From 05761bc2cd060524c8ae8cfcd141842f0b09f7c9 Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Fri, 27 Mar 2020 04:03:30 -0700
Subject: [PATCH] Address review comments

---
 .../OpenUrlRedirectCustomizations.qll | 23 ++++++++++++-------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll b/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll
index 8582d73684f..5dee255d104 100644
--- a/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll
+++ b/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll
@@ -46,19 +46,26 @@ module OpenUrlRedirect {
 UntrustedFlowAsSource() {
 // exclude some fields and methods of URLs that are generally not attacker-controllable for
 // open redirect exploits
- not exists(string fieldName |
- this.(DataFlow::FieldReadNode).getField().hasQualifiedName("net/http", "Request", fieldName)
+ not exists(Field f, string fieldName |
+ f.hasQualifiedName("net/http", "Request", fieldName) and
+ this = f.getARead()
 |
- fieldName = "Header" or fieldName = "Trailer"
+ fieldName = "Body" or
+ fieldName = "GetBody" or
+ fieldName = "PostForm" or
+ fieldName = "MultipartForm" or
+ fieldName = "Header" or
+ fieldName = "Trailer"
 ) and
- not exists(string methName |
- this
- .(DataFlow::MethodCallNode)
- .getTarget()
- .hasQualifiedName("net/http", "Request", methName)
+ not exists(Method m, string methName |
+ m.hasQualifiedName("net/http", "Request", methName) and
+ this = m.getACall()
 |
 methName = "Cookie" or
 methName = "Cookies" or
+ methName = "FormValue" or
+ methName = "MultipartReader" or
+ methName = "PostFormValues" or
 methName = "Referer" or
 methName = "UserAgent"
 )
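Review bot: The added disjunct `methName = "PostFormValues" or` names a method that does not exist on `net/http.Request`; the Go API is `PostFormValue` (singular), so this line never matches and `r.PostFormValue(...)` stays a source while `PostForm` field reads are excluded — change it to `methName = "PostFormValue" or`. In the same list, `methName = "FormValue" or` is questionable for a redirect sink: `Request.FormValue` consults `r.Form`, which includes URL query parameters, so `http.Redirect(w, r, r.FormValue("next"), ...)` — reachable via a crafted link — would no longer be reported while a read of the `Form` field (not in the excluded-field list above) still is; unless `FormValue` is modeled as a source elsewhere, it should probably stay in. The existing comment "generally not attacker-controllable" no longer fits the new entries (Body, PostForm, MultipartForm are attacker-controlled, just not settable through a link), so I would reword it to `// exclude fields and methods that are only populated from the request body, trailers or headers, which cannot be set via a crafted link and so rarely give an open redirect`. The constructor `UntrustedFlowAsSource()` closes outside the hunk.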