From 9321ff91101b48135f21c9395f5c9b2c597d24a1 Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Tue, 24 Mar 2020 08:47:52 -0700
Subject: [PATCH] OpenUrlRedirect: Add support for url.Host reassignments

---
 ql/src/semmle/go/security/OpenUrlRedirect.qll | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/ql/src/semmle/go/security/OpenUrlRedirect.qll b/ql/src/semmle/go/security/OpenUrlRedirect.qll
index 4fe1a53563c..d2ced212267 100644
--- a/ql/src/semmle/go/security/OpenUrlRedirect.qll
+++ b/ql/src/semmle/go/security/OpenUrlRedirect.qll
@@ -41,9 +41,21 @@ module OpenUrlRedirect {
 or
 // taint steps that do not include flow through fields
 TaintTracking::localTaintStep(pred, succ) and
 not TaintTracking::fieldReadStep(pred, succ)
+ or
+ // propagate to a URL when its host is assigned to
+ exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
+ w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()
+ )
 }
- override predicate isBarrierOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }
+ override predicate isBarrierOut(DataFlow::Node node) {
+ // block propagation of this unsafe value when its host is overwritten
+ exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") |
+ w.writesField(node.getASuccessor(), f, _)
+ )
+ or
+ hostnameSanitizingPrefixEdge(node, _)
+ }
 override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
 guard instanceof BarrierGuard
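Review bot: Both new `exists` bodies are insensitive to where the write `w` sits relative to the use they connect: in the added flow step `succ = v.getAUse()` ranges over every use of `v`, so, assuming `SsaWithFields` uses are not split at a field write, a tainted value assigned to `u.Host` is also propagated to a `u` that was already passed to a redirect earlier in the function (a false positive); symmetrically, the new `isBarrierOut` clause cuts all flow out of `node` as soon as any successor is the base of a `Host` write, which would also hide a redirect that happens before the sanitizing overwrite (a false negative). If the IR/SSA layer exposes ordering between `w` and a use (dominance or control-flow reachability), both clauses should be constrained with it — the flow step to uses reachable after `w`, the barrier to uses dominated by `w`; if that is not available, the comment should say the step is flow-insensitive, e.g. `// note: flow-insensitive — the write is related to every use of v, not only those after it`. The condition `f.hasQualifiedName("net/url", "URL", "Host")` now appears in both predicates; a small helper such as `predicate isUrlHostWrite(Write w, DataFlow::Node base, DataFlow::Node rhs)` would keep them in sync. The enclosing `isAdditionalFlowStep` predicate begins before this hunk.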