From 8a306af77b65bf9d25fc913cf89178646d9a32a8 Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Thu, 5 Nov 2020 21:36:36 -0800
Subject: [PATCH] Make HTTP::ResponseWriter handle PostUpdateNodes in getANode
---
 ql/src/semmle/go/Concepts.qll | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/ql/src/semmle/go/Concepts.qll b/ql/src/semmle/go/Concepts.qll
index e84569852dd..9ea5f5e4056 100644
--- a/ql/src/semmle/go/Concepts.qll
+++ b/ql/src/semmle/go/Concepts.qll
@@ -366,7 +366,12 @@ module HTTP {
 * extend `HTTP::ResponseWriter` instead.
 */
 abstract class Range extends Variable {
- /** Gets a data-flow node that is a use of this response writer. */
+ /**
+ * Gets a data-flow node that is a use of this response writer.
+ *
+ * Note that `PostUpdateNode`s for nodes that this predicate gets do not need to be
+ * included, as they are handled by the concrete `ResponseWriter`'s `getANode`.
+ */
 abstract DataFlow::Node getANode();
 }
 }
@@ -392,7 +397,10 @@ module HTTP {
 Redirect getARedirect() { result.getResponseWriter() = this }
 /** Gets a data-flow node that is a use of this response writer. */
- DataFlow::Node getANode() { result = self.getANode() }
+ DataFlow::Node getANode() {
+ result = self.getANode() or
+ result.(DataFlow::PostUpdateNode).getPreUpdateNode() = self.getANode()
+ }
 }
 /** Provides a class for modeling new HTTP header-write APIs. */
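Review bot: The doc comment above the concrete `getANode()` in the second hunk still reads "a use of this response writer", although the predicate now also returns every `DataFlow::PostUpdateNode` whose pre-update node is such a use. It should state that, e.g. `/** Gets a data-flow node that is a use of this response writer, or the post-update node of such a use. */`. The new `Range` comment in the first hunk tells implementers to rely on this behaviour, so the contract belongs on the predicate that provides it. The result set also widens for every existing caller of `getANode()`, and the diffstat lists only `Concepts.qll`, so it is worth confirming that the queries matching response-writer nodes have expected-output coverage for the added nodes. The enclosing class begins outside the hunk.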