From 49aa43bd49c8ac1b093cdb2d388c8b02f2ca260d Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Tue, 24 Mar 2020 02:52:09 -0700
Subject: [PATCH] Make header `Get` and `Values` calls into taint steps
---
 ql/src/semmle/go/frameworks/HTTP.qll | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/ql/src/semmle/go/frameworks/HTTP.qll b/ql/src/semmle/go/frameworks/HTTP.qll
index 20da009e8d1..d6554b25f49 100644
--- a/ql/src/semmle/go/frameworks/HTTP.qll
+++ b/ql/src/semmle/go/frameworks/HTTP.qll
@@ -15,12 +15,20 @@ private module StdlibHttp {
 }
 }
 
- private class HeaderGetCall extends UntrustedFlowSource::Range, DataFlow::MethodCallNode {
- HeaderGetCall() { this.getTarget().hasQualifiedName("net/http", "Header", "Get") }
+ private class HeaderGet extends TaintTracking::FunctionModel, Method {
+ HeaderGet() { this.hasQualifiedName("net/http", "Header", "Get") }
+
+ override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+ inp.isReceiver() and outp.isResult()
+ }
 }
 
- private class HeaderValuesCall extends UntrustedFlowSource::Range, DataFlow::MethodCallNode {
- HeaderValuesCall() { this.getTarget().hasQualifiedName("net/http", "Header", "Values") }
+ private class HeaderValues extends TaintTracking::FunctionModel, Method {
+ HeaderValues() { this.hasQualifiedName("net/http", "Header", "Values") }
+
+ override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+ inp.isReceiver() and outp.isResult()
+ }
 }
 
 private class StdlibResponseWriter extends HTTP::ResponseWriter::Range {
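Review bot: `HeaderGet` and `HeaderValues` only propagate taint from an already-tainted `http.Header` receiver, so once the removed `UntrustedFlowSource::Range` classes are gone, header reads are reported only if some other model marks the header map itself as untrusted; that source is not visible in this hunk, and `StdlibHttp` begins and ends outside it. Please confirm, ideally with a library test, that a read such as `req.Header.Get("X")` still reaches a sink, and check whether `Header` values obtained another way (for instance from an `http.Response`) were meant to stop being sources. Each class would also benefit from a QLDoc line stating this dependency, e.g. `/** Models taint flow from a net/http Header receiver to the result of Get; the header itself must be a source elsewhere. */`.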