Java: allow MaD barriers

java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll

@@ -4,14 +4,18 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.AndroidIntentRedirection
+private import semmle.code.java.dataflow.ExternalFlow
 
 /** A taint tracking configuration for tainted Intents being used to start Android components. */
 module IntentRedirectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
 
-  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof IntentRedirectionSanitizer }
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof IntentRedirectionSanitizer or
+    barrierNode(sanitizer, "java/android/intent-redirection")
+  }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(IntentRedirectionAdditionalTaintStep c).step(node1, node2)

java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll

@@ -4,6 +4,7 @@
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.security.SensitiveActions
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSinks
 
 /**
@@ -144,7 +145,10 @@
   /**
    * Holds if broadcast doesn't specify receiving package name of the 3rd party app
    */
-  predicate isBarrier(DataFlow::Node node) { node instanceof ExplicitIntentSanitizer }
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof ExplicitIntentSanitizer or
+    barrierNode(node, "java/android/sensitive-communication")
+  }
 
   predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
     isSink(node) and exists(c)

java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll

@@ -3,6 +3,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.security.ArbitraryApkInstallation
 
 /**
@@ -24,6 +25,10 @@ module ApkInstallationConfig implements DataFlow::ConfigSig {
     )
   }
 
+  predicate isBarrier(DataFlow::Node node) {
+    barrierNode(node, "java/android/arbitrary-apk-installation")
+  }
+
   predicate observeDiffInformedIncrementalMode() { any() }
 }
 

java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll

@@ -1,6 +1,7 @@
 /** Provides taint-tracking configurations to reason about arithmetic with unvalidated input. */
 
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.ArithmeticCommon
 
@@ -10,7 +11,10 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
 
-  predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
+  predicate isBarrier(DataFlow::Node n) {
+    overflowBarrier(n) or
+    barrierNode(n, "java/tainted-arithmetic")
+  }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 
@@ -36,7 +40,10 @@ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
 
-  predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
+  predicate isBarrier(DataFlow::Node n) {
+    underflowBarrier(n) or
+    barrierNode(n, "java/tainted-arithmetic")
+  }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 

java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll

@@ -1,6 +1,7 @@
 /** Provides taint-tracking configuration to reason about arithmetic with uncontrolled values. */
 
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.RandomQuery
 private import semmle.code.java.security.SecurityTests
@@ -18,7 +19,10 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
 
-  predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
+  predicate isBarrier(DataFlow::Node n) {
+    overflowBarrier(n) or
+    barrierNode(n, "java/uncontrolled-arithmetic")
+  }
 
   predicate observeDiffInformedIncrementalMode() {
     any() // merged with ArithmeticUncontrolledUnderflow in ArithmeticUncontrolled.ql
@@ -41,7 +45,10 @@ module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
 
-  predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
+  predicate isBarrier(DataFlow::Node n) {
+    underflowBarrier(n) or
+    barrierNode(n, "java/uncontrolled-arithmetic")
+  }
 
   predicate observeDiffInformedIncrementalMode() {
     any() // merged with ArithmeticUncontrolledOverflow in ArithmeticUncontrolled.ql

java/ql/lib/semmle/code/java/security/ArithmeticWithExtremeValuesQuery.qll

@@ -1,6 +1,7 @@
 /** Provides predicates and classes for reasoning about arithmetic with extreme values. */
 
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.security.ArithmeticCommon
 
@@ -38,7 +39,10 @@ module MaxValueFlowConfig implements DataFlow::ConfigSig {
 
   predicate isBarrierIn(DataFlow::Node n) { isSource(n) }
 
-  predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
+  predicate isBarrier(DataFlow::Node n) {
+    overflowBarrier(n) or
+    barrierNode(n, "java/extreme-value-arithmetic")
+  }
 }
 
 /** Dataflow from maximum values to an underflow. */
@@ -54,7 +58,10 @@ module MinValueFlowConfig implements DataFlow::ConfigSig {
 
   predicate isBarrierIn(DataFlow::Node n) { isSource(n) }
 
-  predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
+  predicate isBarrier(DataFlow::Node n) {
+    underflowBarrier(n) or
+    barrierNode(n, "java/extreme-value-arithmetic")
+  }
 }
 
 /** Dataflow from minimum values to an underflow. */

java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll

@@ -2,6 +2,7 @@
 
 import java
 private import semmle.code.java.security.Encryption
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.Sanitizers
 
@@ -31,7 +32,10 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof SimpleTypeSanitizer or
+    barrierNode(node, "java/weak-cryptographic-algorithm")
+  }
 
   predicate observeDiffInformedIncrementalMode() { any() }
 

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -53,7 +53,10 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof CommandInjectionSanitizer }
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof CommandInjectionSanitizer or
+    barrierNode(node, "java/command-line-injection")
+  }
 
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(CommandInjectionAdditionalTaintStep s).step(n1, n2)

java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll

@@ -7,6 +7,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.SensitiveActions
 import semmle.code.java.controlflow.Guards
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * Holds if `ma` is controlled by the condition expression `e`.
@@ -44,6 +45,8 @@ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }
 
+  predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/user-controlled-bypass") }
+
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     endsWithStep(node1, node2)
   }

java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll

@@ -153,6 +153,10 @@ private module SqlExecuteConfig implements DataFlow::ConfigSig {
       m.hasName("execute")
     )
   }
+
+  predicate isBarrier(DataFlow::Node node) {
+    barrierNode(node, "java/csrf-unprotected-request-type")
+  }
 }
 
 /**

java/ql/lib/semmle/code/java/security/ExternalAPIs.qll

@@ -8,6 +8,7 @@ module;
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A `Method` that is considered a "safe" external API from a security perspective.
@@ -102,6 +103,10 @@ module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
 
+  predicate isBarrier(DataFlow::Node node) {
+    barrierNode(node, "java/untrusted-data-to-external-api")
+  }
+
   predicate observeDiffInformedIncrementalMode() {
     any() // Simple use in UntrustedDataToExternalAPI.ql; also used through ExternalApiUsedWithUntrustedData in ExternalAPIsUsedWithUntrustedData.ql
   }

java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll

@@ -1,6 +1,7 @@
 /** Provides a taint-tracking configuration to reason about externally controlled format string vulnerabilities. */
 
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSinks
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.StringFormat
@@ -21,7 +22,9 @@
   predicate isSink(DataFlow::Node sink) { sink instanceof StringFormatSink }
 
   predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof NumericType or node.getType() instanceof BooleanType
+    node.getType() instanceof NumericType or
+    node.getType() instanceof BooleanType or
+    barrierNode(node, "java/tainted-format-string")
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }

java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll

@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.FragmentInjection
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unsafe user input
@@ -14,6 +15,8 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink }
 
+  predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/android/fragment-injection") }
+
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
   }

java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll

@@ -4,6 +4,7 @@
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.GroovyInjection
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unsafe user input
@@ -14,6 +15,8 @@
 
   predicate isSink(DataFlow::Node sink) { sink instanceof GroovyInjectionSink }
 
+  predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/groovy-injection") }
+
   predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
     any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode)
   }

java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll

@@ -5,6 +5,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import HardcodedCredentials
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A data-flow configuration that tracks flow from a hard-coded credential in a call to a sensitive Java API which may compromise security.
@@ -47,7 +48,8 @@ module HardcodedCredentialApiCallConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node n) {
-    n.asExpr().(MethodCall).getMethod() instanceof MethodSystemGetenv
+    n.asExpr().(MethodCall).getMethod() instanceof MethodSystemGetenv or
+    barrierNode(n, "java/hardcoded-credential-api-call")
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }

java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll

@@ -5,6 +5,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import HardcodedCredentials
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A data-flow configuration that tracks hardcoded expressions flowing to a parameter whose name suggests
@@ -15,6 +16,10 @@ module HardcodedCredentialSourceCallConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node n) { n.asExpr() instanceof FinalCredentialsSourceSink }
 
+  predicate isBarrier(DataFlow::Node node) {
+    barrierNode(node, "java/hardcoded-credential-sensitive-call")
+  }
+
   predicate observeDiffInformedIncrementalMode() { any() }
 }
 

java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll

@@ -5,6 +5,7 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Networking
 import semmle.code.java.security.HttpsUrls
 private import semmle.code.java.security.Sanitizers
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint tracking configuration for HTTP connections.
@@ -18,7 +19,10 @@ module HttpStringToUrlOpenMethodFlowConfig implements DataFlow::ConfigSig {
     any(HttpUrlsAdditionalTaintStep c).step(node1, node2)
   }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof SimpleTypeSanitizer or
+    barrierNode(node, "java/non-https-url")
+  }
 
   predicate observeDiffInformedIncrementalMode() { any() }
 }

java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll

@@ -7,6 +7,7 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.frameworks.android.PendingIntent
 import semmle.code.java.security.ImplicitPendingIntents
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint tracking configuration for implicit `PendingIntent`s
@@ -23,7 +24,10 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {
     sink instanceof ImplicitPendingIntentSink and state instanceof MutablePendingIntent
   }
 
-  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof ExplicitIntentSanitizer }
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof ExplicitIntentSanitizer or
+    barrierNode(sanitizer, "java/android/implicit-pendingintents")
+  }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(ImplicitPendingIntentAdditionalTaintStep c).step(node1, node2)

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.security.internal.ArraySizing
 private import semmle.code.java.security.internal.BoundingChecks
 private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A dataflow configuration to reason about improper validation of code-specified array index.
@@ -15,6 +16,10 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
     exists(CheckableArrayAccess arrayAccess | arrayAccess.canThrowOutOfBounds(sink.asExpr()))
   }
 
+  predicate isBarrier(DataFlow::Node node) {
+    barrierNode(node, "java/improper-validation-of-array-index-code-specified")
+  }
+
   predicate observeDiffInformedIncrementalMode() { any() }
 }