Go: exclude net/http.Header.Set and .Del from go/untrusted-data-to-external-api

These functions (and doubtless many others) are write-only with respect to their receiver argument, so it doesn't really make sense to flag externally-controlled data flowing there.

go/ql/lib/semmle/go/security/ExternalAPIs.qll

@@ -19,6 +19,16 @@ abstract class SafeExternalApiFunction extends Function { }
 /** DEPRECATED: Alias for SafeExternalApiFunction */
 deprecated class SafeExternalAPIFunction = SafeExternalApiFunction;
 
+/**
+ * A `Function` with one or more arguments that are considered "safe" from a security perspective.
+ */
+abstract class SafeExternalApiArgument extends Function {
+  /**
+   * Holds if `i` is a safe argument to this function.
+   */
+  abstract predicate isSafeArgument(int i);
+}
+
 private predicate isDefaultSafePackage(Package package) {
   package.getPath() in ["time", "unicode/utf8", package("gopkg.in/go-playground/validator", "")]
 }
@@ -44,6 +54,16 @@ private class DefaultSafeExternalApiFunction extends SafeExternalApiFunction {
   }
 }
 
+private class DefaultSafeExternalApiFunctionArgument extends SafeExternalApiArgument {
+  int index;
+
+  DefaultSafeExternalApiFunctionArgument() {
+    this.(Method).hasQualifiedName("net/http", "Header", ["Set", "Del"]) and index = -1
+  }
+
+  override predicate isSafeArgument(int i) { i = index }
+}
+
 /** Holds if `callNode` is a local function pointer. */
 private predicate isProbableLocalFunctionPointer(DataFlow::CallNode callNode) {
   // Not a method call
@@ -77,7 +97,9 @@ class ExternalApiDataNode extends DataFlow::Node {
     // Not already modeled as a taint step
     not TaintTracking::localTaintStep(this, _) and
     // Not a call to a known safe external API
-    not call.getTarget() instanceof SafeExternalApiFunction
+    not call.getTarget() instanceof SafeExternalApiFunction and
+    // Not a known safe argument to an external API
+    not any(SafeExternalApiArgument seaa).isSafeArgument(i)
   }
 
   /** Gets the called API `Function`. */