Convert reflected xss sanitizer to MaD

Author: owen-mc

go/ql/lib/ext/net.http.model.yml

@@ -7,6 +7,12 @@ extensions:
       - ["net/http", "", False, "ServeFile", "", "", "Argument[2]", "path-injection", "manual"]
       # url-redirection
       - ["net/http", "", False, "Redirect", "", "", "Argument[2]", "url-redirection[0]", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: barrierModel
+    data:
+      # Returns the request cookie, which is not user controlled in reflected XSS context.
+      - ["net/http", "Request", False, "Cookie", "", "", "ReturnValue[0]", "reflected-xss", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel

go/ql/lib/semmle/go/security/ReflectedXssCustomizations.qll

@@ -4,6 +4,7 @@
 
 import go
 import Xss
+private import semmle.go.dataflow.ExternalFlow
 
 /**
  * Provides extension points for customizing the taint-tracking configuration for reasoning about
@@ -22,16 +23,8 @@ module ReflectedXss {
   /** A shared XSS sanitizer as a sanitizer for reflected XSS. */
   private class SharedXssSanitizer extends Sanitizer instanceof SharedXss::Sanitizer { }
 
-  /**
-   * A request.Cookie method returns the request cookie, which is not user controlled in reflected XSS context.
-   */
-  class CookieSanitizer extends Sanitizer {
-    CookieSanitizer() {
-      exists(Method m, DataFlow::CallNode call | call = m.getACall() |
-        m.hasQualifiedName("net/http", "Request", "Cookie") and
-        this = call.getResult(0)
-      )
-    }
+  private class DefaultSanitizer extends Sanitizer {
+    DefaultSanitizer() { barrierNode(this, "reflected-xss") }
   }
 
   /**