From e1219480d8e22338c6dc85b977ac5cc9d95b9047 Mon Sep 17 00:00:00 2001
From: snoopywu
Date: Sat, 13 Mar 2021 03:17:58 +0800
Subject: [PATCH 1/5] Add Transport.RoundTrip()
---
 .../semmle/go/frameworks/stdlib/NetHttp.qll | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/ql/src/semmle/go/frameworks/stdlib/NetHttp.qll b/ql/src/semmle/go/frameworks/stdlib/NetHttp.qll
index 575267c0f88..5917081b0c0 100644
--- a/ql/src/semmle/go/frameworks/stdlib/NetHttp.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/NetHttp.qll
@@ -216,6 +216,35 @@ module NetHttp {
 }
 }
+ /** A call to the `Transport.RoundTrip` function in the `net/http` package. */
+ private class TransportRoundTrip extends HTTP::ClientRequest::Range, DataFlow::MethodCallNode {
+ TransportRoundTrip() {
+ this.getTarget().(Method).hasQualifiedName("net/http", "Transport", "RoundTrip")
+ }
+
+ override DataFlow::Node getUrl() {
+ // A URL passed to `NewRequest`, whose result is passed to this `RoundTrip` call
+ exists(DataFlow::CallNode call | call.getTarget().hasQualifiedName("net/http", "NewRequest") |
+ this.getArgument(0) = call.getResult(0).getASuccessor*() and
+ result = call.getArgument(1)
+ )
+ or
+ // A URL passed to `NewRequestWithContext`, whose result is passed to this `RoundTrip` call
+ exists(DataFlow::CallNode call |
+ call.getTarget().hasQualifiedName("net/http", "NewRequestWithContext")
+ |
+ this.getArgument(0) = call.getResult(0).getASuccessor*() and
+ result = call.getArgument(2)
+ )
+ or
+ // A URL assigned to a request that is passed to this `RoundTrip` call
+ exists(Write w, Field f |
+ f.hasQualifiedName("net/http", "Request", "URL") and
+ w.writesField(this.getArgument(0).getAPredecessor*(), f, result)
+ )
+ }
+ }
+
 /** Fields and methods of `net/http.Request` that are not generally exploitable in an open-redirect attack. */
 private class RedirectUnexploitableRequestFields extends HTTP::Redirect::UnexploitableSource {
 RedirectUnexploitableRequestFields() {
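Review bot: `TransportRoundTrip` matches only calls whose target is the `RoundTrip` method declared on the concrete `net/http.Transport` type, so calls made through the `http.RoundTripper` interface (`http.DefaultTransport` is declared with that interface type) are presumably not modelled as client requests, and request-forgery flows that reach them would go unreported. If that narrower scope is intended, state it in the QLDoc; otherwise also match the interface method, along the lines of `this.getTarget().(Method).implements("net/http", "RoundTripper", "RoundTrip")`. The `getUrl()` disjuncts link the request to this call only through `getASuccessor*()` / `getAPredecessor*()`, which appear to follow local flow, so a request built in a different function from the `RoundTrip` call would yield no URL; a one-line comment recording that limit would help. The diffstat shows one file changed, so no library test accompanies the new model.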
From 00f12f921069e417d778879b1066bcbaa3e9fcfb Mon Sep 17 00:00:00 2001
From: sn00py <3022235906@qq.com>
Date: Tue, 16 Mar 2021 00:41:52 +0800
Subject: [PATCH 2/5] Update ql/src/semmle/go/frameworks/stdlib/NetHttp.qll
Co-authored-by: Sauyon Lee
---
 ql/src/semmle/go/frameworks/stdlib/NetHttp.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ql/src/semmle/go/frameworks/stdlib/NetHttp.qll b/ql/src/semmle/go/frameworks/stdlib/NetHttp.qll
index 5917081b0c0..6e4e86c3985 100644
--- a/ql/src/semmle/go/frameworks/stdlib/NetHttp.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/NetHttp.qll
@@ -219,7 +219,7 @@ module NetHttp {
 /** A call to the `Transport.RoundTrip` function in the `net/http` package. */
 private class TransportRoundTrip extends HTTP::ClientRequest::Range, DataFlow::MethodCallNode {
 TransportRoundTrip() {
- this.getTarget().(Method).hasQualifiedName("net/http", "Transport", "RoundTrip")
+ this.getTarget().hasQualifiedName("net/http", "Transport", "RoundTrip")
 }
 override DataFlow::Node getUrl() {
From cee30cfde412ed3e47f98ca09d78f5c23f2859e0 Mon Sep 17 00:00:00 2001
From: snoopywu
Date: Tue, 16 Mar 2021 01:43:33 +0800
Subject: [PATCH 3/5] fix: autoformat
---
 ql/src/semmle/go/frameworks/stdlib/NetHttp.qll | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/ql/src/semmle/go/frameworks/stdlib/NetHttp.qll b/ql/src/semmle/go/frameworks/stdlib/NetHttp.qll
index 6e4e86c3985..2a12e046bfb 100644
--- a/ql/src/semmle/go/frameworks/stdlib/NetHttp.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/NetHttp.qll
@@ -218,9 +218,7 @@ module NetHttp {
 /** A call to the `Transport.RoundTrip` function in the `net/http` package. */
 private class TransportRoundTrip extends HTTP::ClientRequest::Range, DataFlow::MethodCallNode {
- TransportRoundTrip() {
- this.getTarget().hasQualifiedName("net/http", "Transport", "RoundTrip")
- }
+ TransportRoundTrip() { this.getTarget().hasQualifiedName("net/http", "Transport", "RoundTrip") }
 override DataFlow::Node getUrl() {
 // A URL passed to `NewRequest`, whose result is passed to this `RoundTrip` call
From 161ce911592fb372fab447143a683d262aad4192 Mon Sep 17 00:00:00 2001
From: snoopywu <3022235906@qq.com>
Date: Tue, 16 Mar 2021 23:51:26 +0800
Subject: [PATCH 4/5] Add changenote for #506
---
 change-notes/2021-03-16-nethttp-updated.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 change-notes/2021-03-16-nethttp-updated.md
diff --git a/change-notes/2021-03-16-nethttp-updated.md b/change-notes/2021-03-16-nethttp-updated.md
new file mode 100644
index 00000000000..f620368e8c1
--- /dev/null
+++ b/change-notes/2021-03-16-nethttp-updated.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added TransportRoundTrip in NetHttp.qll, it can performs an HTTP request to a URL.
\ No newline at end of file
From 22c31106021762b89768ebc3452db93385e8f7a2 Mon Sep 17 00:00:00 2001
From: sn00py <3022235906@qq.com>
Date: Thu, 18 Mar 2021 23:32:23 +0800
Subject: [PATCH 5/5] Update change-notes/2021-03-16-nethttp-updated.md
Co-authored-by: Sauyon Lee
---
 change-notes/2021-03-16-nethttp-updated.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/change-notes/2021-03-16-nethttp-updated.md b/change-notes/2021-03-16-nethttp-updated.md
index f620368e8c1..f9138f67f7a 100644
--- a/change-notes/2021-03-16-nethttp-updated.md
+++ b/change-notes/2021-03-16-nethttp-updated.md
@@ -1,2 +1,2 @@
 lgtm,codescanning
-* Added TransportRoundTrip in NetHttp.qll, it can performs an HTTP request to a URL.
\ No newline at end of file
+* Added support for the `Transport.RoundTrip` method in `net/http`.