Allow MaD sinks for go/request-forgery

Request forgery sinks which have `getRequest` different from the sink
itself cannot be modeled using models-as-data.

Author: owen-mc

go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll

@@ -8,6 +8,7 @@ import SafeUrlFlowCustomizations
 import semmle.go.dataflow.barrierguardutil.RedirectCheckBarrierGuard
 import semmle.go.dataflow.barrierguardutil.RegexpCheck
 import semmle.go.dataflow.barrierguardutil.UrlCheck
+import semmle.go.dataflow.ExternalFlow
 
 /** Provides classes and predicates for the request forgery query. */
 module RequestForgery {
@@ -42,6 +43,22 @@ module RequestForgery {
    */
   private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { }
 
+  private class DefaultRequestForgerySink extends Sink {
+    string kind;
+
+    DefaultRequestForgerySink() {
+      exists(string modelKind | sinkNode(this, modelKind) |
+        modelKind = "request-forgery" and kind = "URL"
+        or
+        modelKind = "request-forgery[" + kind + "]"
+      )
+    }
+
+    override DataFlow::Node getARequest() { result = this }
+
+    override string getKind() { result = kind }
+  }
+
   /**
    * The URL of an HTTP request, viewed as a sink for request forgery.
    */

shared/mad/codeql/mad/ModelValidation.qll

@@ -52,7 +52,9 @@ module KindValidation<KindValidationConfigSig Config> {
           // Java-only currently, but may be shared in the future
           "regex-use%",
           // Swift-only currently, but may be shared in the future
-          "%string-%length", "weak-hash-input-%"
+          "%string-%length", "weak-hash-input-%",
+          // Go-only currently, but may be shared in the future
+          "request-forgery%"
         ])
     }
   }