Allow query-specific MaD barriers

This was implemented by Gemini 3 using the following prompt.

In the commit with the hash 10c5a47 the go language library was updated. I want you to do the same for the java language library. Here are the steps to follow:
- Find all .ql files in the java folder which are not in java/ql/src/experimental which contain the string "@kind path-problem".
- Note the query id, as specified by the "@id" metadata at the top of the .ql file. It should have this format: "java/sql-injection".
- These are path queries, so the second and third arguments in the select statement should have type "XFlow::PathNode"s for some module "XFlow" that is defined as something like "TaintTracking::Global<XFlowConfig>". Find the definition of the data flow config ("XFlowConfig" in my example code), which should be a module which implements `DataFlow::ConfigSig`.
- If the module does not already define it, add a predicate like the following:
`predicate isBarrier(DataFlow::Node node) { barrierNode(node, "Z") }` where "Z" should be the query id from earlier.
- If the module already defines that predicate, add `or barrierNode(node, "Z")` to the end of the predicate body, where "Z" should be the query id.

Author: owen-mc

java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll

@@ -4,14 +4,18 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.AndroidIntentRedirection
+import semmle.code.java.dataflow.ExternalFlow
 
 /** A taint tracking configuration for tainted Intents being used to start Android components. */
 module IntentRedirectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
 
-  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof IntentRedirectionSanitizer }
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof IntentRedirectionSanitizer or
+    barrierNode(sanitizer, "java/android/intent-redirection")
+  }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(IntentRedirectionAdditionalTaintStep c).step(node1, node2)

java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll

@@ -5,6 +5,7 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.security.SensitiveActions
 private import semmle.code.java.dataflow.FlowSinks
+import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * Gets regular expression for matching names of Android variables that indicate the value being held contains sensitive information.
@@ -144,7 +145,10 @@ module SensitiveCommunicationConfig implements DataFlow::ConfigSig {
   /**
    * Holds if broadcast doesn't specify receiving package name of the 3rd party app
    */
-  predicate isBarrier(DataFlow::Node node) { node instanceof ExplicitIntentSanitizer }
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof ExplicitIntentSanitizer or
+    barrierNode(node, "java/android/sensitive-communication")
+  }
 
   predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
     isSink(node) and exists(c)

java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll

@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.ArbitraryApkInstallation
+import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A dataflow configuration for flow from an external source of an APK to the
@@ -24,6 +25,10 @@ module ApkInstallationConfig implements DataFlow::ConfigSig {
     )
   }
 
+  predicate isBarrier(DataFlow::Node node) {
+    barrierNode(node, "java/android/arbitrary-apk-installation")
+  }
+
   predicate observeDiffInformedIncrementalMode() { any() }
 }
 

java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll

@@ -3,14 +3,18 @@
 import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.ArithmeticCommon
+import semmle.code.java.dataflow.ExternalFlow
 
 /** A taint-tracking configuration to reason about overflow from unvalidated input. */
 module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
 
-  predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
+  predicate isBarrier(DataFlow::Node n) {
+    overflowBarrier(n) or
+    barrierNode(n, "java/tainted-arithmetic")
+  }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 
@@ -34,6 +38,9 @@ deprecated module RemoteUserInputOverflowConfig = ArithmeticOverflowConfig;
 module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
+    underflowBarrier(n) or
+    barrierNode(n, "java/tainted-arithmetic")
+
   predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
 
   predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }

java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll

@@ -5,6 +5,7 @@ private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.RandomQuery
 private import semmle.code.java.security.SecurityTests
 private import semmle.code.java.security.ArithmeticCommon
+import semmle.code.java.dataflow.ExternalFlow
 
 private class TaintSource extends DataFlow::ExprNode {
   TaintSource() {
@@ -18,7 +19,10 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
 
-  predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
+  predicate isBarrier(DataFlow::Node n) {
+    overflowBarrier(n) or
+    barrierNode(n, "java/uncontrolled-arithmetic")
+  }
 
   predicate observeDiffInformedIncrementalMode() {
     any() // merged with ArithmeticUncontrolledUnderflow in ArithmeticUncontrolled.ql
@@ -39,6 +43,9 @@ module ArithmeticUncontrolledOverflowFlow =
 module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof TaintSource }
 
+    underflowBarrier(n) or
+    barrierNode(n, "java/uncontrolled-arithmetic")
+
   predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
 
   predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }

java/ql/lib/semmle/code/java/security/ArithmeticWithExtremeValuesQuery.qll

@@ -3,6 +3,7 @@
 import java
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.security.ArithmeticCommon
+import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A field representing an extreme value.
@@ -38,7 +39,10 @@ module MaxValueFlowConfig implements DataFlow::ConfigSig {
 
   predicate isBarrierIn(DataFlow::Node n) { isSource(n) }
 
-  predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
+  predicate isBarrier(DataFlow::Node n) {
+    overflowBarrier(n) or
+    barrierNode(n, "java/extreme-value-arithmetic")
+  }
 }
 
 /** Dataflow from maximum values to an underflow. */
@@ -52,6 +56,9 @@ module MinValueFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
 
+    underflowBarrier(n) or
+    barrierNode(n, "java/extreme-value-arithmetic")
+
   predicate isBarrierIn(DataFlow::Node n) { isSource(n) }
 
   predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }

java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.security.Encryption
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.Sanitizers
+import semmle.code.java.dataflow.ExternalFlow
 
 private class ShortStringLiteral extends StringLiteral {
   ShortStringLiteral() { this.getValue().length() < 100 }
@@ -31,7 +32,10 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof SimpleTypeSanitizer or
+    barrierNode(node, "java/weak-cryptographic-algorithm")
+  }
 
   predicate observeDiffInformedIncrementalMode() { any() }
 

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -53,7 +53,10 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof CommandInjectionSanitizer }
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof CommandInjectionSanitizer or
+    barrierNode(node, "java/command-line-injection")
+  }
 
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(CommandInjectionAdditionalTaintStep s).step(n1, n2)

java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll

@@ -7,6 +7,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.SensitiveActions
 import semmle.code.java.controlflow.Guards
+import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * Holds if `ma` is controlled by the condition expression `e`.
@@ -44,6 +45,8 @@ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }
 
+  predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/user-controlled-bypass") }
+
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     endsWithStep(node1, node2)
   }

java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll

@@ -153,6 +153,10 @@ private module SqlExecuteConfig implements DataFlow::ConfigSig {
       m.hasName("execute")
     )
   }
+
+  predicate isBarrier(DataFlow::Node node) {
+    barrierNode(node, "java/csrf-unprotected-request-type")
+  }
 }
 
 /**