From 7e314f037ade1ef5117739bbb78dcc7980a57da5 Mon Sep 17 00:00:00 2001
From: Max Schaefer
Date: Wed, 20 May 2020 14:27:00 +0100
Subject: [PATCH 1/5] Fix frontend errors in ql/test/library-tests/semmle/go/Packages.
---
.../semmle/go/Packages/package.expected | 2 ++
.../semmle/go/Packages/package.ql | 18 +++++++++++++++
.../semmle/go/Packages/packagePredicate.go | 22 -------------------
.../semmle/go/Packages/predicate.expected | 2 --
.../semmle/go/Packages/predicate.ql | 8 -------
5 files changed, 20 insertions(+), 32 deletions(-)
create mode 100644 ql/test/library-tests/semmle/go/Packages/package.expected
create mode 100644 ql/test/library-tests/semmle/go/Packages/package.ql
delete mode 100644 ql/test/library-tests/semmle/go/Packages/packagePredicate.go
delete mode 100644 ql/test/library-tests/semmle/go/Packages/predicate.expected
delete mode 100644 ql/test/library-tests/semmle/go/Packages/predicate.ql
diff --git a/ql/test/library-tests/semmle/go/Packages/package.expected b/ql/test/library-tests/semmle/go/Packages/package.expected
new file mode 100644
index 00000000000..256819c6151
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/Packages/package.expected
@@ -0,0 +1,2 @@
+| PackageName/test |
+| PackageName/v2/test |
diff --git a/ql/test/library-tests/semmle/go/Packages/package.ql b/ql/test/library-tests/semmle/go/Packages/package.ql
new file mode 100644
index 00000000000..ff083b52aa7
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/Packages/package.ql
@@ -0,0 +1,18 @@
+import go
+
+from string path
+where
+ (
+ path = "PackageName/v2/test" or // OK
+ path = "PackageName/test" or // OK
+ path = "PackageName//v//test" or // NOT OK
+ path = "PackageName//v/test" or // NOT OK
+ path = "PackageName/v//test" or // NOT OK
+ path = "PackageName/v/asd/v2/test" or // NOT OK
+ path = "PackageName/v/test" or // NOT OK
+ path = "PackageName//v2//test" or // NOT OK
+ path = "PackageName//v2/test" or // NOT OK
+ path = "PackageName/v2//test" // NOT OK
+ ) and
+ path = package("PackageName", "test")
+select path
diff --git a/ql/test/library-tests/semmle/go/Packages/packagePredicate.go b/ql/test/library-tests/semmle/go/Packages/packagePredicate.go
deleted file mode 100644
index dc0500dd1a3..00000000000
--- a/ql/test/library-tests/semmle/go/Packages/packagePredicate.go
+++ /dev/null
@@ -1,22 +0,0 @@
-package main
-
-import (
- "fmt"
-
- _ "PackageName//v//test" // Not OK
- _ "PackageName//v/test" // Not OK
- _ "PackageName/test" // OK
- _ "PackageName/v//test" // Not OK
- _ "PackageName/v/asd/v2/test" // Not OK
- _ "PackageName/v/test" // Not OK
-
- _ "PackageName//v2//test" // Not OK
- _ "PackageName//v2/test" // Not OK
- _ "PackageName/v2//test" // Not OK
- _ "PackageName/v2/test" //OK
-)
-
-func main() {
- pkg.Foo()
- fmt.Println("")
-}
diff --git a/ql/test/library-tests/semmle/go/Packages/predicate.expected b/ql/test/library-tests/semmle/go/Packages/predicate.expected
deleted file mode 100644
index fb9cf20d4d2..00000000000
--- a/ql/test/library-tests/semmle/go/Packages/predicate.expected
+++ /dev/null
@@ -1,2 +0,0 @@
-| package PackageName/test | PackageName/test |
-| package PackageName/v2/test | PackageName/v2/test |
diff --git a/ql/test/library-tests/semmle/go/Packages/predicate.ql b/ql/test/library-tests/semmle/go/Packages/predicate.ql
deleted file mode 100644
index 9a4cdd003ce..00000000000
--- a/ql/test/library-tests/semmle/go/Packages/predicate.ql
+++ /dev/null
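Review bot: package.ql carries no comment saying what it checks, so the `// OK` / `// NOT OK` markers on the `path = …` disjuncts are only readable once you work out that they mean "should / should not be a result of `package("PackageName", "test")`"; a line above `from` such as `// Candidate import paths; only the ones marked OK should be produced by package("PackageName", "test").` would fix that. The candidates also exercise the major-version suffix only with `v2`: there is no multi-digit version (a constructed example would be `PackageName/v10/test`) and no row with a different module prefix. If framework and sink models match versioned import paths through this predicate, as its use here suggests, one or two more rows would guard against a model silently missing a package.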
@@ -1,8 +0,0 @@
-import go
-
-from Package pkg, string mod, string path
-where
- packages(pkg, _, package(mod, path), _) and
- mod = "PackageName" and
- path = "test"
-select pkg, pkg.getPath()
From 77738283476c2c734bbd8a438d2a280d25de1ae2 Mon Sep 17 00:00:00 2001
From: Max Schaefer
Date: Wed, 20 May 2020 14:34:22 +0100
Subject: [PATCH 2/5] Fix frontend errors in ql/test/library-tests/semmle/go/frameworks/Websocket.
---
.../go/frameworks/Websocket/DialFunction.expected | 8 ++++----
.../semmle/go/frameworks/Websocket/DialFunction.go | 11 +++++------
2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.expected b/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.expected
index e714b20e5d6..c68fd7f8357 100644
--- a/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.expected
+++ b/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.expected
@@ -1,8 +1,8 @@ -| DialFunction.go:25:11:25:52 | call to Dial | DialFunction.go:25:26:25:39 | untrustedInput | -| DialFunction.go:28:12:28:39 | call to DialConfig | DialFunction.go:27:35:27:48 | untrustedInput | +| DialFunction.go:25:2:25:43 | call to Dial | DialFunction.go:25:17:25:30 | untrustedInput | +| DialFunction.go:28:2:28:29 | call to DialConfig | DialFunction.go:27:35:27:48 | untrustedInput | | DialFunction.go:30:2:30:49 | call to Dial | DialFunction.go:30:30:30:43 | untrustedInput | -| DialFunction.go:33:2:33:38 | call to Dial | DialFunction.go:33:14:33:27 | untrustedInput | -| DialFunction.go:35:2:35:61 | call to DialContext | DialFunction.go:35:37:35:50 | untrustedInput | +| DialFunction.go:33:2:33:33 | call to Dial | DialFunction.go:33:14:33:27 | untrustedInput | +| DialFunction.go:35:2:35:56 | call to DialContext | DialFunction.go:35:37:35:50 | untrustedInput | | DialFunction.go:37:2:37:44 | call to Dial | DialFunction.go:37:30:37:43 | untrustedInput | | DialFunction.go:40:2:40:45 | call to Dial | DialFunction.go:40:31:40:44 | untrustedInput | | DialFunction.go:42:2:42:31 | call to BuildProxy | DialFunction.go:42:17:42:30 | untrustedInput | diff --git a/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.go b/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.go index 520bd08f945..a1153b8d8e4 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.go +++ b/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.go 
@@ -17,22 +17,22 @@ import ( ) func main() { - untrustedInput := r.Referer() + untrustedInput := "referrer" origin := "http://localhost/" // bad as input is directly passed to dial function - ws, _ := websocket.Dial(untrustedInput, "", origin) + websocket.Dial(untrustedInput, "", origin) config, _ := websocket.NewConfig(untrustedInput, origin) // good - ws2, _ := websocket.DialConfig(config) + websocket.DialConfig(config) nhooyr.Dial(context.TODO(), untrustedInput, nil) dialer := gorilla.Dialer{} - dialer.Dial(untrustedInput, r.Header) + dialer.Dial(untrustedInput, nil) - dialer.DialContext(context.TODO(), untrustedInput, r.Header) + dialer.DialContext(context.TODO(), untrustedInput, nil) gobwas.Dial(context.TODO(), untrustedInput) @@ -41,5 +41,4 @@ func main() { sac.BuildProxy(untrustedInput) sac.New(untrustedInput) - } From b871f54e4dbc8dcf3b96b43a0bfd77e7300cabb4 Mon Sep 17 00:00:00 2001 From: Max Schaefer Date: Wed, 20 May 2020 14:34:36 +0100 Subject: [PATCH 3/5] Fix frontend error in ql/test/query-tests/Security/CWE-079. --- ql/test/query-tests/Security/CWE-079/tst.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/test/query-tests/Security/CWE-079/tst.go b/ql/test/query-tests/Security/CWE-079/tst.go index 76bb3d8fe4c..dfdf3bbf6b0 100644 --- a/ql/test/query-tests/Security/CWE-079/tst.go +++ b/ql/test/query-tests/Security/CWE-079/tst.go @@ -65,7 +65,7 @@ func serve9(log io.Writer) { r.ParseForm() username := r.Form.Get("username") // OK: not a ResponseWriter - log.Write(username) + log.Write([]byte(username)) }) http.ListenAndServe(":80", nil) } From ed3a06ea5ddb38d9f2a33ca27656a622c79c48ab Mon Sep 17 00:00:00 2001 From: Max Schaefer Date: Wed, 20 May 2020 14:35:01 +0100 Subject: [PATCH 4/5] Autoformat QL. --- .../go/security/AllocationSizeOverflowCustomizations.qll | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
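Review bot: In `main`, `untrustedInput := "referrer"` turns the value into a string constant, so the variable name and the `// bad as input is directly passed to dial function` comment no longer describe the code: nothing request-derived reaches `websocket.Dial` or the other dial calls. If this test is only meant to check which argument each dial function treats as the URL (the updated .expected rows pair each call with that argument), a comment like `// stand-in for request-derived data; this test only checks the modelled URL argument` would make that explicit. If a real source is wanted, moving the body into `func test(r *http.Request)` and keeping `r.Referer()` and `r.Header` would presumably also clear the frontend error; whether `net/http` is imported is not visible in the hunk. The body of `main` runs on past this hunk into the one at line 41.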
diff --git a/ql/src/semmle/go/security/AllocationSizeOverflowCustomizations.qll b/ql/src/semmle/go/security/AllocationSizeOverflowCustomizations.qll index dd4502e059a..0dbc26bd70e 100644 --- a/ql/src/semmle/go/security/AllocationSizeOverflowCustomizations.qll +++ b/ql/src/semmle/go/security/AllocationSizeOverflowCustomizations.qll @@ -51,9 +51,7 @@ module AllocationSizeOverflow { exists(MarshalingFunction marshal, DataFlow::CallNode call | call = marshal.getACall() and // rule out cases where we can tell that the result will always be small - exists(FunctionInput inp | inp = marshal.getAnInput() | - isBig(inp.getNode(call).asExpr()) - ) and + exists(FunctionInput inp | inp = marshal.getAnInput() | isBig(inp.getNode(call).asExpr())) and this = marshal.getOutput().getNode(call) ) } From 4a5b29e78fc84ecd8b4fb0a6f1b6baa509d54089 Mon Sep 17 00:00:00 2001 From: Max Schaefer Date: Wed, 20 May 2020 14:37:38 +0100 Subject: [PATCH 5/5] Add a missing qldoc comment. --- ql/src/semmle/go/frameworks/Stdlib.qll | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/src/semmle/go/frameworks/Stdlib.qll b/ql/src/semmle/go/frameworks/Stdlib.qll index ed386711767..709e9c838e7 100644 --- a/ql/src/semmle/go/frameworks/Stdlib.qll +++ b/ql/src/semmle/go/frameworks/Stdlib.qll @@ -791,6 +791,7 @@ module Log { /** Provides models of some functions in the `encoding/json` package. */ module EncodingJson { + /** The `Marshal` or `MarshalIndent` function in the `encoding/json` package. */ class MarshalFunction extends TaintTracking::FunctionModel, MarshalingFunction::Range { MarshalFunction() { this.hasQualifiedName("encoding/json", "Marshal") or