Improve additional flow step for Host field

owen-mc · owen-mc · commit 2629369c9358 · 2025-10-01T16:18:05.000+01:00
diff --git a/go/ql/lib/semmle/go/security/RequestForgery.qll b/go/ql/lib/semmle/go/security/RequestForgery.qll
@@ -27,9 +27,8 @@ module RequestForgery {
 
     predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
       // propagate to a URL when its host is assigned to
-      exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
-        w.writesFieldPreUpdate(v.getAUse(), f, pred) and
-        succ = v.getAUse()
+      exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") |
+        w.writesField(succ, f, pred)
       )
     }
 
diff --git a/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
@@ -37,9 +37,10 @@ edges
 | tst.go:10:13:10:35 | call to FormValue | tst.go:38:11:38:29 | ...+... | provenance | Src:MaD:1  |
 | tst.go:10:13:10:35 | call to FormValue | tst.go:40:11:40:40 | ...+... | provenance | Src:MaD:1  |
 | tst.go:10:13:10:35 | call to FormValue | tst.go:47:11:47:18 | tainted2 | provenance | Src:MaD:1  |
-| tst.go:47:2:47:2 | u | tst.go:48:11:48:11 | u | provenance |  |
-| tst.go:47:11:47:18 | tainted2 | tst.go:47:2:47:2 | u | provenance | Config |
-| tst.go:47:11:47:18 | tainted2 | tst.go:48:11:48:11 | u | provenance | Config |
+| tst.go:47:2:47:2 | implicit dereference [postupdate] | tst.go:47:2:47:2 | u [postupdate] | provenance |  |
+| tst.go:47:2:47:2 | u [postupdate] | tst.go:48:11:48:11 | u | provenance |  |
+| tst.go:47:11:47:18 | tainted2 | tst.go:47:2:47:2 | implicit dereference [postupdate] | provenance | Config |
+| tst.go:47:11:47:18 | tainted2 | tst.go:47:2:47:2 | u [postupdate] | provenance | Config |
 | tst.go:48:11:48:11 | u | tst.go:48:11:48:20 | call to String | provenance | MaD:3 |
 | websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | provenance | Src:MaD:2  |
 | websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | provenance | Src:MaD:2  |
@@ -70,7 +71,8 @@ nodes
 | tst.go:36:18:36:24 | tainted | semmle.label | tainted |
 | tst.go:38:11:38:29 | ...+... | semmle.label | ...+... |
 | tst.go:40:11:40:40 | ...+... | semmle.label | ...+... |
-| tst.go:47:2:47:2 | u | semmle.label | u |
+| tst.go:47:2:47:2 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
+| tst.go:47:2:47:2 | u [postupdate] | semmle.label | u [postupdate] |
 | tst.go:47:11:47:18 | tainted2 | semmle.label | tainted2 |
 | tst.go:48:11:48:11 | u | semmle.label | u |
 | tst.go:48:11:48:20 | call to String | semmle.label | call to String |

Original file line number	Diff line number	Diff line change
`@@ -27,9 +27,8 @@ module RequestForgery {`
`27`	`27`
`28`	`28`	`predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {`
`29`	`29`	`// propagate to a URL when its host is assigned to`
`30`		`- exists(Write w, Field f, SsaWithFields v \| f.hasQualifiedName("net/url", "URL", "Host") \|`
`31`		`- w.writesFieldPreUpdate(v.getAUse(), f, pred) and`
`32`		`- succ = v.getAUse()`
	`30`	`+ exists(Write w, Field f \| f.hasQualifiedName("net/url", "URL", "Host") \|`
	`31`	`+ w.writesField(succ, f, pred)`
`33`	`32`	`)`
`34`	`33`	`}`
`35`	`34`