Description
CVE
The final version of this query has not been tested against all lgtm projects.
However, a run of a draft version of the query against all lgtm databases found two alerts, both of them valid. I haven't reported them yet. Hence, I am not listing them here.
Report
Using untrusted input to construct an email can cause multiple security
vulnerabilities. For instance, inclusion of an untrusted input in an email body
may allow an attacker to conduct Cross Site Scripting (XSS) attacks, while
inclusion of an HTTP header may allow a full account compromise as shown in the
example below.
```go
// Vulnerable pattern from the report: the origin of the reset link is taken
// from the request's Host header, so the secret token is sent wherever a
// poisoned Host value points.
func mail(w http.ResponseWriter, r *http.Request) {
	host := r.Header.Get("Host")
	token := backend.getUserSecretResetToken(email)
	body := "Click to reset password: " + host + "/" + token
	smtp.SendMail("test.test", nil, "from@from.com", nil, []byte(body))
}
```

This query detects instances where untrusted content is written to an email. It models Go's net/smtp library as well as the SendGrid library (581 stars).
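The following is an added example, not code from the issue or from the codeql-go project, showing the reported pattern beside a hardened form. It assumes a hypothetical configured origin `appOrigin` and the function names `VulnerableResetBody` and `SafeResetBody`; Go's HTTP server exposes the request's Host header as `r.Host`, which is what the vulnerable function reads.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/url"
)

// appOrigin is a hypothetical configured origin for the application. It must
// come from deployment configuration, never from anything in the request.
const appOrigin = "https://example.test"

// VulnerableResetBody reproduces the pattern from the report: the link's origin
// is copied from the request's Host header (Go's server exposes it as r.Host),
// so a request carrying a poisoned Host makes the server mail the secret reset
// token to whatever host the sender chose.
func VulnerableResetBody(r *http.Request, token string) string {
	host := r.Host
	return "Click to reset password: " + host + "/" + token
}

// SafeResetBody does not consult the request at all. The link is built from the
// configured origin with a URL-escaped token, and the user-supplied display
// name is HTML-escaped before it is placed in an HTML email body, which removes
// both the host-poisoning and the XSS path the report describes.
func SafeResetBody(displayName, token string) string {
	link := appOrigin + "/reset?token=" + url.QueryEscape(token)
	return fmt.Sprintf("<p>Hello %s,</p><p><a href=%q>Click to reset password</a></p>",
		html.EscapeString(displayName), link)
}

func main() {
	// Constructed request carrying an attacker-chosen Host value.
	r := &http.Request{Host: "attacker.example"}
	fmt.Println(VulnerableResetBody(r, "s3cr3t-token"))
	fmt.Println(SafeResetBody("<b>Mallory</b>", "s3cr3t-token"))
}
```

The detection the query performs corresponds to the first function: a value that flows from the request into the bytes handed to `smtp.SendMail` (or a SendGrid message). The second function is what a fix looks like from the query's point of view: no request-derived value reaches the email body, and what does reach it has been escaped for the context it lands in.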
I also include library tests, query tests and qhelp files along with well documented code.
Link to the now merged PR: github/codeql-go#108