 private class DefaultGroovyInjectionAdditionalTaintStep extends GroovyInjectionAdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {