diff --git a/ql/src/Security/CWE-918/RequestForgery.qhelp b/ql/src/Security/CWE-918/RequestForgery.qhelp
index 9692adeb016..c9937e5669f 100644
--- a/ql/src/Security/CWE-918/RequestForgery.qhelp
+++ b/ql/src/Security/CWE-918/RequestForgery.qhelp
@@ -19,8 +19,8 @@ requests to other servers, potentially resulting in a DDOS attack.

 To guard against request forgery, it is advisable to avoid putting user input directly into a
-network request. If a flexible network request mechanism is required, it is recommended tomaintain a
-list of authorized request targets and choose from that list based on the user input provided.
+network request. If a flexible network request mechanism is required, it is recommended to maintain
+a list of authorized request targets and choose from that list based on the user input provided.

diff --git a/ql/src/semmle/go/frameworks/HTTP.qll b/ql/src/semmle/go/frameworks/HTTP.qll
index 6b4f3cc4a01..44e0cd23533 100644
--- a/ql/src/semmle/go/frameworks/HTTP.qll
+++ b/ql/src/semmle/go/frameworks/HTTP.qll
@@ -201,22 +201,21 @@ private module StdlibHttp {
 ClientDo() { this.getTarget().hasQualifiedName("net/http", "Client", "Do") }
 override DataFlow::Node getUrl() {
- exists(DataFlow::CallNode call, FunctionOutput outp |
- call.getTarget().hasQualifiedName("net/http", "NewRequest") and
- outp.isResult(0)
- |
- this.getArgument(0) = outp.getNode(call).getASuccessor*() and
+ // A URL passed to `NewRequest`, whose result is passed to this `Do` call
+ exists(DataFlow::CallNode call | call.getTarget().hasQualifiedName("net/http", "NewRequest") |
+ this.getArgument(0) = call.getResult(0).getASuccessor*() and
 result = call.getArgument(1)
 )
 or
- exists(DataFlow::CallNode call, FunctionOutput outp |
- call.getTarget().hasQualifiedName("net/http", "NewRequestWithContext") and
- outp.isResult(0)
+ // A URL passed to `NewRequestWithContext`, whose result is passed to this `Do` call
+ exists(DataFlow::CallNode call |
+ call.getTarget().hasQualifiedName("net/http", "NewRequestWithContext")
 |
- this.getArgument(0) = outp.getNode(call).getASuccessor*() and
+ this.getArgument(0) = call.getResult(0).getASuccessor*() and
 result = call.getArgument(2)
 )
 or
+ // A URL assigned to a request that is passed to this `Do` call
 exists(Write w, Field f |
 f.hasQualifiedName("net/http", "Request", "URL") and
 w.writesField(this.getArgument(0).getAPredecessor*(), f, result)