Don't flag header injection as XSS.

All results I have seen from this are uninteresting.
2026-05-03 12:45:27 +02:00 · 2019-11-25 13:06:39 +00:00
parent b21e4404b5
commit adf9764085
3 changed files with 3 additions and 5 deletions
--- a/change-notes/1.24/analysis-go.md
+++ b/change-notes/1.24/analysis-go.md
@@ -10,3 +10,4 @@

 | **Query**                                           | **Expected impact**          | **Change**                                                |
 |-----------------------------------------------------|------------------------------|-----------------------------------------------------------|
+| Reflected cross-site scripting (`go/reflected-xss`) | Fewer results | Untrusted input flowing into an HTTP header definition is no longer flagged, since this is often harmless. |
--- a/ql/src/semmle/go/security/ReflectedXssCustomizations.qll
+++ b/ql/src/semmle/go/security/ReflectedXssCustomizations.qll
@@ -51,11 +51,6 @@ module ReflectedXss {
    )
  }

-  /**
-   * An expression that is sent as part of an HTTP header, considered as an XSS sink.
-   */
-  class HttpResponseHeaderSink extends Sink, HTTP::Header { }
-
  /**
   * A third-party controllable input, considered as a flow source for reflected XSS.
   */
--- a/ql/test/query-tests/Security/CWE-079/contenttype.go
+++ b/ql/test/query-tests/Security/CWE-079/contenttype.go
@@ -26,6 +26,8 @@ func serve3() {
 		w.Header().Set("Content-Type", "text/plain")

 		w.Write([]byte(data)) // OK; no script can be executed from a `text/plain` context.
+
+		w.Header().Set("X-My-Custom-Header", data) // OK; injecting headers is not usually dangerous
 	})
 	http.ListenAndServe(":80", nil)
 }