From c7b16a043e78ed2696fc7400096fee3aa2f87df8 Mon Sep 17 00:00:00 2001
From: Joe Farebrother <joefarebrother@github.com>
Date: Wed, 19 Nov 2025 06:01:30 +0000
Subject: [PATCH] Address reviews - update comments, remove unneeded stubs

---
 go/ql/lib/semmle/go/concepts/HTTP.qll         |  8 +-
 .../go/security/CookieWithoutHttpOnly.qll     |  2 +-
 .../go/security/CookieWithoutSecure.qll       |  2 +-
 .../github.com/gorilla/sessions/stub.go       | 75 -------------------
 .../Security/CWE-1004/vendor/modules.txt      |  3 -
 .../github.com/gorilla/sessions/stub.go       | 75 -------------------
 .../Security/CWE-614/vendor/modules.txt       |  3 -
 7 files changed, 6 insertions(+), 162 deletions(-)
 delete mode 100644 go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go
 delete mode 100644 go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go

diff --git a/go/ql/lib/semmle/go/concepts/HTTP.qll b/go/ql/lib/semmle/go/concepts/HTTP.qll
index 12ec551696a..479cc19bfcc 100644
--- a/go/ql/lib/semmle/go/concepts/HTTP.qll
+++ b/go/ql/lib/semmle/go/concepts/HTTP.qll
@@ -427,10 +427,10 @@ module Http {
   /** Provides a class for modeling the new APIs for writes to options of an HTTP cookie. */
   module CookieOptionWrite {
     /**
-     * A write to an HTTP cookie object.
+     * A write to an option of an HTTP cookie object.
      *
      * Extend this class to model new APIs. If you want to refine existing API models,
-     * extend `HTTP::CookieOptions` instead.
+     * extend `HTTP::CookieOptionWrite` instead.
      */
     abstract class Range extends DataFlow::Node {
       /** Gets the node representing the cookie object for the options being set. */
@@ -451,10 +451,10 @@ module Http {
   }
 
   /**
-   * A write to an HTTP cookie object.
+   * A write to an option of an HTTP cookie object.
    *
    * Extend this class to refine existing API models. If you want to model new APIs,
-   * extend `HTTP::CookieOptions::Range` instead.
+   * extend `HTTP::CookieOptionWrite::Range` instead.
    */
   class CookieOptionWrite extends DataFlow::Node instanceof CookieOptionWrite::Range {
     /** Gets the node representing the cookie object for the options being set. */
diff --git a/go/ql/lib/semmle/go/security/CookieWithoutHttpOnly.qll b/go/ql/lib/semmle/go/security/CookieWithoutHttpOnly.qll
index 915a58ef369..8eed50b8791 100644
--- a/go/ql/lib/semmle/go/security/CookieWithoutHttpOnly.qll
+++ b/go/ql/lib/semmle/go/security/CookieWithoutHttpOnly.qll
@@ -48,7 +48,7 @@ module BooleanCookieHttpOnlyFlow = TaintTracking::Global<BooleanCookieHttpOnlyCo
 
 /** Holds if `cw` has the `HttpOnly` attribute left at its default value of `false`. */
 predicate isNonHttpOnlyDefault(Http::CookieWrite cw) {
-  not BooleanCookieHttpOnlyFlow::flow(_, cw.getHttpOnly())
+  not BooleanCookieHttpOnlyFlow::flowTo(cw.getHttpOnly())
 }
 
 /** Holds if `cw` has the `HttpOnly` attribute explicitly set to `false`, from the expression `boolFalse`. */
diff --git a/go/ql/lib/semmle/go/security/CookieWithoutSecure.qll b/go/ql/lib/semmle/go/security/CookieWithoutSecure.qll
index 86d65ca5c0f..1ba5315bf8b 100644
--- a/go/ql/lib/semmle/go/security/CookieWithoutSecure.qll
+++ b/go/ql/lib/semmle/go/security/CookieWithoutSecure.qll
@@ -21,7 +21,7 @@ module BooleanCookieSecureFlow = TaintTracking::Global<BooleanCookieSecureConfig
 
 /** Holds if `cw` has the `Secure` attribute left at its default value of `false`. */
 predicate isInsecureDefault(Http::CookieWrite cw) {
-  not BooleanCookieSecureFlow::flow(_, cw.getSecure())
+  not BooleanCookieSecureFlow::flowTo(cw.getSecure())
 }
 
 /** Holds if `cw` has the `Secure` attribute explicitly set to `false`, from the expression `boolFalse`. */
diff --git a/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go
deleted file mode 100644
index 2ebc3858163..00000000000
--- a/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go
+++ /dev/null
@@ -1,75 +0,0 @@
-// Code generated by depstubber. DO NOT EDIT.
-// This is a simple stub for github.com/gorilla/sessions, strictly for use in testing.
-
-// See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/gorilla/sessions (exports: CookieStore; functions: NewCookieStore)
-
-// Package sessions is a stub of github.com/gorilla/sessions, generated by depstubber.
-package sessions
-
-import (
-	http "net/http"
-)
-
-type CookieStore struct {
-	Codecs  []interface{}
-	Options *Options
-}
-
-func (_ *CookieStore) Get(_ *http.Request, _ string) (*Session, error) {
-	return nil, nil
-}
-
-func (_ *CookieStore) MaxAge(_ int) {}
-
-func (_ *CookieStore) New(_ *http.Request, _ string) (*Session, error) {
-	return nil, nil
-}
-
-func (_ *CookieStore) Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error {
-	return nil
-}
-
-func NewCookieStore(_ ...[]byte) *CookieStore {
-	return nil
-}
-
-type Options struct {
-	Path     string
-	Domain   string
-	MaxAge   int
-	Secure   bool
-	HttpOnly bool
-	SameSite http.SameSite
-}
-
-type Session struct {
-	ID      string
-	Values  map[interface{}]interface{}
-	Options *Options
-	IsNew   bool
-}
-
-func (_ *Session) AddFlash(_ interface{}, _ ...string) {}
-
-func (_ *Session) Flashes(_ ...string) []interface{} {
-	return nil
-}
-
-func (_ *Session) Name() string {
-	return ""
-}
-
-func (_ *Session) Save(_ *http.Request, _ http.ResponseWriter) error {
-	return nil
-}
-
-func (_ *Session) Store() Store {
-	return nil
-}
-
-type Store interface {
-	Get(_ *http.Request, _ string) (*Session, error)
-	New(_ *http.Request, _ string) (*Session, error)
-	Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error
-}
diff --git a/go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt b/go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt
index f38695b1ffc..e80eedb5cae 100644
--- a/go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt
+++ b/go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt
@@ -1,6 +1,3 @@
 # github.com/gin-gonic/gin v1.7.1
 ## explicit
 github.com/gin-gonic/gin
-# github.com/gorilla/sessions v1.2.1
-## explicit
-github.com/gorilla/sessions
diff --git a/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go
deleted file mode 100644
index 2ebc3858163..00000000000
--- a/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go
+++ /dev/null
@@ -1,75 +0,0 @@
-// Code generated by depstubber. DO NOT EDIT.
-// This is a simple stub for github.com/gorilla/sessions, strictly for use in testing.
-
-// See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/gorilla/sessions (exports: CookieStore; functions: NewCookieStore)
-
-// Package sessions is a stub of github.com/gorilla/sessions, generated by depstubber.
-package sessions
-
-import (
-	http "net/http"
-)
-
-type CookieStore struct {
-	Codecs  []interface{}
-	Options *Options
-}
-
-func (_ *CookieStore) Get(_ *http.Request, _ string) (*Session, error) {
-	return nil, nil
-}
-
-func (_ *CookieStore) MaxAge(_ int) {}
-
-func (_ *CookieStore) New(_ *http.Request, _ string) (*Session, error) {
-	return nil, nil
-}
-
-func (_ *CookieStore) Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error {
-	return nil
-}
-
-func NewCookieStore(_ ...[]byte) *CookieStore {
-	return nil
-}
-
-type Options struct {
-	Path     string
-	Domain   string
-	MaxAge   int
-	Secure   bool
-	HttpOnly bool
-	SameSite http.SameSite
-}
-
-type Session struct {
-	ID      string
-	Values  map[interface{}]interface{}
-	Options *Options
-	IsNew   bool
-}
-
-func (_ *Session) AddFlash(_ interface{}, _ ...string) {}
-
-func (_ *Session) Flashes(_ ...string) []interface{} {
-	return nil
-}
-
-func (_ *Session) Name() string {
-	return ""
-}
-
-func (_ *Session) Save(_ *http.Request, _ http.ResponseWriter) error {
-	return nil
-}
-
-func (_ *Session) Store() Store {
-	return nil
-}
-
-type Store interface {
-	Get(_ *http.Request, _ string) (*Session, error)
-	New(_ *http.Request, _ string) (*Session, error)
-	Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error
-}
diff --git a/go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt b/go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt
index f38695b1ffc..e80eedb5cae 100644
--- a/go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt
+++ b/go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt
@@ -1,6 +1,3 @@
 # github.com/gin-gonic/gin v1.7.1
 ## explicit
 github.com/gin-gonic/gin
-# github.com/gorilla/sessions v1.2.1
-## explicit
-github.com/gorilla/sessions