Test more client request URL sinks

owen-mc · owen-mc · commit d437a096f106 · 2025-07-08T13:20:04.000+01:00
diff --git a/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
@@ -2,11 +2,15 @@
 | RequestForgery.go:11:15:11:66 | call to Get | RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | The $@ of this request depends on a $@. | RequestForgery.go:11:24:11:65 | ...+... | URL | RequestForgery.go:8:12:8:34 | call to FormValue | user-provided value |
 | tst.go:14:2:14:18 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:14:11:14:17 | tainted | The $@ of this request depends on a $@. | tst.go:14:11:14:17 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
 | tst.go:18:2:18:38 | call to Post | tst.go:10:13:10:35 | call to FormValue | tst.go:18:12:18:18 | tainted | The $@ of this request depends on a $@. | tst.go:18:12:18:18 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
-| tst.go:22:2:22:14 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:21:34:21:40 | tainted | The $@ of this request depends on a $@. | tst.go:21:34:21:40 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
-| tst.go:25:2:25:14 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:24:66:24:72 | tainted | The $@ of this request depends on a $@. | tst.go:24:66:24:72 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
-| tst.go:27:2:27:30 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:27:11:27:29 | ...+... | The $@ of this request depends on a $@. | tst.go:27:11:27:29 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
-| tst.go:29:2:29:41 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:29:11:29:40 | ...+... | The $@ of this request depends on a $@. | tst.go:29:11:29:40 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
-| tst.go:37:2:37:21 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:37:11:37:20 | call to String | The $@ of this request depends on a $@. | tst.go:37:11:37:20 | call to String | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:20:2:20:28 | call to PostForm | tst.go:10:13:10:35 | call to FormValue | tst.go:20:16:20:22 | tainted | The $@ of this request depends on a $@. | tst.go:20:16:20:22 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:24:2:24:15 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:23:35:23:41 | tainted | The $@ of this request depends on a $@. | tst.go:23:35:23:41 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:27:2:27:15 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:26:68:26:74 | tainted | The $@ of this request depends on a $@. | tst.go:26:68:26:74 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:29:2:29:20 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:29:13:29:19 | tainted | The $@ of this request depends on a $@. | tst.go:29:13:29:19 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:30:2:30:40 | call to Post | tst.go:10:13:10:35 | call to FormValue | tst.go:30:14:30:20 | tainted | The $@ of this request depends on a $@. | tst.go:30:14:30:20 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:31:2:31:30 | call to PostForm | tst.go:10:13:10:35 | call to FormValue | tst.go:31:18:31:24 | tainted | The $@ of this request depends on a $@. | tst.go:31:18:31:24 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:33:2:33:30 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:33:11:33:29 | ...+... | The $@ of this request depends on a $@. | tst.go:33:11:33:29 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:35:2:35:41 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:35:11:35:40 | ...+... | The $@ of this request depends on a $@. | tst.go:35:11:35:40 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
+| tst.go:43:2:43:21 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:43:11:43:20 | call to String | The $@ of this request depends on a $@. | tst.go:43:11:43:20 | call to String | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
 | websocket.go:65:12:65:53 | call to Dial | websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:65:27:65:40 | untrustedInput | WebSocket URL | websocket.go:60:21:60:31 | call to Referer | user-provided value |
 | websocket.go:79:13:79:40 | call to DialConfig | websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:78:36:78:49 | untrustedInput | WebSocket URL | websocket.go:74:21:74:31 | call to Referer | user-provided value |
 | websocket.go:91:3:91:50 | call to Dial | websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:91:31:91:44 | untrustedInput | WebSocket URL | websocket.go:88:21:88:31 | call to Referer | user-provided value |
@@ -20,21 +24,25 @@ edges
 | RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | provenance | Src:MaD:1  |
 | tst.go:10:13:10:35 | call to FormValue | tst.go:14:11:14:17 | tainted | provenance | Src:MaD:1  |
 | tst.go:10:13:10:35 | call to FormValue | tst.go:18:12:18:18 | tainted | provenance | Src:MaD:1  |
-| tst.go:10:13:10:35 | call to FormValue | tst.go:21:34:21:40 | tainted | provenance | Src:MaD:1  |
-| tst.go:10:13:10:35 | call to FormValue | tst.go:24:66:24:72 | tainted | provenance | Src:MaD:1  |
-| tst.go:10:13:10:35 | call to FormValue | tst.go:27:11:27:29 | ...+... | provenance | Src:MaD:1  |
-| tst.go:10:13:10:35 | call to FormValue | tst.go:29:11:29:40 | ...+... | provenance | Src:MaD:1  |
-| tst.go:10:13:10:35 | call to FormValue | tst.go:36:11:36:17 | tainted | provenance | Src:MaD:1  |
-| tst.go:35:2:35:2 | definition of u [pointer] | tst.go:36:2:36:2 | u [pointer] | provenance |  |
-| tst.go:36:2:36:2 | implicit dereference | tst.go:35:2:35:2 | definition of u [pointer] | provenance |  |
-| tst.go:36:2:36:2 | implicit dereference | tst.go:36:2:36:2 | u | provenance |  |
-| tst.go:36:2:36:2 | implicit dereference | tst.go:37:11:37:11 | u | provenance |  |
-| tst.go:36:2:36:2 | u | tst.go:36:2:36:2 | implicit dereference | provenance |  |
-| tst.go:36:2:36:2 | u | tst.go:37:11:37:11 | u | provenance |  |
-| tst.go:36:2:36:2 | u [pointer] | tst.go:36:2:36:2 | implicit dereference | provenance |  |
-| tst.go:36:11:36:17 | tainted | tst.go:36:2:36:2 | u | provenance | Config |
-| tst.go:36:11:36:17 | tainted | tst.go:37:11:37:11 | u | provenance | Config |
-| tst.go:37:11:37:11 | u | tst.go:37:11:37:20 | call to String | provenance | MaD:3 |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:20:16:20:22 | tainted | provenance | Src:MaD:1  |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:23:35:23:41 | tainted | provenance | Src:MaD:1  |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:26:68:26:74 | tainted | provenance | Src:MaD:1  |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:29:13:29:19 | tainted | provenance | Src:MaD:1  |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:30:14:30:20 | tainted | provenance | Src:MaD:1  |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:31:18:31:24 | tainted | provenance | Src:MaD:1  |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:33:11:33:29 | ...+... | provenance | Src:MaD:1  |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:35:11:35:40 | ...+... | provenance | Src:MaD:1  |
+| tst.go:10:13:10:35 | call to FormValue | tst.go:42:11:42:17 | tainted | provenance | Src:MaD:1  |
+| tst.go:41:2:41:2 | definition of u [pointer] | tst.go:42:2:42:2 | u [pointer] | provenance |  |
+| tst.go:42:2:42:2 | implicit dereference | tst.go:41:2:41:2 | definition of u [pointer] | provenance |  |
+| tst.go:42:2:42:2 | implicit dereference | tst.go:42:2:42:2 | u | provenance |  |
+| tst.go:42:2:42:2 | implicit dereference | tst.go:43:11:43:11 | u | provenance |  |
+| tst.go:42:2:42:2 | u | tst.go:42:2:42:2 | implicit dereference | provenance |  |
+| tst.go:42:2:42:2 | u | tst.go:43:11:43:11 | u | provenance |  |
+| tst.go:42:2:42:2 | u [pointer] | tst.go:42:2:42:2 | implicit dereference | provenance |  |
+| tst.go:42:11:42:17 | tainted | tst.go:42:2:42:2 | u | provenance | Config |
+| tst.go:42:11:42:17 | tainted | tst.go:43:11:43:11 | u | provenance | Config |
+| tst.go:43:11:43:11 | u | tst.go:43:11:43:20 | call to String | provenance | MaD:3 |
 | websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | provenance | Src:MaD:2  |
 | websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | provenance | Src:MaD:2  |
 | websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | provenance | Src:MaD:2  |
@@ -54,17 +62,21 @@ nodes
 | tst.go:10:13:10:35 | call to FormValue | semmle.label | call to FormValue |
 | tst.go:14:11:14:17 | tainted | semmle.label | tainted |
 | tst.go:18:12:18:18 | tainted | semmle.label | tainted |
-| tst.go:21:34:21:40 | tainted | semmle.label | tainted |
-| tst.go:24:66:24:72 | tainted | semmle.label | tainted |
-| tst.go:27:11:27:29 | ...+... | semmle.label | ...+... |
-| tst.go:29:11:29:40 | ...+... | semmle.label | ...+... |
-| tst.go:35:2:35:2 | definition of u [pointer] | semmle.label | definition of u [pointer] |
-| tst.go:36:2:36:2 | implicit dereference | semmle.label | implicit dereference |
-| tst.go:36:2:36:2 | u | semmle.label | u |
-| tst.go:36:2:36:2 | u [pointer] | semmle.label | u [pointer] |
-| tst.go:36:11:36:17 | tainted | semmle.label | tainted |
-| tst.go:37:11:37:11 | u | semmle.label | u |
-| tst.go:37:11:37:20 | call to String | semmle.label | call to String |
+| tst.go:20:16:20:22 | tainted | semmle.label | tainted |
+| tst.go:23:35:23:41 | tainted | semmle.label | tainted |
+| tst.go:26:68:26:74 | tainted | semmle.label | tainted |
+| tst.go:29:13:29:19 | tainted | semmle.label | tainted |
+| tst.go:30:14:30:20 | tainted | semmle.label | tainted |
+| tst.go:31:18:31:24 | tainted | semmle.label | tainted |
+| tst.go:33:11:33:29 | ...+... | semmle.label | ...+... |
+| tst.go:35:11:35:40 | ...+... | semmle.label | ...+... |
+| tst.go:41:2:41:2 | definition of u [pointer] | semmle.label | definition of u [pointer] |
+| tst.go:42:2:42:2 | implicit dereference | semmle.label | implicit dereference |
+| tst.go:42:2:42:2 | u | semmle.label | u |
+| tst.go:42:2:42:2 | u [pointer] | semmle.label | u [pointer] |
+| tst.go:42:11:42:17 | tainted | semmle.label | tainted |
+| tst.go:43:11:43:11 | u | semmle.label | u |
+| tst.go:43:11:43:20 | call to String | semmle.label | call to String |
 | websocket.go:60:21:60:31 | call to Referer | semmle.label | call to Referer |
 | websocket.go:65:27:65:40 | untrustedInput | semmle.label | untrustedInput |
 | websocket.go:74:21:74:31 | call to Referer | semmle.label | call to Referer |
diff --git a/go/ql/test/query-tests/Security/CWE-918/tst.go b/go/ql/test/query-tests/Security/CWE-918/tst.go
@@ -17,12 +17,18 @@ func handler2(w http.ResponseWriter, req *http.Request) {
 
 	http.Post(tainted, "text/basic", nil) // $ Alert
 
+	http.PostForm(tainted, nil) // $ Alert
+
 	client := &http.Client{}
-	rq, _ := http.NewRequest("GET", tainted, nil) // $ Sink
-	client.Do(rq)                                 // $ Alert
+	rq1, _ := http.NewRequest("GET", tainted, nil) // $ Sink
+	client.Do(rq1)                                 // $ Alert
+
+	rq2, _ := http.NewRequestWithContext(context.Background(), "GET", tainted, nil) // $ Sink
+	client.Do(rq2)                                                                  // $ Alert
 
-	rq, _ = http.NewRequestWithContext(context.Background(), "GET", tainted, nil) // $ Sink
-	client.Do(rq)                                                                 // $ Alert
+	client.Get(tainted)                     // $ Alert
+	client.Post(tainted, "text/basic", nil) // $ Alert
+	client.PostForm(tainted, nil)           // $ Alert
 
 	http.Get("http://" + tainted) // $ Alert
 
