From 7121282b27184a48880ebed9e72238126cb8591c Mon Sep 17 00:00:00 2001 From: Malayke Date: Mon, 11 Dec 2023 23:05:04 +0800 Subject: [PATCH 1/8] add new query for detect DOS --- .../CWE-770/DenialOfService.qhelp | 32 +++++++ .../experimental/CWE-770/DenialOfService.ql | 64 +++++++++++++ .../CWE-770/DenialOfServiceBad.go | 27 ++++++ .../CWE-770/DenialOfServiceGood.go | 30 ++++++ .../CWE-770/DenialOfService.expected | 18 ++++ .../CWE-770/DenialOfService.qlref | 1 + .../CWE-770/DenialOfServiceBad.go | 27 ++++++ .../CWE-770/DenialOfServiceGood.go | 94 +++++++++++++++++++ 8 files changed, 293 insertions(+) create mode 100644 go/ql/src/experimental/CWE-770/DenialOfService.qhelp create mode 100644 go/ql/src/experimental/CWE-770/DenialOfService.ql create mode 100644 go/ql/src/experimental/CWE-770/DenialOfServiceBad.go create mode 100644 go/ql/src/experimental/CWE-770/DenialOfServiceGood.go create mode 100644 go/ql/test/experimental/CWE-770/DenialOfService.expected create mode 100644 go/ql/test/experimental/CWE-770/DenialOfService.qlref create mode 100644 go/ql/test/experimental/CWE-770/DenialOfServiceBad.go create mode 100644 go/ql/test/experimental/CWE-770/DenialOfServiceGood.go diff --git a/go/ql/src/experimental/CWE-770/DenialOfService.qhelp b/go/ql/src/experimental/CWE-770/DenialOfService.qhelp new file mode 100644 index 000000000000..b91f1f7e3b06 --- /dev/null +++ b/go/ql/src/experimental/CWE-770/DenialOfService.qhelp @@ -0,0 +1,32 @@ + + + + +

Using untrusted input to created with the built-in make function + could lead to excessive memory allocation and potentially cause the program to crash due + to running out of memory. This vulnerability could be exploited to perform a DoS attack by consuming all available server resources.

+
+ + +

Implement a maximum allowed value for creates a slice with the built-in make function to prevent excessively large allocations. + For instance, you could restrict it to a reasonable upper limit.

+
+ + +

In the following example snippet, the n field is user-controlled.

+

The server trusts that n has an acceptable value, however when using a maliciously large value, + it allocates a slice of n of strings before filling the slice with data.

+ + + +

One way to prevent this vulnerability is by implementing a maximum allowed value for the user-controlled input:

+ + +
+ + +
  • + OWASP: Denial of Service Cheat Sheet +
  • +
    +
    \ No newline at end of file diff --git a/go/ql/src/experimental/CWE-770/DenialOfService.ql b/go/ql/src/experimental/CWE-770/DenialOfService.ql new file mode 100644 index 000000000000..95e4cb62bd7a --- /dev/null +++ b/go/ql/src/experimental/CWE-770/DenialOfService.ql 
@@ -0,0 +1,64 @@
+/**
+ * @name Denial Of Service
+ * @description slices created with the built-in make function from user-controlled sources using a
+ * maliciously large value possibly leading to a denial of service.
+ * @kind path-problem
+ * @problem.severity high
+ * @security-severity 9
+ * @id go/denial-of-service
+ * @tags security
+ * experimental
+ * external/cwe/cwe-770
+ */
+
+import go
+
+class BuiltInMake extends DataFlow::Node {
+ BuiltInMake() { this = Builtin::make().getACall().getArgument(0) }
+}
+
+/**
+ * Holds if `g` is a barrier-guard which checks `e` is nonzero on `branch`.
+ */
+predicate denialOfServiceSanitizerGuard(DataFlow::Node g, Expr e, boolean branch) {
+ exists(DataFlow::Node lesser |
+ e = lesser.asExpr() and
+ g.(DataFlow::RelationalComparisonNode).leq(branch, lesser, _, _)
+ )
+ or
+ exists(LogicalBinaryExpr lbe, DataFlow::Node lesser |
+ lbe.getAnOperand() = g.(DataFlow::RelationalComparisonNode).asExpr() and
+ e = lesser.asExpr() and
+ g.(DataFlow::RelationalComparisonNode).leq(branch, lesser, _, _)
+ )
+}
+
+module Config implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
+
+ predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+ exists(Function f, DataFlow::CallNode cn | cn = f.getACall() |
+ f.hasQualifiedName("strconv", ["Atoi", "ParseInt", "ParseUint", "ParseFloat"]) and
+ node1 = cn.getArgument(0) and
+ node2 = cn.getResult(0)
+ )
+ }
+
+ predicate isBarrier(DataFlow::Node node) {
+ node = DataFlow::BarrierGuard::getABarrierNode()
+ }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof BuiltInMake }
+}
+
+/**
+ * Tracks taint flow for reasoning about denial of service, where source is
+ * user-controlled and unchecked.
+ */
+module Flow = TaintTracking::Global;
+
+import Flow::PathGraph
+
+from Flow::PathNode source, Flow::PathNode sink
+where Flow::flowPath(source, sink)
+select sink, source, sink, "This variable might be leading to denial of service."
diff --git a/go/ql/src/experimental/CWE-770/DenialOfServiceBad.go b/go/ql/src/experimental/CWE-770/DenialOfServiceBad.go
new file mode 100644
index 000000000000..b3a57d4f5e10
--- /dev/null
+++ b/go/ql/src/experimental/CWE-770/DenialOfServiceBad.go
@@ -0,0 +1,27 @@
+package main
+
+import (
+ "encoding/json"
+ "fmt"
+ "net/http"
+ "strconv"
+)
+
+func OutOfMemoryBad(w http.ResponseWriter, r *http.Request) {
+ query := r.URL.Query()
+
+ queryStr := query.Get("n")
+ collectionSize, err := strconv.Atoi(queryStr)
+ if err != nil {
+ http.Error(w, err.Error(), http.StatusBadRequest)
+ return
+ }
+
+ result := make([]string, collectionSize)
+ for i := 0; i < collectionSize; i++ {
+ result[i] = fmt.Sprintf("Item %d", i+1)
+ }
+
+ w.Header().Set("Content-Type", "application/json")
+ json.NewEncoder(w).Encode(result)
+}
diff --git a/go/ql/src/experimental/CWE-770/DenialOfServiceGood.go b/go/ql/src/experimental/CWE-770/DenialOfServiceGood.go
new file mode 100644
index 000000000000..2b833b3b6d99
--- /dev/null
+++ b/go/ql/src/experimental/CWE-770/DenialOfServiceGood.go
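Review bot: The sink in `BuiltInMake` covers only the length operand of `make`, so `make([]string, 0, n)` with a request-derived capacity allocates the same memory yet is never reported; extend it to `this = Builtin::make().getACall().getArgument([0, 1])`. This assumes the type operand is not counted as an argument, which the expected output's sink position (the `sink` identifier rather than `[]string`) suggests; worth confirming against the Go library's argument indexing. Separately, the alert message names no source; the usual path-problem form is `select sink, source, sink, "This allocation size depends on a $@.", source.getNode(), "user-provided value"`, which points the reader at the flow endpoint. The `isAdditionalFlowStep` for strconv is appropriate here, since an integer conversion is otherwise not a taint step and the integer value is exactly what drives the allocation.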
@@ -0,0 +1,30 @@
+package main
+
+import (
+ "encoding/json"
+ "fmt"
+ "net/http"
+ "strconv"
+)
+
+func OutOfMemoryGood(w http.ResponseWriter, r *http.Request) {
+ query := r.URL.Query()
+ MaxValue := 6
+ queryStr := query.Get("n")
+ collectionSize, err := strconv.Atoi(queryStr)
+ if err != nil || collectionSize < 0 {
+ http.Error(w, "Bad request", http.StatusBadRequest)
+ return
+ }
+ if collectionSize > MaxValue {
+ http.Error(w, "Bad request", http.StatusBadRequest)
+ return
+ }
+ result := make([]string, collectionSize)
+ for i := 0; i < collectionSize; i++ {
+ result[i] = fmt.Sprintf("Item %d", i+1)
+ }
+
+ w.Header().Set("Content-Type", "application/json")
+ json.NewEncoder(w).Encode(result)
+}
diff --git a/go/ql/test/experimental/CWE-770/DenialOfService.expected b/go/ql/test/experimental/CWE-770/DenialOfService.expected
new file mode 100644
index 000000000000..2e54b95447d3
--- /dev/null
+++ b/go/ql/test/experimental/CWE-770/DenialOfService.expected
@@ -0,0 +1,18 @@ +edges +| DenialOfServiceBad.go:11:12:11:16 | selection of URL | DenialOfServiceBad.go:11:12:11:24 | call to Query | +| DenialOfServiceBad.go:11:12:11:24 | call to Query | DenialOfServiceBad.go:13:15:13:20 | source | +| DenialOfServiceBad.go:13:15:13:20 | source | DenialOfServiceBad.go:13:15:13:29 | call to Get | +| DenialOfServiceBad.go:13:15:13:29 | call to Get | DenialOfServiceBad.go:14:28:14:36 | sourceStr | +| DenialOfServiceBad.go:14:2:14:37 | ... := ...[0] | DenialOfServiceBad.go:20:27:20:30 | sink | +| DenialOfServiceBad.go:14:28:14:36 | sourceStr | DenialOfServiceBad.go:14:2:14:37 | ... := ...[0] | +nodes +| DenialOfServiceBad.go:11:12:11:16 | selection of URL | semmle.label | selection of URL | +| DenialOfServiceBad.go:11:12:11:24 | call to Query | semmle.label | call to Query | +| DenialOfServiceBad.go:13:15:13:20 | source | semmle.label | source | +| DenialOfServiceBad.go:13:15:13:29 | call to Get | semmle.label | call to Get | +| DenialOfServiceBad.go:14:2:14:37 | ... := ...[0] | semmle.label | ... := ...[0] | +| DenialOfServiceBad.go:14:28:14:36 | sourceStr | semmle.label | sourceStr | +| DenialOfServiceBad.go:20:27:20:30 | sink | semmle.label | sink | +subpaths +#select +| DenialOfServiceBad.go:20:27:20:30 | sink | DenialOfServiceBad.go:11:12:11:16 | selection of URL | DenialOfServiceBad.go:20:27:20:30 | sink | This variable might be leading to denial of service. | diff --git a/go/ql/test/experimental/CWE-770/DenialOfService.qlref b/go/ql/test/experimental/CWE-770/DenialOfService.qlref new file mode 100644 index 000000000000..e5896bb61dfb --- /dev/null +++ b/go/ql/test/experimental/CWE-770/DenialOfService.qlref @@ -0,0 +1 @@ +experimental/CWE-770/DenialOfService.ql \ No newline at end of file diff --git a/go/ql/test/experimental/CWE-770/DenialOfServiceBad.go b/go/ql/test/experimental/CWE-770/DenialOfServiceBad.go new file mode 100644 index 000000000000..2d61cdbdafc2 --- /dev/null 
+++ b/go/ql/test/experimental/CWE-770/DenialOfServiceBad.go
@@ -0,0 +1,27 @@
+package main
+
+import (
+ "encoding/json"
+ "fmt"
+ "net/http"
+ "strconv"
+)
+
+func OutOfMemoryBad(w http.ResponseWriter, r *http.Request) {
+ source := r.URL.Query()
+
+ sourceStr := source.Get("n")
+ sink, err := strconv.Atoi(sourceStr)
+ if err != nil {
+ http.Error(w, err.Error(), http.StatusBadRequest)
+ return
+ }
+
+ result := make([]string, sink)
+ for i := 0; i < sink; i++ {
+ result[i] = fmt.Sprintf("Item %d", i+1)
+ }
+
+ w.Header().Set("Content-Type", "application/json")
+ json.NewEncoder(w).Encode(result)
+}
diff --git a/go/ql/test/experimental/CWE-770/DenialOfServiceGood.go b/go/ql/test/experimental/CWE-770/DenialOfServiceGood.go
new file mode 100644
index 000000000000..a66edf74a830
--- /dev/null
+++ b/go/ql/test/experimental/CWE-770/DenialOfServiceGood.go
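Review bot: The only positive fixture is the wholly unguarded handler, so the suite cannot distinguish a correct barrier from one that treats any comparison involving the size as sanitizing; a handler that rejects only negative values and then allocates must still be reported, and no such case exists here. The same gap applies to the capacity form `make([]string, 0, sink)`, which is not exercised anywhere in the test directory. Adding the handler below (and its path to DenialOfService.expected) pins the intended behaviour of the `sink < 0` guard, which must not silence the alert on its false branch.

```go
// Only a lower bound is checked; the allocation must still be reported.
func OutOfMemoryBad2(w http.ResponseWriter, r *http.Request) {
	source := r.URL.Query()
	sourceStr := source.Get("n")
	sink, err := strconv.Atoi(sourceStr)
	if err != nil || sink < 0 {
		http.Error(w, "Bad request", http.StatusBadRequest)
		return
	}
	result := make([]string, 0, sink) // capacity operand, not length
	// … unchanged: fill and encode result as in OutOfMemoryBad …
}
```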
@@ -0,0 +1,94 @@
+package main
+
+import (
+ "encoding/json"
+ "fmt"
+ "net/http"
+ "strconv"
+)
+
+func OutOfMemoryGood1(w http.ResponseWriter, r *http.Request) {
+ source := r.URL.Query()
+ MaxValue := 6
+ sourceStr := source.Get("n")
+ sink, err := strconv.Atoi(sourceStr)
+ if err != nil || sink < 0 {
+ http.Error(w, "Bad request", http.StatusBadRequest)
+ return
+ }
+ if sink > MaxValue {
+ return
+ }
+ result := make([]string, sink)
+ for i := 0; i < sink; i++ {
+ result[i] = fmt.Sprintf("Item %d", i+1)
+ }
+
+ w.Header().Set("Content-Type", "application/json")
+ json.NewEncoder(w).Encode(result)
+}
+
+func OutOfMemoryGood2(w http.ResponseWriter, r *http.Request) {
+ source := r.URL.Query()
+ MaxValue := 6
+ sourceStr := source.Get("n")
+ sink, err := strconv.Atoi(sourceStr)
+ if err != nil || sink < 0 {
+ http.Error(w, "Bad request", http.StatusBadRequest)
+ return
+ }
+ if sink <= MaxValue {
+ result := make([]string, sink)
+ for i := 0; i < sink; i++ {
+ result[i] = fmt.Sprintf("Item %d", i+1)
+ }
+
+ w.Header().Set("Content-Type", "application/json")
+ json.NewEncoder(w).Encode(result)
+ }
+}
+
+func OutOfMemoryGood3(w http.ResponseWriter, r *http.Request) {
+ source := r.URL.Query()
+ MaxValue := 6
+ sourceStr := source.Get("n")
+ sink, err := strconv.Atoi(sourceStr)
+ if err != nil || sink < 0 {
+ http.Error(w, "Bad request", http.StatusBadRequest)
+ return
+ }
+ if sink > MaxValue {
+ sink = MaxValue
+ result := make([]string, sink)
+ for i := 0; i < sink; i++ {
+ result[i] = fmt.Sprintf("Item %d", i+1)
+ }
+
+ w.Header().Set("Content-Type", "application/json")
+ json.NewEncoder(w).Encode(result)
+ }
+}
+
+func OutOfMemoryGood4(w http.ResponseWriter, r *http.Request) {
+ source := r.URL.Query()
+ MaxValue := 6
+ sourceStr := source.Get("n")
+ sink, err := strconv.Atoi(sourceStr)
+ if err != nil || sink < 0 {
+ http.Error(w, "Bad request", http.StatusBadRequest)
+ return
+ }
+ if sink > MaxValue {
+ sink = MaxValue
+ } else {
+ tmp := sink
+ sink = tmp
+ }
+ result := make([]string, sink)
+ for i := 0; i < sink; i++ {
+ result[i] = fmt.Sprintf("Item %d", i+1)
+ }
+
+ w.Header().Set("Content-Type", "application/json")
+ json.NewEncoder(w).Encode(result)
+}
From 7072ab936421beda2d2ac94ea72cc46457d3a65f Mon Sep 17 00:00:00 2001
From: Malayke
Date: Sun, 3 Mar 2024 18:09:33 +0800
Subject: [PATCH 2/8] Update go/ql/src/experimental/CWE-770/DenialOfServiceGood.go
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
---
 go/ql/src/experimental/CWE-770/DenialOfServiceGood.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/go/ql/src/experimental/CWE-770/DenialOfServiceGood.go b/go/ql/src/experimental/CWE-770/DenialOfServiceGood.go
index 2b833b3b6d99..761501064f6e 100644
--- a/go/ql/src/experimental/CWE-770/DenialOfServiceGood.go
+++ b/go/ql/src/experimental/CWE-770/DenialOfServiceGood.go
@@ -12,11 +12,11 @@ func OutOfMemoryGood(w http.ResponseWriter, r *http.Request) {
 MaxValue := 6
 queryStr := query.Get("n")
 collectionSize, err := strconv.Atoi(queryStr)
- if err != nil || collectionSize < 0 {
- http.Error(w, "Bad request", http.StatusBadRequest)
+ if err != nil {
+ http.Error(w, err.Error(), http.StatusBadRequest)
 return
 }
- if collectionSize > MaxValue {
+ if collectionSize < 0 || collectionSize > MaxValue {
 http.Error(w, "Bad request", http.StatusBadRequest)
 return
 }
From 72e6853792c034fac91f1e0859a9f1e76031604d Mon Sep 17 00:00:00 2001
From: Merdan Aziz
Date: Sun, 3 Mar 2024 20:36:43 +0800
Subject: [PATCH 3/8] address the review comments
---
 .../experimental/CWE-770/DenialOfService.ql | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/go/ql/src/experimental/CWE-770/DenialOfService.ql b/go/ql/src/experimental/CWE-770/DenialOfService.ql
index 95e4cb62bd7a..44cf9a2658b9 100644
--- a/go/ql/src/experimental/CWE-770/DenialOfService.ql
+++ b/go/ql/src/experimental/CWE-770/DenialOfService.ql
@@ -13,26 +13,21 @@ import go -class BuiltInMake extends DataFlow::Node { - BuiltInMake() { this = Builtin::make().getACall().getArgument(0) } -} /** - * Holds if `g` is a barrier-guard which checks `e` is nonzero on `branch`. + * Class for defining a predicate to check for denial of service sanitizer guard. */ predicate denialOfServiceSanitizerGuard(DataFlow::Node g, Expr e, boolean branch) { exists(DataFlow::Node lesser | e = lesser.asExpr() and - g.(DataFlow::RelationalComparisonNode).leq(branch, lesser, _, _) - ) - or - exists(LogicalBinaryExpr lbe, DataFlow::Node lesser | - lbe.getAnOperand() = g.(DataFlow::RelationalComparisonNode).asExpr() and - e = lesser.asExpr() and - g.(DataFlow::RelationalComparisonNode).leq(branch, lesser, _, _) + g.(DataFlow::RelationalComparisonNode).leq(branch, lesser, _, _) and + not e.isConst() ) } +/* + * Module for defining predicates and tracking taint flow related to denial of service issues. + */ module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource } @@ -48,7 +43,7 @@ module Config implements DataFlow::ConfigSig { node = DataFlow::BarrierGuard::getABarrierNode() } - predicate isSink(DataFlow::Node sink) { sink instanceof BuiltInMake } + predicate isSink(DataFlow::Node sink) { sink = Builtin::make().getACall().getArgument(0) } } /** From 910725939fd760cfa24ab5da73dcac4c192ea377 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> Date: Mon, 4 Mar 2024 13:06:23 +0000 Subject: [PATCH 4/8] Update QLDoc --- go/ql/src/experimental/CWE-770/DenialOfService.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go/ql/src/experimental/CWE-770/DenialOfService.ql b/go/ql/src/experimental/CWE-770/DenialOfService.ql index 44cf9a2658b9..520b2434c5af 100644 --- a/go/ql/src/experimental/CWE-770/DenialOfService.ql +++ b/go/ql/src/experimental/CWE-770/DenialOfService.ql 
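Review bot: `denialOfServiceSanitizerGuard` still treats any relational comparison with `e` on the lesser side as a barrier regardless of what the greater side is, so `if n <= m` with `m` read from the same request silences the alert; the new `not e.isConst()` conjunct constrains only the guarded expression, not the bound. If that is an accepted trade-off for an experimental query, the QLDoc should say so, e.g. ` * The bound on the greater side is not required to be trusted: a comparison against another user-controlled value also counts as a barrier.` Otherwise the bound could be restricted, for instance to constants or to values a separate flow configuration shows are not request-derived; restricting to `isConst()` alone would break the fixtures, which bound against a local `MaxValue := 6`. The predicate is fully inside the hunk.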
@@ -15,7 +15,7 @@ import go /** - * Class for defining a predicate to check for denial of service sanitizer guard. + * Holds if the guard `g` on its branch `branch` checks that `e` is not constant and is less than some other value. */ predicate denialOfServiceSanitizerGuard(DataFlow::Node g, Expr e, boolean branch) { exists(DataFlow::Node lesser | From 0bf0c069c68e9999179492add8f93f040ac01eae Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> Date: Mon, 4 Mar 2024 13:39:44 +0000 Subject: [PATCH 5/8] Fix formatting --- go/ql/src/experimental/CWE-770/DenialOfService.ql | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/go/ql/src/experimental/CWE-770/DenialOfService.ql b/go/ql/src/experimental/CWE-770/DenialOfService.ql index 520b2434c5af..f1c2fcea0ac9 100644 --- a/go/ql/src/experimental/CWE-770/DenialOfService.ql +++ b/go/ql/src/experimental/CWE-770/DenialOfService.ql @@ -13,7 +13,6 @@ import go - /** * Holds if the guard `g` on its branch `branch` checks that `e` is not constant and is less than some other value. */ @@ -25,7 +24,7 @@ predicate denialOfServiceSanitizerGuard(DataFlow::Node g, Expr e, boolean branch ) } -/* +/** * Module for defining predicates and tracking taint flow related to denial of service issues. */ module Config implements DataFlow::ConfigSig { From 39a802fb98332458107c894cbc3859ed17ae5f81 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> Date: Mon, 4 Mar 2024 13:45:54 +0000 Subject: [PATCH 6/8] Add new columns to test expectations --- .../experimental/CWE-770/DenialOfService.expected | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/go/ql/test/experimental/CWE-770/DenialOfService.expected b/go/ql/test/experimental/CWE-770/DenialOfService.expected index 2e54b95447d3..667bbda5c35d 100644 --- a/go/ql/test/experimental/CWE-770/DenialOfService.expected +++ b/go/ql/test/experimental/CWE-770/DenialOfService.expected 
@@ -1,10 +1,10 @@ edges -| DenialOfServiceBad.go:11:12:11:16 | selection of URL | DenialOfServiceBad.go:11:12:11:24 | call to Query | -| DenialOfServiceBad.go:11:12:11:24 | call to Query | DenialOfServiceBad.go:13:15:13:20 | source | -| DenialOfServiceBad.go:13:15:13:20 | source | DenialOfServiceBad.go:13:15:13:29 | call to Get | -| DenialOfServiceBad.go:13:15:13:29 | call to Get | DenialOfServiceBad.go:14:28:14:36 | sourceStr | -| DenialOfServiceBad.go:14:2:14:37 | ... := ...[0] | DenialOfServiceBad.go:20:27:20:30 | sink | -| DenialOfServiceBad.go:14:28:14:36 | sourceStr | DenialOfServiceBad.go:14:2:14:37 | ... := ...[0] | +| DenialOfServiceBad.go:11:12:11:16 | selection of URL | DenialOfServiceBad.go:11:12:11:24 | call to Query | provenance | | +| DenialOfServiceBad.go:11:12:11:24 | call to Query | DenialOfServiceBad.go:13:15:13:20 | source | provenance | | +| DenialOfServiceBad.go:13:15:13:20 | source | DenialOfServiceBad.go:13:15:13:29 | call to Get | provenance | | +| DenialOfServiceBad.go:13:15:13:29 | call to Get | DenialOfServiceBad.go:14:28:14:36 | sourceStr | provenance | | +| DenialOfServiceBad.go:14:2:14:37 | ... := ...[0] | DenialOfServiceBad.go:20:27:20:30 | sink | provenance | | +| DenialOfServiceBad.go:14:28:14:36 | sourceStr | DenialOfServiceBad.go:14:2:14:37 | ... := ...[0] | provenance | nodes | DenialOfServiceBad.go:11:12:11:16 | selection of URL | semmle.label | selection of URL | | DenialOfServiceBad.go:11:12:11:24 | call to Query | semmle.label | call to Query | From c0974934bc7e834c7082da1ae9f03f5ab069d6a9 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> Date: Mon, 4 Mar 2024 14:05:04 +0000 Subject: [PATCH 7/8] Fix test expectations again --- go/ql/test/experimental/CWE-770/DenialOfService.expected | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/go/ql/test/experimental/CWE-770/DenialOfService.expected b/go/ql/test/experimental/CWE-770/DenialOfService.expected index 667bbda5c35d..4a2ae9d6646c 100644 --- a/go/ql/test/experimental/CWE-770/DenialOfService.expected +++ b/go/ql/test/experimental/CWE-770/DenialOfService.expected @@ -4,7 +4,7 @@ edges | DenialOfServiceBad.go:13:15:13:20 | source | DenialOfServiceBad.go:13:15:13:29 | call to Get | provenance | | | DenialOfServiceBad.go:13:15:13:29 | call to Get | DenialOfServiceBad.go:14:28:14:36 | sourceStr | provenance | | | DenialOfServiceBad.go:14:2:14:37 | ... := ...[0] | DenialOfServiceBad.go:20:27:20:30 | sink | provenance | | -| DenialOfServiceBad.go:14:28:14:36 | sourceStr | DenialOfServiceBad.go:14:2:14:37 | ... := ...[0] | provenance | +| DenialOfServiceBad.go:14:28:14:36 | sourceStr | DenialOfServiceBad.go:14:2:14:37 | ... := ...[0] | provenance | | nodes | DenialOfServiceBad.go:11:12:11:16 | selection of URL | semmle.label | selection of URL | | DenialOfServiceBad.go:11:12:11:24 | call to Query | semmle.label | call to Query | From 02bab4c15a643be32dec6208a5793376fbd0e4f8 Mon Sep 17 00:00:00 2001 From: Malayke Date: Wed, 6 Mar 2024 17:57:20 +0800 Subject: [PATCH 8/8] Update go/ql/src/experimental/CWE-770/DenialOfService.ql Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> --- go/ql/src/experimental/CWE-770/DenialOfService.ql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/go/ql/src/experimental/CWE-770/DenialOfService.ql b/go/ql/src/experimental/CWE-770/DenialOfService.ql index f1c2fcea0ac9..199cd0df5520 100644 --- a/go/ql/src/experimental/CWE-770/DenialOfService.ql +++ b/go/ql/src/experimental/CWE-770/DenialOfService.ql 
@@ -3,8 +3,9 @@ * @description slices created with the built-in make function from user-controlled sources using a * maliciously large value possibly leading to a denial of service. * @kind path-problem - * @problem.severity high + * @problem.severity error * @security-severity 9 + * @precision high * @id go/denial-of-service * @tags security * experimental
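Review bot: `@security-severity 9` is kept alongside the new `@precision high`, but the impact of this query is availability only; comparable CWE-770/CWE-400 CodeQL queries carry 7.5 (CVSS 3.1 with A:H and no confidentiality or integrity impact), so `* @security-severity 7.5` would be consistent with the rest of the suite. `@precision high` is also a strong claim for a query whose barrier accepts any upper-bound comparison and whose single positive test is the unguarded handler; `medium` is the usual starting point for a new experimental query until it has been run against real projects. Consider adding `* external/cwe/cwe-400` to the tags as well, since uncontrolled resource consumption is how the alert manifests.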