Apply suggestions from code review

Kwstubbs · owen-mc · web-flow · commit a94ba25ebe51 · 2024-11-13T14:45:45.000-08:00
Co-authored-by: Owen Mansel-Chan &lt;62447351+owen-mc@users.noreply.github.com&gt;
diff --git a/go/ql/src/change-notes/2024-10-14-gopathsanitizer.md b/go/ql/src/change-notes/2024-10-14-gopathsanitizer.md
@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* Added [github.com/gorilla/mux.Vars](https://pkg.go.dev/github.com/gorilla/mux#Vars) to path sanitizers.
+* Added [github.com/gorilla/mux.Vars](https://pkg.go.dev/github.com/gorilla/mux#Vars) to path sanitizers (disabled if [github.com/gorilla/mix.Router.SkipClean](https://pkg.go.dev/github.com/gorilla/mux#Router.SkipClean) has been called).
diff --git a/go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/MuxClean.go b/go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/MuxClean.go
@@ -1,4 +1,3 @@
-// GOOD: Sanitized by Gorilla's cleaner
 package main
 
 import (
@@ -9,6 +8,7 @@ import (
 	"github.com/gorilla/mux"
 )
 
+// GOOD: Sanitized by Gorilla's cleaner
 func GorillaHandler(w http.ResponseWriter, r *http.Request) {
 	not_tainted_path := mux.Vars(r)["id"]
 	data, _ := ioutil.ReadFile(filepath.Join("/home/user/", not_tainted_path))
diff --git a/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/MuxClean.go b/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/MuxClean.go
@@ -1,4 +1,3 @@
-// GOOD: Sanitized by Gorilla's cleaner
 package main
 
 import (
@@ -9,6 +8,7 @@ import (
 	"github.com/gorilla/mux"
 )
 
+// BAD: Gorilla's `Vars` is not a sanitizer as `Router.SkipClean` has been called
 func GorillaHandler(w http.ResponseWriter, r *http.Request) {
 	not_tainted_path := mux.Vars(r)["id"]
 	data, _ := ioutil.ReadFile(filepath.Join("/home/user/", not_tainted_path))
