Add net/http.Head and net/http.Client.Head as client requests

owen-mc · owen-mc · commit 990043ce8686 · 2025-07-08T14:31:48.000+01:00
They were previously deliberately excluded.
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll b/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll
@@ -183,7 +183,7 @@ module NetHttp {
         or
         this.getTarget().(Method).hasQualifiedName("net/http", "Client", functionName)
       |
-        functionName = ["Get", "Post", "PostForm"]
+        functionName = ["Get", "Head", "Post", "PostForm"]
       )
     }
 
diff --git a/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
@@ -1,16 +1,18 @@
 #select
 | RequestForgery.go:11:15:11:66 | call to Get | RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | The $@ of this request depends on a $@. | RequestForgery.go:11:24:11:65 | ...+... | URL | RequestForgery.go:8:12:8:34 | call to FormValue | user-provided value |
 | tst.go:14:2:14:18 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:14:11:14:17 | tainted | The $@ of this request depends on a $@. | tst.go:14:11:14:17 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:16:2:16:19 | call to Head | tst.go:10:13:10:35 | call to FormValue | tst.go:16:12:16:18 | tainted | The $@ of this request depends on a $@. | tst.go:16:12:16:18 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
 | tst.go:18:2:18:38 | call to Post | tst.go:10:13:10:35 | call to FormValue | tst.go:18:12:18:18 | tainted | The $@ of this request depends on a $@. | tst.go:18:12:18:18 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
 | tst.go:20:2:20:28 | call to PostForm | tst.go:10:13:10:35 | call to FormValue | tst.go:20:16:20:22 | tainted | The $@ of this request depends on a $@. | tst.go:20:16:20:22 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
 | tst.go:24:2:24:15 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:23:35:23:41 | tainted | The $@ of this request depends on a $@. | tst.go:23:35:23:41 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
 | tst.go:27:2:27:15 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:26:68:26:74 | tainted | The $@ of this request depends on a $@. | tst.go:26:68:26:74 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
 | tst.go:29:2:29:20 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:29:13:29:19 | tainted | The $@ of this request depends on a $@. | tst.go:29:13:29:19 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
-| tst.go:30:2:30:40 | call to Post | tst.go:10:13:10:35 | call to FormValue | tst.go:30:14:30:20 | tainted | The $@ of this request depends on a $@. | tst.go:30:14:30:20 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
-| tst.go:31:2:31:30 | call to PostForm | tst.go:10:13:10:35 | call to FormValue | tst.go:31:18:31:24 | tainted | The $@ of this request depends on a $@. | tst.go:31:18:31:24 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
-| tst.go:33:2:33:30 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:33:11:33:29 | ...+... | The $@ of this request depends on a $@. | tst.go:33:11:33:29 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
-| tst.go:35:2:35:41 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:35:11:35:40 | ...+... | The $@ of this request depends on a $@. | tst.go:35:11:35:40 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
-| tst.go:43:2:43:21 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:43:11:43:20 | call to String | The $@ of this request depends on a $@. | tst.go:43:11:43:20 | call to String | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:30:2:30:21 | call to Head | tst.go:10:13:10:35 | call to FormValue | tst.go:30:14:30:20 | tainted | The $@ of this request depends on a $@. | tst.go:30:14:30:20 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:31:2:31:40 | call to Post | tst.go:10:13:10:35 | call to FormValue | tst.go:31:14:31:20 | tainted | The $@ of this request depends on a $@. | tst.go:31:14:31:20 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:32:2:32:30 | call to PostForm | tst.go:10:13:10:35 | call to FormValue | tst.go:32:18:32:24 | tainted | The $@ of this request depends on a $@. | tst.go:32:18:32:24 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:34:2:34:30 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:34:11:34:29 | ...+... | The $@ of this request depends on a $@. | tst.go:34:11:34:29 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:36:2:36:41 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:36:11:36:40 | ...+... | The $@ of this request depends on a $@. | tst.go:36:11:36:40 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:44:2:44:21 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:44:11:44:20 | call to String | The $@ of this request depends on a $@. | tst.go:44:11:44:20 | call to String | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
 | websocket.go:65:12:65:53 | call to Dial | websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:65:27:65:40 | untrustedInput | WebSocket URL | websocket.go:60:21:60:31 | call to Referer | user-provided value |
 | websocket.go:79:13:79:40 | call to DialConfig | websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:78:36:78:49 | untrustedInput | WebSocket URL | websocket.go:74:21:74:31 | call to Referer | user-provided value |
 | websocket.go:91:3:91:50 | call to Dial | websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:91:31:91:44 | untrustedInput | WebSocket URL | websocket.go:88:21:88:31 | call to Referer | user-provided value |
@@ -23,26 +25,28 @@
 edges
 | RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | provenance | Src:MaD:1  |
 | tst.go:10:13:10:35 | call to FormValue | tst.go:14:11:14:17 | tainted | provenance | Src:MaD:1  |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:16:12:16:18 | tainted | provenance | Src:MaD:1  |
 | tst.go:10:13:10:35 | call to FormValue | tst.go:18:12:18:18 | tainted | provenance | Src:MaD:1  |
 | tst.go:10:13:10:35 | call to FormValue | tst.go:20:16:20:22 | tainted | provenance | Src:MaD:1  |
 | tst.go:10:13:10:35 | call to FormValue | tst.go:23:35:23:41 | tainted | provenance | Src:MaD:1  |
 | tst.go:10:13:10:35 | call to FormValue | tst.go:26:68:26:74 | tainted | provenance | Src:MaD:1  |
 | tst.go:10:13:10:35 | call to FormValue | tst.go:29:13:29:19 | tainted | provenance | Src:MaD:1  |
 | tst.go:10:13:10:35 | call to FormValue | tst.go:30:14:30:20 | tainted | provenance | Src:MaD:1  |
-| tst.go:10:13:10:35 | call to FormValue | tst.go:31:18:31:24 | tainted | provenance | Src:MaD:1  |
-| tst.go:10:13:10:35 | call to FormValue | tst.go:33:11:33:29 | ...+... | provenance | Src:MaD:1  |
-| tst.go:10:13:10:35 | call to FormValue | tst.go:35:11:35:40 | ...+... | provenance | Src:MaD:1  |
-| tst.go:10:13:10:35 | call to FormValue | tst.go:42:11:42:17 | tainted | provenance | Src:MaD:1  |
-| tst.go:41:2:41:2 | definition of u [pointer] | tst.go:42:2:42:2 | u [pointer] | provenance |  |
-| tst.go:42:2:42:2 | implicit dereference | tst.go:41:2:41:2 | definition of u [pointer] | provenance |  |
-| tst.go:42:2:42:2 | implicit dereference | tst.go:42:2:42:2 | u | provenance |  |
-| tst.go:42:2:42:2 | implicit dereference | tst.go:43:11:43:11 | u | provenance |  |
-| tst.go:42:2:42:2 | u | tst.go:42:2:42:2 | implicit dereference | provenance |  |
-| tst.go:42:2:42:2 | u | tst.go:43:11:43:11 | u | provenance |  |
-| tst.go:42:2:42:2 | u [pointer] | tst.go:42:2:42:2 | implicit dereference | provenance |  |
-| tst.go:42:11:42:17 | tainted | tst.go:42:2:42:2 | u | provenance | Config |
-| tst.go:42:11:42:17 | tainted | tst.go:43:11:43:11 | u | provenance | Config |
-| tst.go:43:11:43:11 | u | tst.go:43:11:43:20 | call to String | provenance | MaD:3 |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:31:14:31:20 | tainted | provenance | Src:MaD:1  |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:32:18:32:24 | tainted | provenance | Src:MaD:1  |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:34:11:34:29 | ...+... | provenance | Src:MaD:1  |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:36:11:36:40 | ...+... | provenance | Src:MaD:1  |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:43:11:43:17 | tainted | provenance | Src:MaD:1  |
+| tst.go:42:2:42:2 | definition of u [pointer] | tst.go:43:2:43:2 | u [pointer] | provenance |  |
+| tst.go:43:2:43:2 | implicit dereference | tst.go:42:2:42:2 | definition of u [pointer] | provenance |  |
+| tst.go:43:2:43:2 | implicit dereference | tst.go:43:2:43:2 | u | provenance |  |
+| tst.go:43:2:43:2 | implicit dereference | tst.go:44:11:44:11 | u | provenance |  |
+| tst.go:43:2:43:2 | u | tst.go:43:2:43:2 | implicit dereference | provenance |  |
+| tst.go:43:2:43:2 | u | tst.go:44:11:44:11 | u | provenance |  |
+| tst.go:43:2:43:2 | u [pointer] | tst.go:43:2:43:2 | implicit dereference | provenance |  |
+| tst.go:43:11:43:17 | tainted | tst.go:43:2:43:2 | u | provenance | Config |
+| tst.go:43:11:43:17 | tainted | tst.go:44:11:44:11 | u | provenance | Config |
+| tst.go:44:11:44:11 | u | tst.go:44:11:44:20 | call to String | provenance | MaD:3 |
 | websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | provenance | Src:MaD:2  |
 | websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | provenance | Src:MaD:2  |
 | websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | provenance | Src:MaD:2  |
@@ -61,22 +65,24 @@ nodes
 | RequestForgery.go:11:24:11:65 | ...+... | semmle.label | ...+... |
 | tst.go:10:13:10:35 | call to FormValue | semmle.label | call to FormValue |
 | tst.go:14:11:14:17 | tainted | semmle.label | tainted |
+| tst.go:16:12:16:18 | tainted | semmle.label | tainted |
 | tst.go:18:12:18:18 | tainted | semmle.label | tainted |
 | tst.go:20:16:20:22 | tainted | semmle.label | tainted |
 | tst.go:23:35:23:41 | tainted | semmle.label | tainted |
 | tst.go:26:68:26:74 | tainted | semmle.label | tainted |
 | tst.go:29:13:29:19 | tainted | semmle.label | tainted |
 | tst.go:30:14:30:20 | tainted | semmle.label | tainted |
-| tst.go:31:18:31:24 | tainted | semmle.label | tainted |
-| tst.go:33:11:33:29 | ...+... | semmle.label | ...+... |
-| tst.go:35:11:35:40 | ...+... | semmle.label | ...+... |
-| tst.go:41:2:41:2 | definition of u [pointer] | semmle.label | definition of u [pointer] |
-| tst.go:42:2:42:2 | implicit dereference | semmle.label | implicit dereference |
-| tst.go:42:2:42:2 | u | semmle.label | u |
-| tst.go:42:2:42:2 | u [pointer] | semmle.label | u [pointer] |
-| tst.go:42:11:42:17 | tainted | semmle.label | tainted |
-| tst.go:43:11:43:11 | u | semmle.label | u |
-| tst.go:43:11:43:20 | call to String | semmle.label | call to String |
+| tst.go:31:14:31:20 | tainted | semmle.label | tainted |
+| tst.go:32:18:32:24 | tainted | semmle.label | tainted |
+| tst.go:34:11:34:29 | ...+... | semmle.label | ...+... |
+| tst.go:36:11:36:40 | ...+... | semmle.label | ...+... |
+| tst.go:42:2:42:2 | definition of u [pointer] | semmle.label | definition of u [pointer] |
+| tst.go:43:2:43:2 | implicit dereference | semmle.label | implicit dereference |
+| tst.go:43:2:43:2 | u | semmle.label | u |
+| tst.go:43:2:43:2 | u [pointer] | semmle.label | u [pointer] |
+| tst.go:43:11:43:17 | tainted | semmle.label | tainted |
+| tst.go:44:11:44:11 | u | semmle.label | u |
+| tst.go:44:11:44:20 | call to String | semmle.label | call to String |
 | websocket.go:60:21:60:31 | call to Referer | semmle.label | call to Referer |
 | websocket.go:65:27:65:40 | untrustedInput | semmle.label | untrustedInput |
 | websocket.go:74:21:74:31 | call to Referer | semmle.label | call to Referer |
diff --git a/go/ql/test/query-tests/Security/CWE-918/tst.go b/go/ql/test/query-tests/Security/CWE-918/tst.go
@@ -13,7 +13,7 @@ func handler2(w http.ResponseWriter, req *http.Request) {
 
 	http.Get(tainted) // $ Alert
 
-	http.Head(tainted) // OK
+	http.Head(tainted) // $ Alert
 
 	http.Post(tainted, "text/basic", nil) // $ Alert
 
@@ -27,6 +27,7 @@ func handler2(w http.ResponseWriter, req *http.Request) {
 	client.Do(rq2)                                                                  // $ Alert
 
 	client.Get(tainted)                     // $ Alert
+	client.Head(tainted)                    // $ Alert
 	client.Post(tainted, "text/basic", nil) // $ Alert
 	client.PostForm(tainted, nil)           // $ Alert
 

Original file line number	Diff line number	Diff line change
`@@ -183,7 +183,7 @@ module NetHttp {`
`183`	`183`	`or`
`184`	`184`	`this.getTarget().(Method).hasQualifiedName("net/http", "Client", functionName)`
`185`	`185`	`\|`
`186`		`- functionName = ["Get", "Post", "PostForm"]`
	`186`	`+ functionName = ["Get", "Head", "Post", "PostForm"]`
`187`	`187`	`)`
`188`	`188`	`}`
`189`	`189`