Go: Add Rs Cors Support

[Kwstubbs]

Add RsCors support to CodeQL CorsMisconfiguration.ql

[owen-mc]

Suggested change

	/**
	* Provides abstract class for modeling the Go CORS handler model origin write.
	*/
	/**
	* A Go CORS handler model origin write.
	*/

[owen-mc]

The abstract classes should not be in RsCors.qll. I'd either put them in go/ql/lib/semmle/go/Concepts.qll or in a new file in go/ql/lib/semmle/go/concepts/ which you then import in go/ql/lib/semmle/go/Concepts.qll.

[owen-mc]

Suggested change

	/**
	* Provides abstract class for modeling the Go CORS handler model origin write.
	*/
	/**
	* A Go CORS handler model origin write.
	*/

[owen-mc]

Actually, since these abstract classes are only used by this one query, they shouldn't go in concepts (which is more meant for abstract classes that are used by multiple queries, I think). And I also didn't notice that this query is still in experimental. That makes it difficult to know where to put them. Maybe where they are is good enough for now. Do you think the query should be promoted?

[owen-mc]

This isn't actually correct: if v is a.b.c then this is the Variable a and the thing that has type Options is a.b.c. I didn't notice this when you originally modeled GinCors. Can I ask why you are doing it this way? Is there a particular case where just using Variable or just using SsaWithFields doesn't work?

[owen-mc]

Looking at it more carefully, I see that, because of the way that they are modeled, RsOptions and GinConfig are confined to be local variables defined in functions. Is that what you intended? Might you ever want to reason about one that is defined at package scope?