GoNetHTTP

Package-level net/http functions: Get(), Post(), Head(). SSRF sinks when the URL argument is derived from user input.

4 sinks

Taint flow0 sources → 4 sinks

Sinks — dangerous call

.Get()Package-level HTTP GET

.Post()Package-level HTTP POST

.Head()Package-level HTTP HEAD

.Redirect()Sends redirect response

Sinks

— dangerous functions taint must not reach

.Get()Sink

Signature

Get(url string) (*Response, error)

Package-level HTTP GET. SSRF sink when url is user-controlled.

tracks:0

.Post()Sink

Signature

Post(url, contentType string, body io.Reader) (*Response, error)

Package-level HTTP POST. SSRF sink when url is user-controlled.

tracks:0

.Head()Sink

Signature

Head(url string) (*Response, error)

Package-level HTTP HEAD. SSRF sink.

tracks:0

.Redirect()Sink

Signature

Redirect(w ResponseWriter, r *Request, url string, code int)

Sends redirect response. Open redirect sink when url is user-controlled.

tracks:2

FQN	Field
net/http	fqns[0]

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

go.mod

// standard library — no go.mod entry required

rule.py

from codepathfinder.go_rule import GoNetHTTP