Skip to content

Java: Enable BarrierGuard wrappers #20183

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Java: Enable BarrierGuard wrappers #20183

wants to merge 6 commits into from

Conversation

aschackmull
Copy link
Contributor

This enables the Guards library wrapper guard integration with BarrierGuard such that data flow sanitizers make use of the full power of the Guards library including wrapped validation checks.

Some individual barriers had ad-hoc support for this, which can now be deleted as it becomes superfluous.

@aschackmull aschackmull requested a review from a team as a code owner August 7, 2025 13:47
@Copilot Copilot AI review requested due to automatic review settings August 7, 2025 13:47
@github-actions github-actions bot added the Java label Aug 7, 2025
Copilot
Copilot AI reviewed Aug 7, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enables the Guards library wrapper guard integration with BarrierGuard in Java, allowing data flow sanitizers to leverage the full power of the Guards library including wrapped validation checks. This eliminates the need for ad-hoc support in individual barriers.

  • Adds support for SSA definition-based guard checking in the Guards library
  • Refactors BarrierGuard implementation to use wrapped validation checks with state
  • Removes custom validation method logic from path sanitizers and arithmetic guards

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file
File Description
shared/controlflow/codeql/controlflow/Guards.qll Adds guardChecksDef predicate for SSA definition validation and removes deprecated boolean guard logic
java/ql/lib/semmle/code/java/security/PathSanitizer.qll Removes ValidationMethod module and simplifies sanitizer classes to use only BarrierGuard
java/ql/lib/semmle/code/java/security/ArithmeticCommon.qll Refactors size guard predicates to work with expressions and updates guard checking to use BarrierGuard
java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll Updates BarrierGuard implementation to use wrapped validation with SSA definitions
java/ql/lib/semmle/code/java/controlflow/Guards.qll Removes deprecated implies_v3 predicate

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 8, 2025
View reviewed changes
@aschackmull
Copy link
Contributor Author

Fixed the kotlin qltest in two ways (either of the two added commits suffice to fix the test). Firstly, kotlin Throws annotations are now recognized - we definitely want that, as that's similar to the java throws clauses. Second, I've extended the cfg heuristic for adding exception edges, since guard wrappers may make use of unchecked exceptions, so if we see a call chain reaching something that may act as a guard wrapper then we add exception edges. Lets see if the latter in particular shows any effects in dca.

@aschackmull aschackmull force-pushed the java/barrierguard-wrappers branch from 1acee9d to 492a5ca Compare August 8, 2025 08:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@aschackmull