microsoft
diff --git a/‎go/ql/lib/semmle/go/frameworks/GinCors.qll
Lines changed: 9 additions & 9 deletions b/‎go/ql/lib/semmle/go/frameworks/GinCors.qll
Lines changed: 9 additions & 9 deletions
diff --git a/‎go/ql/lib/semmle/go/frameworks/RsCors.qll
Lines changed: 162 additions & 135 deletions b/‎go/ql/lib/semmle/go/frameworks/RsCors.qll
Lines changed: 162 additions & 135 deletions
@@ -21,7 +21,7 @@ module GinCors {
   /**
    * A write to the value of Access-Control-Allow-Credentials header
    */
-  class AllowCredentialsWrite extends DataFlow::ExprNode {
+  class AllowCredentialsWrite extends UniversalAllowCredentialsWrite {
     DataFlow::Node base;
 
     AllowCredentialsWrite() {
@@ -35,12 +35,12 @@ module GinCors {
     /**
      * Get config struct holding header values
      */
-    DataFlow::Node getBase() { result = base }
+    override DataFlow::Node getBase() { result = base }
 
     /**
      * Get config variable holding header values
      */
-    GinConfig getConfig() {
+    override GinConfig getConfig() {
       exists(GinConfig gc |
         (
           gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
@@ -55,7 +55,7 @@ module GinCors {
   /**
    * A write to the value of Access-Control-Allow-Origins header
    */
-  class AllowOriginsWrite extends DataFlow::ExprNode {
+  class AllowOriginsWrite extends UniversalOriginWrite {
     DataFlow::Node base;
 
     AllowOriginsWrite() {
@@ -69,12 +69,12 @@ module GinCors {
     /**
      * Get config struct holding header values
      */
-    DataFlow::Node getBase() { result = base }
+    override DataFlow::Node getBase() { result = base }
 
     /**
      * Get config variable holding header values
      */
-    GinConfig getConfig() {
+    override GinConfig getConfig() {
       exists(GinConfig gc |
         (
           gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
@@ -89,7 +89,7 @@ module GinCors {
   /**
    * A write to the value of Access-Control-Allow-Origins of value "*", overriding AllowOrigins
    */
-  class AllowAllOriginsWrite extends DataFlow::ExprNode {
+  class AllowAllOriginsWrite extends UniversalAllowAllOriginsWrite {
     DataFlow::Node base;
 
     AllowAllOriginsWrite() {
@@ -103,12 +103,12 @@ module GinCors {
     /**
      * Get config struct holding header values
      */
-    DataFlow::Node getBase() { result = base }
+    override DataFlow::Node getBase() { result = base }
 
     /**
      * Get config variable holding header values
      */
-    GinConfig getConfig() {
+    override GinConfig getConfig() {
       exists(GinConfig gc |
         (
           gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
 
@@ -2,138 +2,165 @@
  * Provides classes for modeling the `github.com/rs/cors` package.
  */
 
- import go
-
- /**
-  * Provides classes for modeling the `github.com/rs/cors` package.
-  */
- module RsCors {
-   /** Gets the package name `github.com/gin-gonic/gin`. */
-   string packagePath() { result = package("github.com/rs/cors", "") }
- 
-   /**
-    * A new function create a new gin Handler that passed to gin as middleware
-    */
-   class New extends Function {
-     New() { exists(Function f | f.hasQualifiedName(packagePath(), "New") | this = f) }
-   }
- 
-   /**
-    * A write to the value of Access-Control-Allow-Credentials header
-    */
-   class AllowCredentialsWrite extends DataFlow::ExprNode {
-     DataFlow::Node base;
- 
-     AllowCredentialsWrite() {
-       exists(Field f, Write w |
-         f.hasQualifiedName(packagePath(), "Options", "AllowCredentials") and
-         w.writesField(base, f, this) and
-         this.getType() instanceof BoolType
-       )
-     }
- 
-     /**
-      * Get config struct holding header values
-      */
-     DataFlow::Node getBase() { result = base }
- 
-     /**
-      * Get config variable holding header values
-      */
-     RsOptions getConfig() {
-       exists(RsOptions gc |
-         (
-           gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
-             base.asInstruction() or
-           gc.getV().getAUse() = base
-         ) and
-         result = gc
-       )
-     }
-   }
- 
-   /**
-    * A write to the value of Access-Control-Allow-Origins header
-    */
-   class AllowOriginsWrite extends DataFlow::ExprNode {
-     DataFlow::Node base;
- 
-     AllowOriginsWrite() {
-       exists(Field f, Write w |
-         f.hasQualifiedName(packagePath(), "Options", "AllowedOrigins") and
-         w.writesField(base, f, this) and
-         this.asExpr() instanceof SliceLit
-       )
-     }
- 
-     /**
-      * Get config struct holding header values
-      */
-     DataFlow::Node getBase() { result = base }
- 
-     /**
-      * Get config variable holding header values
-      */
-     RsOptions getConfig() {
-       exists(RsOptions gc |
-         (
-           gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
-             base.asInstruction() or
-           gc.getV().getAUse() = base
-         ) and
-         result = gc
-       )
-     }
-   }
- 
-   /**
-    * A write to the value of Access-Control-Allow-Origins of value "*", overriding AllowOrigins
-    */
-   class AllowAllOriginsWrite extends DataFlow::ExprNode {
-     DataFlow::Node base;
- 
-     AllowAllOriginsWrite() {
-       exists(Field f, Write w |
-         f.hasQualifiedName(packagePath(), "Options", "AllowAllOrigins") and
-         w.writesField(base, f, this) and
-         this.getType() instanceof BoolType
-       )
-     }
- 
-     /**
-      * Get config struct holding header values
-      */
-     DataFlow::Node getBase() { result = base }
- 
-     /**
-      * Get config variable holding header values
-      */
-     RsOptions getConfig() {
-       exists(RsOptions gc |
-         (
-           gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
-             base.asInstruction() or
-           gc.getV().getAUse() = base
-         ) and
-         result = gc
-       )
-     }
-   }
- 
-   /**
-    * A variable of type Config that holds the headers to be set.
-    */
-   class RsOptions extends Variable {
-     SsaWithFields v;
- 
-     RsOptions() {
-       this = v.getBaseVariable().getSourceVariable() and
-       exists(Type t | t.hasQualifiedName(packagePath(), "Options") | v.getType() = t)
-     }
- 
-     /**
-      * Get variable declaration of GinConfig
-      */
-     SsaWithFields getV() { result = v }
-   }
- }
+import go
+
+/**
+ * Provides abstract class for modeling the Go CORS handler model origin write.
+ */
+abstract class UniversalOriginWrite extends DataFlow::ExprNode {
+  abstract DataFlow::Node getBase();
+
+  abstract Variable getConfig();
+}
+
+/**
+ * Provides abstract class for modeling the Go CORS handler model allow all origins write.
+ */
+abstract class UniversalAllowAllOriginsWrite extends DataFlow::ExprNode {
+  abstract DataFlow::Node getBase();
+
+  abstract Variable getConfig();
+}
+
+/**
+ * Provides abstract class for modeling the Go CORS handler model allow credentials write.
+ */
+abstract class UniversalAllowCredentialsWrite extends DataFlow::ExprNode {
+  abstract DataFlow::Node getBase();
+
+  abstract Variable getConfig();
+}
+
+/**
+ * Provides classes for modeling the `github.com/rs/cors` package.
+ */
+module RsCors {
+  /** Gets the package name `github.com/gin-gonic/gin`. */
+  string packagePath() { result = package("github.com/rs/cors", "") }
+
+  /**
+   * A new function create a new rs Handler
+   */
+  class New extends Function {
+    New() { exists(Function f | f.hasQualifiedName(packagePath(), "New") | this = f) }
+  }
+
+  /**
+   * A write to the value of Access-Control-Allow-Credentials header
+   */
+  class AllowCredentialsWrite extends UniversalAllowCredentialsWrite {
+    DataFlow::Node base;
+
+    AllowCredentialsWrite() {
+      exists(Field f, Write w |
+        f.hasQualifiedName(packagePath(), "Options", "AllowCredentials") and
+        w.writesField(base, f, this) and
+        this.getType() instanceof BoolType
+      )
+    }
+
+    /**
+     * Get options struct holding header values
+     */
+    override DataFlow::Node getBase() { result = base }
+
+    /**
+     * Get options variable holding header values
+     */
+    override RsOptions getConfig() {
+      exists(RsOptions gc |
+        (
+          gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
+            base.asInstruction() or
+          gc.getV().getAUse() = base
+        ) and
+        result = gc
+      )
+    }
+  }
+
+  /**
+   * A write to the value of Access-Control-Allow-Origins header
+   */
+  class AllowOriginsWrite extends UniversalOriginWrite {
+    DataFlow::Node base;
+
+    AllowOriginsWrite() {
+      exists(Field f, Write w |
+        f.hasQualifiedName(packagePath(), "Options", "AllowedOrigins") and
+        w.writesField(base, f, this) and
+        this.asExpr() instanceof SliceLit
+      )
+    }
+
+    /**
+     * Get options struct holding header values
+     */
+    override DataFlow::Node getBase() { result = base }
+
+    /**
+     * Get options variable holding header values
+     */
+    override RsOptions getConfig() {
+      exists(RsOptions gc |
+        (
+          gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
+            base.asInstruction() or
+          gc.getV().getAUse() = base
+        ) and
+        result = gc
+      )
+    }
+  }
+
+  /**
+   * A write to the value of Access-Control-Allow-Origins of value "*", overriding AllowOrigins
+   */
+  class AllowAllOriginsWrite extends UniversalAllowAllOriginsWrite {
+    DataFlow::Node base;
+
+    AllowAllOriginsWrite() {
+      exists(Field f, Write w |
+        f.hasQualifiedName(packagePath(), "Options", "AllowAllOrigins") and
+        w.writesField(base, f, this) and
+        this.getType() instanceof BoolType
+      )
+    }
+
+    /**
+     * Get options struct holding header values
+     */
+    override DataFlow::Node getBase() { result = base }
+
+    /**
+     * Get options variable holding header values
+     */
+    override RsOptions getConfig() {
+      exists(RsOptions gc |
+        (
+          gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
+            base.asInstruction() or
+          gc.getV().getAUse() = base
+        ) and
+        result = gc
+      )
+    }
+  }
+
+  /**
+   * A variable of type Options that holds the headers to be set.
+   */
+  class RsOptions extends Variable {
+    SsaWithFields v;
+
+    RsOptions() {
+      this = v.getBaseVariable().getSourceVariable() and
+      exists(Type t | t.hasQualifiedName(packagePath(), "Options") | v.getType() = t)
+    }
+
+    /**
+     * Get variable declaration of Options
+     */
+    SsaWithFields getV() { result = v }
+  }
+}