diff --git a/go/ql/lib/semmle/go/security/RequestForgery.qll b/go/ql/lib/semmle/go/security/RequestForgery.qll index 0cd86b12abb..03b6f9ac0b0 100644 --- a/go/ql/lib/semmle/go/security/RequestForgery.qll +++ b/go/ql/lib/semmle/go/security/RequestForgery.qll @@ -27,9 +27,8 @@ module RequestForgery { predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { // propagate to a URL when its host is assigned to - exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") | - w.writesFieldPreUpdate(v.getAUse(), f, pred) and - succ = v.getAUse() + exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") | + w.writesField(succ, f, pred) ) } diff --git a/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected index 188abc9c7f9..129613a3f1a 100644 --- a/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected +++ b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected @@ -37,9 +37,10 @@ edges | tst.go:10:13:10:35 | call to FormValue | tst.go:38:11:38:29 | ...+... | provenance | Src:MaD:1 | | tst.go:10:13:10:35 | call to FormValue | tst.go:40:11:40:40 | ...+... | provenance | Src:MaD:1 | | tst.go:10:13:10:35 | call to FormValue | tst.go:47:11:47:18 | tainted2 | provenance | Src:MaD:1 | -| tst.go:47:2:47:2 | u | tst.go:48:11:48:11 | u | provenance | | -| tst.go:47:11:47:18 | tainted2 | tst.go:47:2:47:2 | u | provenance | Config | -| tst.go:47:11:47:18 | tainted2 | tst.go:48:11:48:11 | u | provenance | Config | +| tst.go:47:2:47:2 | implicit dereference [postupdate] | tst.go:47:2:47:2 | u [postupdate] | provenance | | +| tst.go:47:2:47:2 | u [postupdate] | tst.go:48:11:48:11 | u | provenance | | +| tst.go:47:11:47:18 | tainted2 | tst.go:47:2:47:2 | implicit dereference [postupdate] | provenance | Config | +| tst.go:47:11:47:18 | tainted2 | tst.go:47:2:47:2 | u [postupdate] | provenance | Config | | tst.go:48:11:48:11 | u | tst.go:48:11:48:20 | call to String | provenance | MaD:3 | | websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | provenance | Src:MaD:2 | | websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | provenance | Src:MaD:2 | @@ -70,7 +71,8 @@ nodes | tst.go:36:18:36:24 | tainted | semmle.label | tainted | | tst.go:38:11:38:29 | ...+... | semmle.label | ...+... | | tst.go:40:11:40:40 | ...+... | semmle.label | ...+... | -| tst.go:47:2:47:2 | u | semmle.label | u | +| tst.go:47:2:47:2 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] | +| tst.go:47:2:47:2 | u [postupdate] | semmle.label | u [postupdate] | | tst.go:47:11:47:18 | tainted2 | semmle.label | tainted2 | | tst.go:48:11:48:11 | u | semmle.label | u | | tst.go:48:11:48:20 | call to String | semmle.label | call to String |