net/url package. Parse() returns a *url.URL from a string — source of taint when parsing user-supplied URLs. Used in SSRF detection for URL validation.
| Method | Role | Signature | Description |
|---|---|---|---|
| `.Parse()` | Sanitizer | `Parse(rawURL string) (*URL, error)` | Parses raw URL. Sanitizer when result host is validated against allowlist. |
| `.PathEscape()` | Sanitizer | `PathEscape(s string) string` | Escapes string for use in URL path segment. Sanitizes path injection. |
| `.QueryEscape()` | Sanitizer | `QueryEscape(s string) string` | Escapes string for use in URL query. Sanitizes injection via encoding. |
| `.QueryUnescape()` | Neutral | `QueryUnescape(s string) (string, error)` | Decodes percent-encoded string. Returns decoded tainted data. |

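
The allowlist check that makes `Parse()` count as a sanitizer, shown as an added example (not from the original page or the codepathfinder project). `ValidateOutbound`, `allowedHosts` and all hostnames are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allowlist for this example.
var allowedHosts = map[string]bool{"api.example.com": true}

// ValidateOutbound parses a user-supplied URL and returns it only if the
// scheme is https, no userinfo is present, and the parsed host is an exact
// allowlist match. Only the returned *url.URL should reach an HTTP client.
func ValidateOutbound(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	if u.Scheme != "https" {
		return nil, errors.New("scheme not allowed")
	}
	if u.User != nil {
		return nil, errors.New("userinfo not allowed")
	}
	// Hostname() strips the port and IPv6 brackets; compare exactly, never by
	// prefix or substring on the raw string.
	host := strings.ToLower(u.Hostname())
	if !allowedHosts[host] {
		return nil, fmt.Errorf("host %q not in allowlist", host)
	}
	return u, nil
}

func main() {
	// Constructed inputs: one valid URL and three that must be rejected.
	for _, raw := range []string{
		"https://api.example.com/v1/items",
		"https://api.example.com@internal.test/",
		"https://api.example.com.internal.test/",
		"http://api.example.com/",
	} {
		_, err := ValidateOutbound(raw)
		fmt.Printf("%-42s allowed=%v\n", raw, err == nil)
	}
}
```

The check runs on the parsed `Hostname()`, so a raw string that merely starts with or contains an allowed name is still rejected. This example does not restrict the port; add that check if the destination port matters.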
| FQN | Field |
|---|---|
| net/url | fqns[0] |
Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.
// standard library — no go.mod entry required
from codepathfinder.go_rule import GoNetURL