Improve comments in test file

2025-12-16 16:53:25 +01:00 · 2025-10-01 11:00:09 +01:00
parent dd3f754cb3
commit c93852d87a
2 changed files with 106 additions and 110 deletions
--- a/go/ql/test/library-tests/semmle/go/security/SafeUrlFlow/SafeUrlFlow.expected
+++ b/go/ql/test/library-tests/semmle/go/security/SafeUrlFlow/SafeUrlFlow.expected
@@ -2,25 +2,26 @@
 | SafeUrlFlow.go:11:24:11:46 | ...+... | SafeUrlFlow.go:10:10:10:17 | selection of Host | SafeUrlFlow.go:11:24:11:46 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:10:10:10:17 | selection of Host | here |
 | SafeUrlFlow.go:14:29:14:44 | call to String | SafeUrlFlow.go:13:13:13:19 | selection of URL | SafeUrlFlow.go:14:29:14:44 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:13:13:13:19 | selection of URL | here |
 | SafeUrlFlow.go:18:11:18:28 | call to String | SafeUrlFlow.go:10:10:10:17 | selection of Host | SafeUrlFlow.go:18:11:18:28 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:10:10:10:17 | selection of Host | here |
-| SafeUrlFlow.go:49:24:49:57 | ...+... | SafeUrlFlow.go:39:13:39:19 | selection of URL | SafeUrlFlow.go:49:24:49:57 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:39:13:39:19 | selection of URL | here |
-| SafeUrlFlow.go:50:29:50:51 | ...+... | SafeUrlFlow.go:39:13:39:19 | selection of URL | SafeUrlFlow.go:50:29:50:51 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:39:13:39:19 | selection of URL | here |
-| SafeUrlFlow.go:51:11:51:38 | ...+... | SafeUrlFlow.go:39:13:39:19 | selection of URL | SafeUrlFlow.go:51:11:51:38 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:39:13:39:19 | selection of URL | here |
-| SafeUrlFlow.go:60:11:60:26 | call to String | SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:60:11:60:26 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:57:13:57:19 | selection of URL | here |
-| SafeUrlFlow.go:61:12:61:27 | call to String | SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:61:12:61:27 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:57:13:57:19 | selection of URL | here |
-| SafeUrlFlow.go:62:16:62:31 | call to String | SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:62:16:62:31 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:57:13:57:19 | selection of URL | here |
-| SafeUrlFlow.go:63:12:63:27 | call to String | SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:63:12:63:27 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:57:13:57:19 | selection of URL | here |
-| SafeUrlFlow.go:67:13:67:28 | call to String | SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:67:13:67:28 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:57:13:57:19 | selection of URL | here |
-| SafeUrlFlow.go:68:14:68:29 | call to String | SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:68:14:68:29 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:57:13:57:19 | selection of URL | here |
-| SafeUrlFlow.go:69:18:69:33 | call to String | SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:69:18:69:33 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:57:13:57:19 | selection of URL | here |
-| SafeUrlFlow.go:70:14:70:29 | call to String | SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:70:14:70:29 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:57:13:57:19 | selection of URL | here |
-| SafeUrlFlow.go:73:39:73:54 | call to String | SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:73:39:73:54 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:57:13:57:19 | selection of URL | here |
-| SafeUrlFlow.go:77:70:77:85 | call to String | SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:77:70:77:85 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:57:13:57:19 | selection of URL | here |
-| SafeUrlFlow.go:81:40:81:55 | call to String | SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:81:40:81:55 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:57:13:57:19 | selection of URL | here |
-| SafeUrlFlow.go:94:24:94:41 | call to String | SafeUrlFlow.go:87:14:87:21 | selection of Host | SafeUrlFlow.go:94:24:94:41 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:87:14:87:21 | selection of Host | here |
-| SafeUrlFlow.go:116:11:116:23 | reconstructed | SafeUrlFlow.go:106:13:106:19 | selection of URL | SafeUrlFlow.go:116:11:116:23 | reconstructed | A safe URL flows here from $@. | SafeUrlFlow.go:106:13:106:19 | selection of URL | here |
-| SafeUrlFlow.go:119:24:119:46 | ...+... | SafeUrlFlow.go:106:13:106:19 | selection of URL | SafeUrlFlow.go:119:24:119:46 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:106:13:106:19 | selection of URL | here |
-| SafeUrlFlow.go:120:29:120:54 | ...+... | SafeUrlFlow.go:106:13:106:19 | selection of URL | SafeUrlFlow.go:120:29:120:54 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:106:13:106:19 | selection of URL | here |
-| SafeUrlFlow.go:121:12:121:38 | ...+... | SafeUrlFlow.go:106:13:106:19 | selection of URL | SafeUrlFlow.go:121:12:121:38 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:106:13:106:19 | selection of URL | here |
+| SafeUrlFlow.go:47:24:47:57 | ...+... | SafeUrlFlow.go:37:13:37:19 | selection of URL | SafeUrlFlow.go:47:24:47:57 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:37:13:37:19 | selection of URL | here |
+| SafeUrlFlow.go:48:29:48:51 | ...+... | SafeUrlFlow.go:37:13:37:19 | selection of URL | SafeUrlFlow.go:48:29:48:51 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:37:13:37:19 | selection of URL | here |
+| SafeUrlFlow.go:49:11:49:38 | ...+... | SafeUrlFlow.go:37:13:37:19 | selection of URL | SafeUrlFlow.go:49:11:49:38 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:37:13:37:19 | selection of URL | here |
+| SafeUrlFlow.go:58:11:58:26 | call to String | SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:58:11:58:26 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:55:13:55:19 | selection of URL | here |
+| SafeUrlFlow.go:59:12:59:27 | call to String | SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:59:12:59:27 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:55:13:55:19 | selection of URL | here |
+| SafeUrlFlow.go:60:16:60:31 | call to String | SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:60:16:60:31 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:55:13:55:19 | selection of URL | here |
+| SafeUrlFlow.go:61:12:61:27 | call to String | SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:61:12:61:27 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:55:13:55:19 | selection of URL | here |
+| SafeUrlFlow.go:65:13:65:28 | call to String | SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:65:13:65:28 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:55:13:55:19 | selection of URL | here |
+| SafeUrlFlow.go:66:14:66:29 | call to String | SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:66:14:66:29 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:55:13:55:19 | selection of URL | here |
+| SafeUrlFlow.go:67:18:67:33 | call to String | SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:67:18:67:33 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:55:13:55:19 | selection of URL | here |
+| SafeUrlFlow.go:68:14:68:29 | call to String | SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:68:14:68:29 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:55:13:55:19 | selection of URL | here |
+| SafeUrlFlow.go:71:39:71:54 | call to String | SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:71:39:71:54 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:55:13:55:19 | selection of URL | here |
+| SafeUrlFlow.go:75:70:75:85 | call to String | SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:75:70:75:85 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:55:13:55:19 | selection of URL | here |
+| SafeUrlFlow.go:79:40:79:55 | call to String | SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:79:40:79:55 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:55:13:55:19 | selection of URL | here |
+| SafeUrlFlow.go:90:24:90:41 | call to String | SafeUrlFlow.go:85:10:85:17 | selection of Host | SafeUrlFlow.go:90:24:90:41 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:85:10:85:17 | selection of Host | here |
+| SafeUrlFlow.go:111:11:111:23 | reconstructed | SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:111:11:111:23 | reconstructed | A safe URL flows here from $@. | SafeUrlFlow.go:101:13:101:19 | selection of URL | here |
+| SafeUrlFlow.go:114:24:114:46 | ...+... | SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:114:24:114:46 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:101:13:101:19 | selection of URL | here |
+| SafeUrlFlow.go:115:29:115:54 | ...+... | SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:115:29:115:54 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:101:13:101:19 | selection of URL | here |
+| SafeUrlFlow.go:116:12:116:38 | ...+... | SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:116:12:116:38 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:101:13:101:19 | selection of URL | here |
+| SafeUrlFlow.go:117:12:117:21 | opaquePart | SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:117:12:117:21 | opaquePart | A safe URL flows here from $@. | SafeUrlFlow.go:101:13:101:19 | selection of URL | here |
 edges
 | SafeUrlFlow.go:10:10:10:17 | selection of Host | SafeUrlFlow.go:11:24:11:46 | ...+... | provenance | Sink:MaD:1 |
 | SafeUrlFlow.go:10:10:10:17 | selection of Host | SafeUrlFlow.go:17:19:17:22 | host | provenance |  |
@@ -28,38 +29,39 @@ edges
 | SafeUrlFlow.go:14:29:14:35 | baseURL | SafeUrlFlow.go:14:29:14:44 | call to String | provenance | MaD:3 |
 | SafeUrlFlow.go:17:19:17:22 | host | SafeUrlFlow.go:18:11:18:19 | targetURL | provenance | Config |
 | SafeUrlFlow.go:18:11:18:19 | targetURL | SafeUrlFlow.go:18:11:18:28 | call to String | provenance | MaD:3 |
-| SafeUrlFlow.go:39:13:39:19 | selection of URL | SafeUrlFlow.go:49:24:49:57 | ...+... | provenance | Src:MaD:2 Sink:MaD:1 |
-| SafeUrlFlow.go:39:13:39:19 | selection of URL | SafeUrlFlow.go:50:29:50:51 | ...+... | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:39:13:39:19 | selection of URL | SafeUrlFlow.go:51:11:51:38 | ...+... | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:60:11:60:17 | baseURL | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:61:12:61:18 | baseURL | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:62:16:62:22 | baseURL | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:63:12:63:18 | baseURL | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:67:13:67:19 | baseURL | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:68:14:68:20 | baseURL | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:69:18:69:24 | baseURL | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:70:14:70:20 | baseURL | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:73:39:73:45 | baseURL | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:77:70:77:76 | baseURL | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:57:13:57:19 | selection of URL | SafeUrlFlow.go:81:40:81:46 | baseURL | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:60:11:60:17 | baseURL | SafeUrlFlow.go:60:11:60:26 | call to String | provenance | MaD:3 |
+| SafeUrlFlow.go:37:13:37:19 | selection of URL | SafeUrlFlow.go:47:24:47:57 | ...+... | provenance | Src:MaD:2 Sink:MaD:1 |
+| SafeUrlFlow.go:37:13:37:19 | selection of URL | SafeUrlFlow.go:48:29:48:51 | ...+... | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:37:13:37:19 | selection of URL | SafeUrlFlow.go:49:11:49:38 | ...+... | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:58:11:58:17 | baseURL | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:59:12:59:18 | baseURL | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:60:16:60:22 | baseURL | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:61:12:61:18 | baseURL | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:65:13:65:19 | baseURL | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:66:14:66:20 | baseURL | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:67:18:67:24 | baseURL | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:68:14:68:20 | baseURL | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:71:39:71:45 | baseURL | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:75:70:75:76 | baseURL | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:55:13:55:19 | selection of URL | SafeUrlFlow.go:79:40:79:46 | baseURL | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:58:11:58:17 | baseURL | SafeUrlFlow.go:58:11:58:26 | call to String | provenance | MaD:3 |
+| SafeUrlFlow.go:59:12:59:18 | baseURL | SafeUrlFlow.go:59:12:59:27 | call to String | provenance | MaD:3 |
+| SafeUrlFlow.go:60:16:60:22 | baseURL | SafeUrlFlow.go:60:16:60:31 | call to String | provenance | MaD:3 |
 | SafeUrlFlow.go:61:12:61:18 | baseURL | SafeUrlFlow.go:61:12:61:27 | call to String | provenance | MaD:3 |
-| SafeUrlFlow.go:62:16:62:22 | baseURL | SafeUrlFlow.go:62:16:62:31 | call to String | provenance | MaD:3 |
-| SafeUrlFlow.go:63:12:63:18 | baseURL | SafeUrlFlow.go:63:12:63:27 | call to String | provenance | MaD:3 |
-| SafeUrlFlow.go:67:13:67:19 | baseURL | SafeUrlFlow.go:67:13:67:28 | call to String | provenance | MaD:3 |
+| SafeUrlFlow.go:65:13:65:19 | baseURL | SafeUrlFlow.go:65:13:65:28 | call to String | provenance | MaD:3 |
+| SafeUrlFlow.go:66:14:66:20 | baseURL | SafeUrlFlow.go:66:14:66:29 | call to String | provenance | MaD:3 |
+| SafeUrlFlow.go:67:18:67:24 | baseURL | SafeUrlFlow.go:67:18:67:33 | call to String | provenance | MaD:3 |
 | SafeUrlFlow.go:68:14:68:20 | baseURL | SafeUrlFlow.go:68:14:68:29 | call to String | provenance | MaD:3 |
-| SafeUrlFlow.go:69:18:69:24 | baseURL | SafeUrlFlow.go:69:18:69:33 | call to String | provenance | MaD:3 |
-| SafeUrlFlow.go:70:14:70:20 | baseURL | SafeUrlFlow.go:70:14:70:29 | call to String | provenance | MaD:3 |
-| SafeUrlFlow.go:73:39:73:45 | baseURL | SafeUrlFlow.go:73:39:73:54 | call to String | provenance | MaD:3 |
-| SafeUrlFlow.go:77:70:77:76 | baseURL | SafeUrlFlow.go:77:70:77:85 | call to String | provenance | MaD:3 |
-| SafeUrlFlow.go:81:40:81:46 | baseURL | SafeUrlFlow.go:81:40:81:55 | call to String | provenance | MaD:3 |
-| SafeUrlFlow.go:87:14:87:21 | selection of Host | SafeUrlFlow.go:91:19:91:26 | safeHost | provenance |  |
-| SafeUrlFlow.go:91:19:91:26 | safeHost | SafeUrlFlow.go:94:24:94:32 | targetURL | provenance | Config |
-| SafeUrlFlow.go:94:24:94:32 | targetURL | SafeUrlFlow.go:94:24:94:41 | call to String | provenance | MaD:3 Sink:MaD:1 |
-| SafeUrlFlow.go:106:13:106:19 | selection of URL | SafeUrlFlow.go:116:11:116:23 | reconstructed | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:106:13:106:19 | selection of URL | SafeUrlFlow.go:119:24:119:46 | ...+... | provenance | Src:MaD:2 Sink:MaD:1 |
-| SafeUrlFlow.go:106:13:106:19 | selection of URL | SafeUrlFlow.go:120:29:120:54 | ...+... | provenance | Src:MaD:2  |
-| SafeUrlFlow.go:106:13:106:19 | selection of URL | SafeUrlFlow.go:121:12:121:38 | ...+... | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:71:39:71:45 | baseURL | SafeUrlFlow.go:71:39:71:54 | call to String | provenance | MaD:3 |
+| SafeUrlFlow.go:75:70:75:76 | baseURL | SafeUrlFlow.go:75:70:75:85 | call to String | provenance | MaD:3 |
+| SafeUrlFlow.go:79:40:79:46 | baseURL | SafeUrlFlow.go:79:40:79:55 | call to String | provenance | MaD:3 |
+| SafeUrlFlow.go:85:10:85:17 | selection of Host | SafeUrlFlow.go:88:19:88:22 | host | provenance |  |
+| SafeUrlFlow.go:88:19:88:22 | host | SafeUrlFlow.go:90:24:90:32 | targetURL | provenance | Config |
+| SafeUrlFlow.go:90:24:90:32 | targetURL | SafeUrlFlow.go:90:24:90:41 | call to String | provenance | MaD:3 Sink:MaD:1 |
+| SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:111:11:111:23 | reconstructed | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:114:24:114:46 | ...+... | provenance | Src:MaD:2 Sink:MaD:1 |
+| SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:115:29:115:54 | ...+... | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:116:12:116:38 | ...+... | provenance | Src:MaD:2  |
+| SafeUrlFlow.go:101:13:101:19 | selection of URL | SafeUrlFlow.go:117:12:117:21 | opaquePart | provenance | Src:MaD:2  |
 models
 | 1 | Sink: net/http; ; false; Redirect; ; ; Argument[2]; url-redirection[0]; manual |
 | 2 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
@@ -73,40 +75,41 @@ nodes
 | SafeUrlFlow.go:17:19:17:22 | host | semmle.label | host |
 | SafeUrlFlow.go:18:11:18:19 | targetURL | semmle.label | targetURL |
 | SafeUrlFlow.go:18:11:18:28 | call to String | semmle.label | call to String |
-| SafeUrlFlow.go:39:13:39:19 | selection of URL | semmle.label | selection of URL |
-| SafeUrlFlow.go:49:24:49:57 | ...+... | semmle.label | ...+... |
-| SafeUrlFlow.go:50:29:50:51 | ...+... | semmle.label | ...+... |
-| SafeUrlFlow.go:51:11:51:38 | ...+... | semmle.label | ...+... |
-| SafeUrlFlow.go:57:13:57:19 | selection of URL | semmle.label | selection of URL |
-| SafeUrlFlow.go:60:11:60:17 | baseURL | semmle.label | baseURL |
-| SafeUrlFlow.go:60:11:60:26 | call to String | semmle.label | call to String |
+| SafeUrlFlow.go:37:13:37:19 | selection of URL | semmle.label | selection of URL |
+| SafeUrlFlow.go:47:24:47:57 | ...+... | semmle.label | ...+... |
+| SafeUrlFlow.go:48:29:48:51 | ...+... | semmle.label | ...+... |
+| SafeUrlFlow.go:49:11:49:38 | ...+... | semmle.label | ...+... |
+| SafeUrlFlow.go:55:13:55:19 | selection of URL | semmle.label | selection of URL |
+| SafeUrlFlow.go:58:11:58:17 | baseURL | semmle.label | baseURL |
+| SafeUrlFlow.go:58:11:58:26 | call to String | semmle.label | call to String |
+| SafeUrlFlow.go:59:12:59:18 | baseURL | semmle.label | baseURL |
+| SafeUrlFlow.go:59:12:59:27 | call to String | semmle.label | call to String |
+| SafeUrlFlow.go:60:16:60:22 | baseURL | semmle.label | baseURL |
+| SafeUrlFlow.go:60:16:60:31 | call to String | semmle.label | call to String |
 | SafeUrlFlow.go:61:12:61:18 | baseURL | semmle.label | baseURL |
 | SafeUrlFlow.go:61:12:61:27 | call to String | semmle.label | call to String |
-| SafeUrlFlow.go:62:16:62:22 | baseURL | semmle.label | baseURL |
-| SafeUrlFlow.go:62:16:62:31 | call to String | semmle.label | call to String |
-| SafeUrlFlow.go:63:12:63:18 | baseURL | semmle.label | baseURL |
-| SafeUrlFlow.go:63:12:63:27 | call to String | semmle.label | call to String |
-| SafeUrlFlow.go:67:13:67:19 | baseURL | semmle.label | baseURL |
-| SafeUrlFlow.go:67:13:67:28 | call to String | semmle.label | call to String |
+| SafeUrlFlow.go:65:13:65:19 | baseURL | semmle.label | baseURL |
+| SafeUrlFlow.go:65:13:65:28 | call to String | semmle.label | call to String |
+| SafeUrlFlow.go:66:14:66:20 | baseURL | semmle.label | baseURL |
+| SafeUrlFlow.go:66:14:66:29 | call to String | semmle.label | call to String |
+| SafeUrlFlow.go:67:18:67:24 | baseURL | semmle.label | baseURL |
+| SafeUrlFlow.go:67:18:67:33 | call to String | semmle.label | call to String |
 | SafeUrlFlow.go:68:14:68:20 | baseURL | semmle.label | baseURL |
 | SafeUrlFlow.go:68:14:68:29 | call to String | semmle.label | call to String |
-| SafeUrlFlow.go:69:18:69:24 | baseURL | semmle.label | baseURL |
-| SafeUrlFlow.go:69:18:69:33 | call to String | semmle.label | call to String |
-| SafeUrlFlow.go:70:14:70:20 | baseURL | semmle.label | baseURL |
-| SafeUrlFlow.go:70:14:70:29 | call to String | semmle.label | call to String |
-| SafeUrlFlow.go:73:39:73:45 | baseURL | semmle.label | baseURL |
-| SafeUrlFlow.go:73:39:73:54 | call to String | semmle.label | call to String |
-| SafeUrlFlow.go:77:70:77:76 | baseURL | semmle.label | baseURL |
-| SafeUrlFlow.go:77:70:77:85 | call to String | semmle.label | call to String |
-| SafeUrlFlow.go:81:40:81:46 | baseURL | semmle.label | baseURL |
-| SafeUrlFlow.go:81:40:81:55 | call to String | semmle.label | call to String |
-| SafeUrlFlow.go:87:14:87:21 | selection of Host | semmle.label | selection of Host |
-| SafeUrlFlow.go:91:19:91:26 | safeHost | semmle.label | safeHost |
-| SafeUrlFlow.go:94:24:94:32 | targetURL | semmle.label | targetURL |
-| SafeUrlFlow.go:94:24:94:41 | call to String | semmle.label | call to String |
-| SafeUrlFlow.go:106:13:106:19 | selection of URL | semmle.label | selection of URL |
-| SafeUrlFlow.go:116:11:116:23 | reconstructed | semmle.label | reconstructed |
-| SafeUrlFlow.go:119:24:119:46 | ...+... | semmle.label | ...+... |
-| SafeUrlFlow.go:120:29:120:54 | ...+... | semmle.label | ...+... |
-| SafeUrlFlow.go:121:12:121:38 | ...+... | semmle.label | ...+... |
+| SafeUrlFlow.go:71:39:71:45 | baseURL | semmle.label | baseURL |
+| SafeUrlFlow.go:71:39:71:54 | call to String | semmle.label | call to String |
+| SafeUrlFlow.go:75:70:75:76 | baseURL | semmle.label | baseURL |
+| SafeUrlFlow.go:75:70:75:85 | call to String | semmle.label | call to String |
+| SafeUrlFlow.go:79:40:79:46 | baseURL | semmle.label | baseURL |
+| SafeUrlFlow.go:79:40:79:55 | call to String | semmle.label | call to String |
+| SafeUrlFlow.go:85:10:85:17 | selection of Host | semmle.label | selection of Host |
+| SafeUrlFlow.go:88:19:88:22 | host | semmle.label | host |
+| SafeUrlFlow.go:90:24:90:32 | targetURL | semmle.label | targetURL |
+| SafeUrlFlow.go:90:24:90:41 | call to String | semmle.label | call to String |
+| SafeUrlFlow.go:101:13:101:19 | selection of URL | semmle.label | selection of URL |
+| SafeUrlFlow.go:111:11:111:23 | reconstructed | semmle.label | reconstructed |
+| SafeUrlFlow.go:114:24:114:46 | ...+... | semmle.label | ...+... |
+| SafeUrlFlow.go:115:29:115:54 | ...+... | semmle.label | ...+... |
+| SafeUrlFlow.go:116:12:116:38 | ...+... | semmle.label | ...+... |
+| SafeUrlFlow.go:117:12:117:21 | opaquePart | semmle.label | opaquePart |
 subpaths
--- a/go/ql/test/library-tests/semmle/go/security/SafeUrlFlow/SafeUrlFlow.go
+++ b/go/ql/test/library-tests/semmle/go/security/SafeUrlFlow/SafeUrlFlow.go
@@ -8,30 +8,28 @@ import (

 func testStdlibSources(w http.ResponseWriter, req *http.Request) {
 	host := req.Host                                                 // $ Source
-	http.Redirect(w, req, "https://"+host+"/safe", http.StatusFound) // $ Alert
+	http.Redirect(w, req, "https://"+host+"/path", http.StatusFound) // $ Alert

 	baseURL := req.URL                           // $ Source
 	w.Header().Set("Location", baseURL.String()) // $ Alert

 	targetURL := url.URL{}
-	targetURL.Host = host        // propagation to URL when Host is assigned
+	targetURL.Host = host        // additional flow step from Host field to URL struct
 	http.Get(targetURL.String()) // $ Alert
 }

-func testSanitizerEdge1(w http.ResponseWriter, req *http.Request) {
+func testBarrierEdge1(w http.ResponseWriter, req *http.Request) {
 	baseURL := req.URL

-	// SanitizerEdge: Query method call (unsafe URL method - breaks flow)
-	query := baseURL.Query()                                       // sanitizer edge blocks flow here
+	query := baseURL.Query()                                       // barrier edge blocks flow here
 	http.Redirect(w, req, query.Get("redirect"), http.StatusFound) // no flow expected
 }

-func testSanitizerEdge2(w http.ResponseWriter, req *http.Request) {
+func testBarrierEdge2(w http.ResponseWriter, req *http.Request) {
 	baseURL := req.URL

-	// SanitizerEdge: String slicing (breaks flow)
 	urlString := baseURL.String()
-	sliced := urlString[0:10]          // sanitizer edge blocks flow here
+	sliced := urlString[0:10]          // barrier edge (string slicing) blocks flow here
 	w.Header().Set("Location", sliced) // no flow expected
 }

@@ -42,12 +40,12 @@ func testFieldReads(w http.ResponseWriter, req *http.Request) {
 	scheme := baseURL.Scheme     // should preserve flow
 	host := baseURL.Host         // should preserve flow
 	path := baseURL.Path         // should preserve flow
-	fragment := baseURL.Fragment // should preserve flow
-	user := baseURL.User         // should preserve flow (but unsafe field)
+	fragment := baseURL.Fragment // should not preserve flow
+	user := baseURL.User         // should not preserve flow

 	// These should still have flow (not sanitized)
 	http.Redirect(w, req, "https://"+scheme+"://example.com", http.StatusFound) // $ Alert
-	w.Header().Set("Location", "https://"+host+"/safe")                         // $ Alert
+	w.Header().Set("Location", "https://"+host+"/path")                         // $ Alert
 	http.Get("https://example.com" + path)                                      // $ Alert
 	http.Get(fragment)
 	http.Get(user.String())
@@ -84,28 +82,25 @@ func testRequestForgerySinks(req *http.Request) {
 }

 func testHostFieldAssignmentFlow(w http.ResponseWriter, req *http.Request) {
-	safeHost := req.Host // $ Source
+	host := req.Host // $ Source

-	// Test additional flow step: propagation when Host field is assigned
 	targetURL, _ := url.Parse("http://example.com/data")
-	targetURL.Host = safeHost // additional flow step from SafeUrlFlow config
+	targetURL.Host = host // additional flow step from Host field to URL struct

-	// Flow should propagate to the whole URL after Host assignment
 	http.Redirect(w, req, targetURL.String(), http.StatusFound) // $ Alert
 }

 func testHostFieldOverwritten(w http.ResponseWriter, req *http.Request) {
 	baseURL := req.URL

-	// Flow should be blocked when Host is overwritten
-	baseURL.Host = "something.else.com"
+	baseURL.Host = "something.else.com" // barrier edge (Host field overwritten) blocks flow here
 	http.Get(baseURL.String())
 }

 func testFieldAccess(w http.ResponseWriter, req *http.Request) {
 	baseURL := req.URL // $ Source

-	// Safe field accesses that should preserve flow
+	// These field accesses should preserve flow
 	host := baseURL.Host
 	path := baseURL.Path
 	scheme := baseURL.Scheme
@@ -119,20 +114,18 @@ func testFieldAccess(w http.ResponseWriter, req *http.Request) {
 	http.Redirect(w, req, "https://"+host+"/path", http.StatusFound) // $ Alert
 	w.Header().Set("Location", "https://example.com"+path)           // $ Alert
 	http.Post(scheme+"://example.com/api", "application/json", nil)  // $ Alert
-	use(opaquePart)                                                  // avoid unused variable warning
+	http.Post(opaquePart, "application/json", nil)                   // $ Alert

-	// Unsafe field accesses that should be sanitized by UnsafeFieldReadSanitizer
-	// These read unsafe URL fields and should NOT have flow
-	unsafeUser := baseURL.User         // sanitizer edge (User field)
-	unsafeQuery := baseURL.RawQuery    // sanitizer edge (RawQuery field)
-	unsafeFragment := baseURL.Fragment // sanitizer edge (Fragment field)
+	// These field accesses should block flow
+	user := baseURL.User         // barrier edge (User field)
+	query := baseURL.RawQuery    // barrier edge (RawQuery field)
+	fragment := baseURL.Fragment // barrier edge (Fragment field)

-	// These should NOT have flow due to sanitizer edges
-	if unsafeUser != nil {
-		http.Redirect(w, req, unsafeUser.String(), http.StatusFound) // no flow expected
+	if user != nil {
+		http.Redirect(w, req, user.String(), http.StatusFound) // no flow expected
 	}
-	w.Header().Set("Location", "https://example.com/?"+unsafeQuery) // no flow expected
-	http.Get("https://example.com/#" + unsafeFragment)              // no flow expected
+	w.Header().Set("Location", "https://example.com/?"+query) // no flow expected
+	http.Get("https://example.com/#" + fragment)              // no flow expected
 }

 // Helper function to avoid unused variable warnings