Convert XPath injection sinks to MaD

go/ql/lib/ext/github.com.antchfx.htmlquery.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/antchfx/htmlquery", "", True, "Find", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/htmlquery", "", True, "FindOne", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/htmlquery", "", True, "Query", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/htmlquery", "", True, "QueryAll", "", "", "Argument[1]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.antchfx.jsonquery.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/antchfx/jsonquery", "", True, "Find", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/jsonquery", "", True, "FindOne", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/jsonquery", "", True, "Query", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/jsonquery", "", True, "QueryAll", "", "", "Argument[1]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.antchfx.xmlquery.model.yml

@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/antchfx/xmlquery", "", True, "Find", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xmlquery", "", True, "FindOne", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xmlquery", "", True, "FindEach", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xmlquery", "", True, "FindEachWithBreak", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xmlquery", "", True, "Query", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xmlquery", "", True, "QueryAll", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xmlquery", "Node", True, "SelectElement", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xmlquery", "Node", True, "SelectElements", "", "", "Argument[0]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.antchfx.xpath.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/antchfx/xpath", "", True, "Compile", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xpath", "", True, "CompileWithNS", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xpath", "", True, "MustCompile", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xpath", "", True, "Select", "", "", "Argument[1]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.christrenkamp.goxpath.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/ChrisTrenkamp/goxpath", "", True, "MustParse", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/ChrisTrenkamp/goxpath", "", True, "Parse", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/ChrisTrenkamp/goxpath", "", True, "ParseExec", "", "", "Argument[0]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.go-xmlpath.xmlpath.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/go-xmlpath/xmlpath", "", True, "Compile", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/go-xmlpath/xmlpath", "", True, "MustCompile", "", "", "Argument[0]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.jbowtie.gokogiri.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/jbowtie/gokogiri/xpath", "", True, "Compile", "", "", "Argument[0]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.jbowtie.gokogiri.xml.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/jbowtie/gokogiri/xml", "Node", True, "Search", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/jbowtie/gokogiri/xml", "Node", True, "SearchWithVariables", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/jbowtie/gokogiri/xml", "Node", True, "EvalXPath", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/jbowtie/gokogiri/xml", "Node", True, "EvalXPathAsBoolean", "", "", "Argument[0]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.lestrrat-go.libxml2.parser.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/lestrrat-go/libxml2/parser", "Parser", True, "Parse", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/lestrrat-go/libxml2/parser", "Parser", True, "ParseReader", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/lestrrat-go/libxml2/parser", "Parser", True, "ParseString", "", "", "Argument[0]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.santhosh-tekuri.xpathparser.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/santhosh-tekuri/xpathparser", "", True, "Parse", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/santhosh-tekuri/xpathparser", "", True, "MustParse", "", "", "Argument[0]", "xpath-injection", "manual"]

go/ql/lib/semmle/go/frameworks/XPath.qll

@@ -3,6 +3,7 @@
  */
 
 import go
+import semmle.go.dataflow.ExternalFlow
 
 /** Provides classes for working with XPath-related APIs. */
 module XPath {
@@ -24,186 +25,24 @@ module XPath {
      */
     abstract class Range extends DataFlow::Node { }
 
-    /**
-     * An XPath expression string used in an API function of the
-     * [XPath](https://github.com/antchfx/xpath) package.
-     */
-    private class AntchfxXpathXPathExpressionString extends Range {
-      AntchfxXpathXPathExpressionString() {
-        exists(Function f, string name | name.matches("Compile%") |
-          f.hasQualifiedName(package("github.com/antchfx/xpath", ""), name) and
-          this = f.getACall().getArgument(0)
-        )
-        or
-        exists(Function f, string name | name.matches("MustCompile%") |
-          f.hasQualifiedName(package("github.com/antchfx/xpath", ""), name) and
-          this = f.getACall().getArgument(0)
-        )
-        or
-        exists(Function f, string name | name.matches("Select%") |
-          f.hasQualifiedName(package("github.com/antchfx/xpath", ""), name) and
-          this = f.getACall().getArgument(1)
-        )
-      }
-    }
-
-    /**
-     * An XPath expression string used in an API function of the
-     * [htmlquery](https://github.com/antchfx/htmlquery) package.
-     */
-    private class AntchfxHtmlqueryXPathExpressionString extends Range {
-      AntchfxHtmlqueryXPathExpressionString() {
-        exists(Function f, string name | name.matches("Find%") |
-          f.hasQualifiedName(package("github.com/antchfx/htmlquery", ""), name) and
-          this = f.getACall().getArgument(1)
-        )
-        or
-        exists(Function f, string name | name.matches("Query%") |
-          f.hasQualifiedName(package("github.com/antchfx/htmlquery", ""), name) and
-          this = f.getACall().getArgument(1)
-        )
-      }
-    }
-
-    /**
-     * An XPath expression string used in an API function of the
-     * [xmlquery](https://github.com/antchfx/xmlquery) package.
-     */
-    private class AntchfxXmlqueryXPathExpressionString extends Range {
-      AntchfxXmlqueryXPathExpressionString() {
-        exists(Function f, string name | name.matches("Find%") |
-          f.hasQualifiedName(package("github.com/antchfx/xmlquery", ""), name) and
-          this = f.getACall().getArgument(1)
-        )
-        or
-        exists(Function f, string name | name.matches("Query%") |
-          f.hasQualifiedName(package("github.com/antchfx/xmlquery", ""), name) and
-          this = f.getACall().getArgument(1)
-        )
-        or
-        exists(Method m, string name | name.matches("Select%") |
-          m.hasQualifiedName(package("github.com/antchfx/xmlquery", ""), "Node", name) and
-          this = m.getACall().getArgument(0)
-        )
-      }
-    }
-
-    /**
-     * An XPath expression string used in an API function of the
-     * [jsonquery](https://github.com/antchfx/jsonquery) package.
-     */
-    private class AntchfxJsonqueryXPathExpressionString extends Range {
-      AntchfxJsonqueryXPathExpressionString() {
-        exists(Function f, string name | name.matches("Find%") |
-          f.hasQualifiedName(package("github.com/antchfx/jsonquery", ""), name) and
-          this = f.getACall().getArgument(1)
-        )
-        or
-        exists(Function f, string name | name.matches("Query%") |
-          f.hasQualifiedName(package("github.com/antchfx/jsonquery", ""), name) and
-          this = f.getACall().getArgument(1)
-        )
-      }
-    }
-
-    /**
-     * An XPath expression string used in an API function of the
-     * [xmlpath](https://github.com/go-xmlpath/xmlpath) package.
-     */
-    private class GoXmlpathXmlpathXPathExpressionString extends Range {
-      GoXmlpathXmlpathXPathExpressionString() {
-        exists(Function f, string name | name.matches("Compile%") |
-          f.hasQualifiedName(XmlPath::packagePath(), name) and
-          this = f.getACall().getArgument(0)
-        )
-        or
-        exists(Function f, string name | name.matches("MustCompile%") |
-          f.hasQualifiedName(XmlPath::packagePath(), name) and
-          this = f.getACall().getArgument(0)
-        )
-      }
-    }
-
-    /**
-     * An XPath expression string used in an API function of the
-     * [goxpath](https://github.com/ChrisTrenkamp/goxpath) package.
-     */
-    private class ChrisTrenkampGoxpathXPathExpressionString extends Range {
-      ChrisTrenkampGoxpathXPathExpressionString() {
-        exists(Function f, string name | name.matches("Parse%") |
-          f.hasQualifiedName(package("github.com/ChrisTrenkamp/goxpath", ""), name) and
-          this = f.getACall().getArgument(0)
-        )
-        or
-        exists(Function f, string name | name.matches("MustParse%") |
-          f.hasQualifiedName(package("github.com/ChrisTrenkamp/goxpath", ""), name) and
-          this = f.getACall().getArgument(0)
-        )
-      }
-    }
-
-    /**
-     * An XPath expression string used in an API function of the
-     * [lestrrat-go/libxml2](https://github.com/lestrrat-go/libxml2) package.
-     */
-    private class LestratGoLibxml2XPathExpressionString extends Range {
-      LestratGoLibxml2XPathExpressionString() {
-        exists(Method m, string name | name.matches("Parse%") |
-          m.hasQualifiedName(package("github.com/lestrrat-go/libxml2", "parser"), "Parser", name) and
-          this = m.getACall().getArgument(0)
-        )
-      }
-    }
-
-    /**
-     * An XPath expression string used in an API function of the
-     * [xpathparser](https://github.com/santhosh-tekuri/xpathparser) package.
-     */
-    private class SanthoshTekuriXpathparserXPathExpressionString extends Range {
-      SanthoshTekuriXpathparserXPathExpressionString() {
-        exists(Function f, string name | name.matches("Parse%") |
-          f.hasQualifiedName(package("github.com/santhosh-tekuri/xpathparser", ""), name) and
-          this = f.getACall().getArgument(0)
-        )
-        or
-        exists(Function f, string name | name.matches("MustParse%") |
-          f.hasQualifiedName(package("github.com/santhosh-tekuri/xpathparser", ""), name) and
-          this = f.getACall().getArgument(0)
-        )
-      }
-    }
-
-    /**
-     * An XPath expression string used in an API function of the
-     * [gokogiri]https://github.com/jbowtie/gokogiri) package.
-     */
-    private class JbowtieGokogiriXPathExpressionString extends Range {
-      JbowtieGokogiriXPathExpressionString() {
-        exists(Function f, string name | name.matches("Compile%") |
-          f.hasQualifiedName(package("github.com/jbowtie/gokogiri", "xpath"), name) and
-          this = f.getACall().getArgument(0)
-        )
-        or
-        exists(Method m, string name | name.matches("Search%") |
-          m.hasQualifiedName(package("github.com/jbowtie/gokogiri", "xml"), "Node", name) and
-          this = m.getACall().getArgument(0)
-        )
-        or
-        exists(Method m, string name | name.matches("EvalXPath%") |
-          m.hasQualifiedName(package("github.com/jbowtie/gokogiri", "xml"), "Node", name) and
-          this = m.getACall().getArgument(0)
-        )
-      }
+    private class DefaultXPathExpressionString extends Range {
+      DefaultXPathExpressionString() { sinkNode(this, "xpath-injection") }
     }
   }
 }
 
 /**
+ * DEPRECATED
+ *
  * Provides classes for working with the [xmlpath](https://gopkg.in/xmlpath.v2) package.
  */
-module XmlPath {
-  /** Gets the package name `github.com/go-xmlpath/xmlpath` or `gopkg.in/xmlpath`. */
-  string packagePath() {
+deprecated module XmlPath {
+  /**
+   * DEPRECATED
+   *
+   * Gets the package name `github.com/go-xmlpath/xmlpath` or `gopkg.in/xmlpath`.
+   */
+  deprecated string packagePath() {
     result = package(["github.com/go-xmlpath/xmlpath", "gopkg.in/xmlpath"], "")
   }
 }

go/ql/test/query-tests/Security/CWE-643/XPathInjection.expected

@@ -1,61 +1,61 @@
 edges
-| XPathInjection.go:13:14:13:19 | selection of Form | XPathInjection.go:13:14:13:35 | call to Get | provenance | Src:MaD:830 MaD:903 |
-| XPathInjection.go:13:14:13:35 | call to Get | XPathInjection.go:16:29:16:91 | ...+... | provenance |  |
-| tst.go:35:14:35:19 | selection of Form | tst.go:35:14:35:35 | call to Get | provenance | Src:MaD:830 MaD:903 |
-| tst.go:35:14:35:35 | call to Get | tst.go:38:23:38:85 | ...+... | provenance |  |
-| tst.go:35:14:35:35 | call to Get | tst.go:39:29:39:87 | ...+... | provenance |  |
-| tst.go:35:14:35:35 | call to Get | tst.go:40:24:40:86 | ...+... | provenance |  |
-| tst.go:35:14:35:35 | call to Get | tst.go:41:24:41:82 | ...+... | provenance |  |
-| tst.go:46:14:46:19 | selection of Form | tst.go:46:14:46:35 | call to Get | provenance | Src:MaD:830 MaD:903 |
-| tst.go:46:14:46:35 | call to Get | tst.go:49:26:49:84 | ...+... | provenance |  |
-| tst.go:46:14:46:35 | call to Get | tst.go:50:29:50:87 | ...+... | provenance |  |
-| tst.go:46:14:46:35 | call to Get | tst.go:51:30:51:88 | ...+... | provenance |  |
-| tst.go:46:14:46:35 | call to Get | tst.go:52:33:52:91 | ...+... | provenance |  |
-| tst.go:57:14:57:19 | selection of Form | tst.go:57:14:57:35 | call to Get | provenance | Src:MaD:830 MaD:903 |
-| tst.go:57:14:57:35 | call to Get | tst.go:60:25:60:83 | ...+... | provenance |  |
-| tst.go:57:14:57:35 | call to Get | tst.go:61:28:61:86 | ...+... | provenance |  |
-| tst.go:57:14:57:35 | call to Get | tst.go:62:25:62:83 | ...+... | provenance |  |
-| tst.go:57:14:57:35 | call to Get | tst.go:63:34:63:92 | ...+... | provenance |  |
-| tst.go:57:14:57:35 | call to Get | tst.go:64:29:64:87 | ...+... | provenance |  |
-| tst.go:57:14:57:35 | call to Get | tst.go:65:32:65:90 | ...+... | provenance |  |
-| tst.go:57:14:57:35 | call to Get | tst.go:66:23:66:85 | ...+... | provenance |  |
-| tst.go:57:14:57:35 | call to Get | tst.go:67:22:67:84 | ...+... | provenance |  |
-| tst.go:72:14:72:19 | selection of Form | tst.go:72:14:72:35 | call to Get | provenance | Src:MaD:830 MaD:903 |
-| tst.go:72:14:72:35 | call to Get | tst.go:75:26:75:84 | ...+... | provenance |  |
-| tst.go:72:14:72:35 | call to Get | tst.go:76:29:76:87 | ...+... | provenance |  |
-| tst.go:72:14:72:35 | call to Get | tst.go:77:30:77:88 | ...+... | provenance |  |
-| tst.go:72:14:72:35 | call to Get | tst.go:78:33:78:91 | ...+... | provenance |  |
-| tst.go:83:14:83:19 | selection of Form | tst.go:83:14:83:35 | call to Get | provenance | Src:MaD:830 MaD:903 |
-| tst.go:83:14:83:35 | call to Get | tst.go:86:25:86:87 | ...+... | provenance |  |
-| tst.go:83:14:83:35 | call to Get | tst.go:87:26:87:88 | ...+... | provenance |  |
-| tst.go:92:14:92:19 | selection of Form | tst.go:92:14:92:35 | call to Get | provenance | Src:MaD:830 MaD:903 |
-| tst.go:92:14:92:35 | call to Get | tst.go:96:23:96:126 | ...+... | provenance |  |
-| tst.go:92:14:92:35 | call to Get | tst.go:97:24:97:127 | ...+... | provenance |  |
-| tst.go:92:14:92:35 | call to Get | tst.go:98:27:98:122 | ...+... | provenance |  |
-| tst.go:93:14:93:19 | selection of Form | tst.go:93:14:93:35 | call to Get | provenance | Src:MaD:830 MaD:903 |
-| tst.go:93:14:93:35 | call to Get | tst.go:96:23:96:126 | ...+... | provenance |  |
-| tst.go:93:14:93:35 | call to Get | tst.go:97:24:97:127 | ...+... | provenance |  |
-| tst.go:93:14:93:35 | call to Get | tst.go:98:27:98:122 | ...+... | provenance |  |
-| tst.go:106:14:106:19 | selection of Form | tst.go:106:14:106:35 | call to Get | provenance | Src:MaD:830 MaD:903 |
-| tst.go:106:14:106:35 | call to Get | tst.go:109:27:109:89 | ...+... | provenance |  |
-| tst.go:106:14:106:35 | call to Get | tst.go:110:28:110:90 | ...+... | provenance |  |
-| tst.go:115:14:115:19 | selection of Form | tst.go:115:14:115:35 | call to Get | provenance | Src:MaD:830 MaD:903 |
-| tst.go:115:14:115:35 | call to Get | tst.go:119:33:119:136 | ...+... | provenance |  |
-| tst.go:115:14:115:35 | call to Get | tst.go:120:18:120:121 | ...+... | provenance |  |
-| tst.go:115:14:115:35 | call to Get | tst.go:121:31:121:126 | ...+... | provenance |  |
-| tst.go:115:14:115:35 | call to Get | tst.go:122:21:122:116 | ...+... | provenance |  |
-| tst.go:115:14:115:35 | call to Get | tst.go:123:27:123:122 | ...+... | provenance |  |
-| tst.go:116:14:116:19 | selection of Form | tst.go:116:14:116:35 | call to Get | provenance | Src:MaD:830 MaD:903 |
-| tst.go:116:14:116:35 | call to Get | tst.go:119:33:119:136 | ...+... | provenance |  |
-| tst.go:116:14:116:35 | call to Get | tst.go:120:18:120:121 | ...+... | provenance |  |
-| tst.go:116:14:116:35 | call to Get | tst.go:121:31:121:126 | ...+... | provenance |  |
-| tst.go:116:14:116:35 | call to Get | tst.go:122:21:122:116 | ...+... | provenance |  |
-| tst.go:116:14:116:35 | call to Get | tst.go:123:27:123:122 | ...+... | provenance |  |
-| tst.go:139:14:139:19 | selection of Form | tst.go:139:14:139:35 | call to Get | provenance | Src:MaD:830 MaD:903 |
-| tst.go:139:14:139:35 | call to Get | tst.go:144:17:144:87 | type conversion | provenance |  |
+| XPathInjection.go:13:14:13:19 | selection of Form | XPathInjection.go:13:14:13:35 | call to Get | provenance | Src:MaD:865 MaD:938 |
+| XPathInjection.go:13:14:13:35 | call to Get | XPathInjection.go:16:29:16:91 | ...+... | provenance |  Sink:MaD:322 |
+| tst.go:35:14:35:19 | selection of Form | tst.go:35:14:35:35 | call to Get | provenance | Src:MaD:865 MaD:938 |
+| tst.go:35:14:35:35 | call to Get | tst.go:38:23:38:85 | ...+... | provenance |  Sink:MaD:266 |
+| tst.go:35:14:35:35 | call to Get | tst.go:39:29:39:87 | ...+... | provenance |  Sink:MaD:267 |
+| tst.go:35:14:35:35 | call to Get | tst.go:40:24:40:86 | ...+... | provenance |  Sink:MaD:268 |
+| tst.go:35:14:35:35 | call to Get | tst.go:41:24:41:82 | ...+... | provenance |  Sink:MaD:269 |
+| tst.go:46:14:46:19 | selection of Form | tst.go:46:14:46:35 | call to Get | provenance | Src:MaD:865 MaD:938 |
+| tst.go:46:14:46:35 | call to Get | tst.go:49:26:49:84 | ...+... | provenance |  Sink:MaD:250 |
+| tst.go:46:14:46:35 | call to Get | tst.go:50:29:50:87 | ...+... | provenance |  Sink:MaD:251 |
+| tst.go:46:14:46:35 | call to Get | tst.go:51:30:51:88 | ...+... | provenance |  Sink:MaD:252 |
+| tst.go:46:14:46:35 | call to Get | tst.go:52:33:52:91 | ...+... | provenance |  Sink:MaD:253 |
+| tst.go:57:14:57:19 | selection of Form | tst.go:57:14:57:35 | call to Get | provenance | Src:MaD:865 MaD:938 |
+| tst.go:57:14:57:35 | call to Get | tst.go:60:25:60:83 | ...+... | provenance |  Sink:MaD:258 |
+| tst.go:57:14:57:35 | call to Get | tst.go:61:28:61:86 | ...+... | provenance |  Sink:MaD:259 |
+| tst.go:57:14:57:35 | call to Get | tst.go:62:25:62:83 | ...+... | provenance |  Sink:MaD:260 |
+| tst.go:57:14:57:35 | call to Get | tst.go:63:34:63:92 | ...+... | provenance |  Sink:MaD:261 |
+| tst.go:57:14:57:35 | call to Get | tst.go:64:29:64:87 | ...+... | provenance |  Sink:MaD:262 |
+| tst.go:57:14:57:35 | call to Get | tst.go:65:32:65:90 | ...+... | provenance |  Sink:MaD:263 |
+| tst.go:57:14:57:35 | call to Get | tst.go:66:23:66:85 | ...+... | provenance |  Sink:MaD:265 |
+| tst.go:57:14:57:35 | call to Get | tst.go:67:22:67:84 | ...+... | provenance |  Sink:MaD:264 |
+| tst.go:72:14:72:19 | selection of Form | tst.go:72:14:72:35 | call to Get | provenance | Src:MaD:865 MaD:938 |
+| tst.go:72:14:72:35 | call to Get | tst.go:75:26:75:84 | ...+... | provenance |  Sink:MaD:254 |
+| tst.go:72:14:72:35 | call to Get | tst.go:76:29:76:87 | ...+... | provenance |  Sink:MaD:255 |
+| tst.go:72:14:72:35 | call to Get | tst.go:77:30:77:88 | ...+... | provenance |  Sink:MaD:256 |
+| tst.go:72:14:72:35 | call to Get | tst.go:78:33:78:91 | ...+... | provenance |  Sink:MaD:257 |
+| tst.go:83:14:83:19 | selection of Form | tst.go:83:14:83:35 | call to Get | provenance | Src:MaD:865 MaD:938 |
+| tst.go:83:14:83:35 | call to Get | tst.go:86:25:86:87 | ...+... | provenance |  Sink:MaD:456 |
+| tst.go:83:14:83:35 | call to Get | tst.go:87:26:87:88 | ...+... | provenance |  Sink:MaD:457 |
+| tst.go:92:14:92:19 | selection of Form | tst.go:92:14:92:35 | call to Get | provenance | Src:MaD:865 MaD:938 |
+| tst.go:92:14:92:35 | call to Get | tst.go:96:23:96:126 | ...+... | provenance |  Sink:MaD:323 |
+| tst.go:92:14:92:35 | call to Get | tst.go:97:24:97:127 | ...+... | provenance |  Sink:MaD:322 |
+| tst.go:92:14:92:35 | call to Get | tst.go:98:27:98:122 | ...+... | provenance |  Sink:MaD:324 |
+| tst.go:93:14:93:19 | selection of Form | tst.go:93:14:93:35 | call to Get | provenance | Src:MaD:865 MaD:938 |
+| tst.go:93:14:93:35 | call to Get | tst.go:96:23:96:126 | ...+... | provenance |  Sink:MaD:323 |
+| tst.go:93:14:93:35 | call to Get | tst.go:97:24:97:127 | ...+... | provenance |  Sink:MaD:322 |
+| tst.go:93:14:93:35 | call to Get | tst.go:98:27:98:122 | ...+... | provenance |  Sink:MaD:324 |
+| tst.go:106:14:106:19 | selection of Form | tst.go:106:14:106:35 | call to Get | provenance | Src:MaD:865 MaD:938 |
+| tst.go:106:14:106:35 | call to Get | tst.go:109:27:109:89 | ...+... | provenance |  Sink:MaD:556 |
+| tst.go:106:14:106:35 | call to Get | tst.go:110:28:110:90 | ...+... | provenance |  Sink:MaD:557 |
+| tst.go:115:14:115:19 | selection of Form | tst.go:115:14:115:35 | call to Get | provenance | Src:MaD:865 MaD:938 |
+| tst.go:115:14:115:35 | call to Get | tst.go:119:33:119:136 | ...+... | provenance |  Sink:MaD:483 |
+| tst.go:115:14:115:35 | call to Get | tst.go:120:18:120:121 | ...+... | provenance |  Sink:MaD:484 |
+| tst.go:115:14:115:35 | call to Get | tst.go:121:31:121:126 | ...+... | provenance |  Sink:MaD:485 |
+| tst.go:115:14:115:35 | call to Get | tst.go:122:21:122:116 | ...+... | provenance |  Sink:MaD:486 |
+| tst.go:115:14:115:35 | call to Get | tst.go:123:27:123:122 | ...+... | provenance |  Sink:MaD:487 |
+| tst.go:116:14:116:19 | selection of Form | tst.go:116:14:116:35 | call to Get | provenance | Src:MaD:865 MaD:938 |
+| tst.go:116:14:116:35 | call to Get | tst.go:119:33:119:136 | ...+... | provenance |  Sink:MaD:483 |
+| tst.go:116:14:116:35 | call to Get | tst.go:120:18:120:121 | ...+... | provenance |  Sink:MaD:484 |
+| tst.go:116:14:116:35 | call to Get | tst.go:121:31:121:126 | ...+... | provenance |  Sink:MaD:485 |
+| tst.go:116:14:116:35 | call to Get | tst.go:122:21:122:116 | ...+... | provenance |  Sink:MaD:486 |
+| tst.go:116:14:116:35 | call to Get | tst.go:123:27:123:122 | ...+... | provenance |  Sink:MaD:487 |
+| tst.go:139:14:139:19 | selection of Form | tst.go:139:14:139:35 | call to Get | provenance | Src:MaD:865 MaD:938 |
+| tst.go:139:14:139:35 | call to Get | tst.go:144:17:144:87 | type conversion | provenance |  Sink:MaD:515 |
 | tst.go:139:14:139:35 | call to Get | tst.go:145:41:145:103 | ...+... | provenance |  |
-| tst.go:139:14:139:35 | call to Get | tst.go:146:23:146:85 | ...+... | provenance |  |
-| tst.go:145:41:145:103 | ...+... | tst.go:145:23:145:104 | call to NewReader | provenance | MaD:999 |
+| tst.go:139:14:139:35 | call to Get | tst.go:146:23:146:85 | ...+... | provenance |  Sink:MaD:517 |
+| tst.go:145:41:145:103 | ...+... | tst.go:145:23:145:104 | call to NewReader | provenance | MaD:1034 Sink:MaD:516 |
 nodes
 | XPathInjection.go:13:14:13:19 | selection of Form | semmle.label | selection of Form |
 | XPathInjection.go:13:14:13:35 | call to Get | semmle.label | call to Get |