Make SafeUrlFlow test more comprehensive (failing)

owen-mc · owen-mc · commit 095881ee1745 · 2025-10-01T12:05:00.000+01:00
diff --git a/go/ql/test/library-tests/semmle/go/security/SafeUrlFlow/SafeUrlFlow.expected b/go/ql/test/library-tests/semmle/go/security/SafeUrlFlow/SafeUrlFlow.expected
@@ -16,17 +16,19 @@
 | SafeUrlFlow.go:71:39:71:54 | call to String | SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:71:39:71:54 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:55:13:55:19 | selection of URL | here |
 | SafeUrlFlow.go:75:70:75:85 | call to String | SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:75:70:75:85 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:55:13:55:19 | selection of URL | here |
 | SafeUrlFlow.go:79:40:79:55 | call to String | SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:79:40:79:55 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:55:13:55:19 | selection of URL | here |
-| SafeUrlFlow.go:90:24:90:41 | call to String | SafeUrlFlow.go:85:10:85:17 | selection of Host | SafeUrlFlow.go:90:24:90:41 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:85:10:85:17 | selection of Host | here |
-| SafeUrlFlow.go:111:11:111:23 | reconstructed | SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:111:11:111:23 | reconstructed | A safe URL flows here from $@. | SafeUrlFlow.go:101:13:101:19 | selection of URL | here |
-| SafeUrlFlow.go:114:24:114:46 | ...+... | SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:114:24:114:46 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:101:13:101:19 | selection of URL | here |
-| SafeUrlFlow.go:115:29:115:54 | ...+... | SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:115:29:115:54 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:101:13:101:19 | selection of URL | here |
-| SafeUrlFlow.go:116:12:116:38 | ...+... | SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:116:12:116:38 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:101:13:101:19 | selection of URL | here |
-| SafeUrlFlow.go:117:12:117:21 | opaquePart | SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:117:12:117:21 | opaquePart | A safe URL flows here from $@. | SafeUrlFlow.go:101:13:101:19 | selection of URL | here |
+| SafeUrlFlow.go:93:11:93:28 | call to String | SafeUrlFlow.go:85:10:85:17 | selection of Host | SafeUrlFlow.go:93:11:93:28 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:85:10:85:17 | selection of Host | here |
+| SafeUrlFlow.go:107:11:107:23 | reconstructed | SafeUrlFlow.go:97:13:97:19 | selection of URL | SafeUrlFlow.go:107:11:107:23 | reconstructed | A safe URL flows here from $@. | SafeUrlFlow.go:97:13:97:19 | selection of URL | here |
+| SafeUrlFlow.go:110:24:110:46 | ...+... | SafeUrlFlow.go:97:13:97:19 | selection of URL | SafeUrlFlow.go:110:24:110:46 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:97:13:97:19 | selection of URL | here |
+| SafeUrlFlow.go:111:29:111:54 | ...+... | SafeUrlFlow.go:97:13:97:19 | selection of URL | SafeUrlFlow.go:111:29:111:54 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:97:13:97:19 | selection of URL | here |
+| SafeUrlFlow.go:112:12:112:38 | ...+... | SafeUrlFlow.go:97:13:97:19 | selection of URL | SafeUrlFlow.go:112:12:112:38 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:97:13:97:19 | selection of URL | here |
+| SafeUrlFlow.go:113:12:113:21 | opaquePart | SafeUrlFlow.go:97:13:97:19 | selection of URL | SafeUrlFlow.go:113:12:113:21 | opaquePart | A safe URL flows here from $@. | SafeUrlFlow.go:97:13:97:19 | selection of URL | here |
 edges
 | SafeUrlFlow.go:10:10:10:17 | selection of Host | SafeUrlFlow.go:11:24:11:46 | ...+... | provenance | Sink:MaD:1 |
 | SafeUrlFlow.go:10:10:10:17 | selection of Host | SafeUrlFlow.go:17:19:17:22 | host | provenance |  |
 | SafeUrlFlow.go:13:13:13:19 | selection of URL | SafeUrlFlow.go:14:29:14:35 | baseURL | provenance | Src:MaD:2  |
 | SafeUrlFlow.go:14:29:14:35 | baseURL | SafeUrlFlow.go:14:29:14:44 | call to String | provenance | MaD:3 |
+| SafeUrlFlow.go:17:2:17:10 | targetURL | SafeUrlFlow.go:18:11:18:19 | targetURL | provenance |  |
+| SafeUrlFlow.go:17:19:17:22 | host | SafeUrlFlow.go:17:2:17:10 | targetURL | provenance | Config |
 | SafeUrlFlow.go:17:19:17:22 | host | SafeUrlFlow.go:18:11:18:19 | targetURL | provenance | Config |
 | SafeUrlFlow.go:18:11:18:19 | targetURL | SafeUrlFlow.go:18:11:18:28 | call to String | provenance | MaD:3 |
 | SafeUrlFlow.go:37:13:37:19 | selection of URL | SafeUrlFlow.go:47:24:47:57 | ...+... | provenance | Src:MaD:2 Sink:MaD:1 |
@@ -55,13 +57,15 @@ edges
 | SafeUrlFlow.go:75:70:75:76 | baseURL | SafeUrlFlow.go:75:70:75:85 | call to String | provenance | MaD:3 |
 | SafeUrlFlow.go:79:40:79:46 | baseURL | SafeUrlFlow.go:79:40:79:55 | call to String | provenance | MaD:3 |
 | SafeUrlFlow.go:85:10:85:17 | selection of Host | SafeUrlFlow.go:88:19:88:22 | host | provenance |  |
-| SafeUrlFlow.go:88:19:88:22 | host | SafeUrlFlow.go:90:24:90:32 | targetURL | provenance | Config |
-| SafeUrlFlow.go:90:24:90:32 | targetURL | SafeUrlFlow.go:90:24:90:41 | call to String | provenance | MaD:3 Sink:MaD:1 |
-| SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:111:11:111:23 | reconstructed | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:114:24:114:46 | ...+... | provenance | Src:MaD:2 Sink:MaD:1 |
-| SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:115:29:115:54 | ...+... | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:116:12:116:38 | ...+... | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:117:12:117:21 | opaquePart | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:88:19:88:22 | host | SafeUrlFlow.go:92:2:92:10 | targetURL | provenance | Config |
+| SafeUrlFlow.go:88:19:88:22 | host | SafeUrlFlow.go:93:11:93:19 | targetURL | provenance | Config |
+| SafeUrlFlow.go:92:2:92:10 | targetURL | SafeUrlFlow.go:93:11:93:19 | targetURL | provenance |  |
+| SafeUrlFlow.go:93:11:93:19 | targetURL | SafeUrlFlow.go:93:11:93:28 | call to String | provenance | MaD:3 |
+| SafeUrlFlow.go:97:13:97:19 | selection of URL | SafeUrlFlow.go:107:11:107:23 | reconstructed | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:97:13:97:19 | selection of URL | SafeUrlFlow.go:110:24:110:46 | ...+... | provenance | Src:MaD:2 Sink:MaD:1 |
+| SafeUrlFlow.go:97:13:97:19 | selection of URL | SafeUrlFlow.go:111:29:111:54 | ...+... | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:97:13:97:19 | selection of URL | SafeUrlFlow.go:112:12:112:38 | ...+... | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:97:13:97:19 | selection of URL | SafeUrlFlow.go:113:12:113:21 | opaquePart | provenance | Src:MaD:2  |
 models
 | 1 | Sink: net/http; ; false; Redirect; ; ; Argument[2]; url-redirection[0]; manual |
 | 2 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
@@ -72,6 +76,7 @@ nodes
 | SafeUrlFlow.go:13:13:13:19 | selection of URL | semmle.label | selection of URL |
 | SafeUrlFlow.go:14:29:14:35 | baseURL | semmle.label | baseURL |
 | SafeUrlFlow.go:14:29:14:44 | call to String | semmle.label | call to String |
+| SafeUrlFlow.go:17:2:17:10 | targetURL | semmle.label | targetURL |
 | SafeUrlFlow.go:17:19:17:22 | host | semmle.label | host |
 | SafeUrlFlow.go:18:11:18:19 | targetURL | semmle.label | targetURL |
 | SafeUrlFlow.go:18:11:18:28 | call to String | semmle.label | call to String |
@@ -104,12 +109,16 @@ nodes
 | SafeUrlFlow.go:79:40:79:55 | call to String | semmle.label | call to String |
 | SafeUrlFlow.go:85:10:85:17 | selection of Host | semmle.label | selection of Host |
 | SafeUrlFlow.go:88:19:88:22 | host | semmle.label | host |
-| SafeUrlFlow.go:90:24:90:32 | targetURL | semmle.label | targetURL |
-| SafeUrlFlow.go:90:24:90:41 | call to String | semmle.label | call to String |
-| SafeUrlFlow.go:101:13:101:19 | selection of URL | semmle.label | selection of URL |
-| SafeUrlFlow.go:111:11:111:23 | reconstructed | semmle.label | reconstructed |
-| SafeUrlFlow.go:114:24:114:46 | ...+... | semmle.label | ...+... |
-| SafeUrlFlow.go:115:29:115:54 | ...+... | semmle.label | ...+... |
-| SafeUrlFlow.go:116:12:116:38 | ...+... | semmle.label | ...+... |
-| SafeUrlFlow.go:117:12:117:21 | opaquePart | semmle.label | opaquePart |
+| SafeUrlFlow.go:92:2:92:10 | targetURL | semmle.label | targetURL |
+| SafeUrlFlow.go:93:11:93:19 | targetURL | semmle.label | targetURL |
+| SafeUrlFlow.go:93:11:93:28 | call to String | semmle.label | call to String |
+| SafeUrlFlow.go:97:13:97:19 | selection of URL | semmle.label | selection of URL |
+| SafeUrlFlow.go:107:11:107:23 | reconstructed | semmle.label | reconstructed |
+| SafeUrlFlow.go:110:24:110:46 | ...+... | semmle.label | ...+... |
+| SafeUrlFlow.go:111:29:111:54 | ...+... | semmle.label | ...+... |
+| SafeUrlFlow.go:112:12:112:38 | ...+... | semmle.label | ...+... |
+| SafeUrlFlow.go:113:12:113:21 | opaquePart | semmle.label | opaquePart |
 subpaths
+testFailures
+| SafeUrlFlow.go:90:62:90:71 | comment | Missing result: Alert |
+| SafeUrlFlow.go:93:11:93:28 | call to String | Unexpected result: Alert |
diff --git a/go/ql/test/library-tests/semmle/go/security/SafeUrlFlow/SafeUrlFlow.go b/go/ql/test/library-tests/semmle/go/security/SafeUrlFlow/SafeUrlFlow.go
@@ -88,13 +88,9 @@ func testHostFieldAssignmentFlow(w http.ResponseWriter, req *http.Request) {
 	targetURL.Host = host // additional flow step from Host field to URL struct
 
 	http.Redirect(w, req, targetURL.String(), http.StatusFound) // $ Alert
-}
-
-func testHostFieldOverwritten(w http.ResponseWriter, req *http.Request) {
-	baseURL := req.URL
 
-	baseURL.Host = "something.else.com" // barrier edge (Host field overwritten) blocks flow here
-	http.Get(baseURL.String())
+	targetURL.Host = "something.else.com" // barrier edge (Host field overwritten) blocks flow here
+	http.Get(targetURL.String())
 }
 
 func testFieldAccess(w http.ResponseWriter, req *http.Request) {
