From d41e6a9d85c8bb14322e066033ca13934012e6cc Mon Sep 17 00:00:00 2001
From: Aditya Sharad <adityasharad@github.com>
Date: Fri, 20 Mar 2020 13:55:44 -0700
Subject: [PATCH] Model HTTP request functions in `net/http` package.

---
 ql/src/semmle/go/frameworks/HTTP.qll | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/ql/src/semmle/go/frameworks/HTTP.qll b/ql/src/semmle/go/frameworks/HTTP.qll
index d16e9df2a41..20da009e8d1 100644
--- a/ql/src/semmle/go/frameworks/HTTP.qll
+++ b/ql/src/semmle/go/frameworks/HTTP.qll
@@ -147,4 +147,21 @@ private module StdlibHttp {
 
     override HTTP::ResponseWriter getResponseWriter() { result.getANode() = this.getArgument(0) }
   }
+
+  /** A call to a function in the `net/http` package that performs an HTTP request to a URL. */
+  private class RequestCall extends HTTP::ClientRequest::Range, DataFlow::CallNode {
+    RequestCall() {
+      exists(string functionName |
+        (
+          this.getTarget().hasQualifiedName("net/http", functionName)
+          or
+          this.getTarget().(Method).hasQualifiedName("net/http", "Client", functionName)
+        ) and
+        (functionName = "Get" or functionName = "Post" or functionName = "PostForm")
+      )
+    }
+
+    /** Gets the URL of the request. */
+    override DataFlow::Node getUrl() { result = this.getArgument(0) }
+  }
 }