Golang: HTTP NewRequest not tainting result

[jason-invision]

It doesn't appear that HTTP NewRequest is tainting the resulting request.

For example,

	req, err := http.NewRequest("POST", url, body)

I had to add this additional taint step:

exists(DataFlow::CallNode call | call.getTarget().hasQualifiedName("net/http", "NewRequest")
      and pred = call.getAnArgument()
      and succ = call.getResult(0)
    )

[smowton]

As a general rule, I would disagree that the user having control over the request body implies they have control over the response, so long as I remain in control of the URL. If they have control of the URL on the other hand, I agree that makes the response dangerous. I'll add a rule specifically noting that tainted URL -> tainted response. Particular queries that are concerned about user control of the body but not the URL should add their own rule as you have here.

[smowton]

github/codeql-go#352