Go: Mark WebSocket reads as untrusted

CVE

This query has not been tested against all lgtm projects yet. So, there is no CVE found using this PR.

Report

This PR marks data read from a websocket connection as a source of untrusted input. It models the following golang packages.

1. gorilla websocket (11.7k stars)
2. golang/x/net/websocket (2.1k stars)
3. gobwas websocket (3.1k stars)
4. nhooyr.io websocket (1.3k stars)

Apart from these, the initial version of this PR also modelled the write functions. However, since there were concerns with the false positives which may have increased due to them, the writes were removed leaving only the reads.

This PR includes library as well as query tests, the qhelp file along with well documented code.

Link to the PR:[github/codeql-go#109]

[xcorail]

Hi @porcupineyhairs ,

Thanks for the submission! We have reviewed your report and validated your findings. After internally assessing the findings and the query we have determined this query is not eligible for a reward under the Bug Bounty program, as it doesn't by itself detect bugs, but supports other such queries. As stated in our official rules,

Queries must meet at least the requirements for experimental queries, including at least one useful result on some revision of a real project.

This improvement to the taint tracking library is however very useful, including for the rest of the community, and we'll make sure to take this submission into account when we score your other submissions that depend on this one.

Best regards and happy hacking!