github
diff --git a/‎change-notes/1.24/analysis-go.md
+1 b/‎change-notes/1.24/analysis-go.md
+1
diff --git a/‎ql/src/experimental/Security/CWE-643/XPathInjection.go renamed to ‎ql/src/Security/CWE-643/XPathInjection.go
+2-4 b/‎ql/src/experimental/Security/CWE-643/XPathInjection.go renamed to ‎ql/src/Security/CWE-643/XPathInjection.go
+2-4
diff --git a/‎ql/src/experimental/Security/CWE-643/XPathInjection.qhelp renamed to ‎ql/src/Security/CWE-643/XPathInjection.qhelp
+3-3 b/‎ql/src/experimental/Security/CWE-643/XPathInjection.qhelp renamed to ‎ql/src/Security/CWE-643/XPathInjection.qhelp
+3-3
diff --git a/‎ql/src/Security/CWE-643/XPathInjection.ql
+27 b/‎ql/src/Security/CWE-643/XPathInjection.ql
+27
diff --git a/‎ql/src/experimental/Security/CWE-643/XPathInjection.ql
-188 b/‎ql/src/experimental/Security/CWE-643/XPathInjection.ql
-188
diff --git a/‎ql/src/go.qll
+1 b/‎ql/src/go.qll
+1
diff --git a/‎ql/src/semmle/go/Types.qll
+5 b/‎ql/src/semmle/go/Types.qll
+5
@@ -19,6 +19,7 @@ The CodeQL library for Go now contains a folder of simple "cookbook" queries tha
 | Incomplete URL scheme check (`go/incomplete-url-scheme-check`) | correctness, security, external/cwe/cwe-020 | Highlights checks for `javascript` URLs that do not take `data` or `vbscript` URLs into account. Results are shown on LGTM by default. |
 | Potentially unsafe quoting (`go/unsafe-quoting`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-089, external/cwe/cwe-094 | Highlights code that constructs a quoted string literal containing data that may itself contain quotes. Results are shown on LGTM by default. |
 | Size computation for allocation may overflow (`go/allocation-size-overflow`) | correctness, security, external/cwe/cwe-190 | Highlights code that computes the size of an allocation based on the size of a potentially large object. Results are shown on LGTM by default. |
+| XPath injection (`go/xml/xpath-injection`) | security, external/cwe/cwe-643 | Highlights code that uses remote input in an XPath expression. Results are shown on LGTM by default. |
 
 ## Changes to existing queries
 
 
@@ -13,20 +13,18 @@ func main() {}
 func processRequest(r *http.Request, doc tree.Node) {
 	r.ParseForm()
 	username := r.Form.Get("username")
-	password := r.Form.Get("password")
 
 	// BAD: User input used directly in an XPath expression
-	xPath := goxpath.MustParse("//users/user[login/text()='" + username + "' and password/text() = '" + password + "']/home_dir/text()")
+	xPath := goxpath.MustParse("//users/user[login/text()='" + username + "']/home_dir/text()")
 	unsafeRes, _ := xPath.ExecBool(doc)
 	fmt.Println(unsafeRes)
 
 	// GOOD: Value of parameters is defined here instead of directly in the query
 	opt := func(o *goxpath.Opts) {
 		o.Vars["username"] = tree.String(username)
-		o.Vars["password"] = tree.String(password)
 	}
 	// GOOD: Uses parameters to avoid including user input directly in XPath expression
-	xPath = goxpath.MustParse("//users/user[login/text()=$username and password/text() = $password]/home_dir/text()")
+	xPath = goxpath.MustParse("//users/user[login/text()=$username]/home_dir/text()")
 	safeRes, _ := xPath.ExecBool(doc, opt)
 	fmt.Println(safeRes)
 }
@@ -15,16 +15,16 @@ If user input must be included in an XPath expression, pre-compile the query and
 references to include the user input.
 </p>
 <p>
-For example, when using the <code>github.com/ChrisTrenkamp/goxpath</code> API, this can be done by creating a function that takes an <code>*goxpath.Opts</code> structure.
+For example, when using the <code>github.com/ChrisTrenkamp/goxpath</code> API, you can do this by creating a function that takes an <code>*goxpath.Opts</code> structure.
 In this structure you can then set the values of the variable references.
-This function can then be specified when calling <code>Exec()</code>, <code>Exec{Bool|Num|Node}()</code>, <code>ParseExec()</code> or <code>MustExec()</code>.
+This function can then be specified when calling <code>Exec()</code>, <code>Exec{Bool|Num|Node}()</code>, <code>ParseExec()</code>, or <code>MustExec()</code>.
 </p>
 
 </recommendation>
 
 <example>
 <p>
-In the first example, the code accepts a user name specified by the user, and uses this
+In the first example, the code accepts a username specified by the user, and uses this
 unvalidated and unsanitized value in an XPath expression. This is vulnerable to the user providing
 special characters or string sequences that change the meaning of the XPath expression to search
 for different values.
 
@@ -0,0 +1,27 @@
+/**
+ * @name XPath injection
+ * @description Building an XPath expression from user-controlled sources is vulnerable to insertion of
+ *              malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id go/xml/xpath-injection
+ * @tags security
+ *       external/cwe/cwe-643
+ */
+
+import go
+import semmle.go.security.XPathInjection::XPathInjection
+import DataFlow::PathGraph
+
+/** Holds if `node` is either a string or a byte slice */
+predicate isStringOrByte(DataFlow::PathNode node) {
+  exists(Type t | t = node.getNode().getType().getUnderlyingType() |
+    t instanceof StringType or t instanceof ByteSliceType
+  )
+}
+
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink) and isStringOrByte(sink)
+select sink.getNode(), source, sink, "$@ flows here and is used in an XPath expression.",
+  source.getNode(), "A user-provided value"
@@ -26,6 +26,7 @@ import semmle.go.dataflow.SSA
 import semmle.go.frameworks.HTTP
 import semmle.go.frameworks.SystemCommandExecutors
 import semmle.go.frameworks.SQL
+import semmle.go.frameworks.XPath
 import semmle.go.frameworks.Stdlib
 import semmle.go.security.FlowSources
 import semmle.go.Util
@@ -328,6 +328,11 @@ class SliceType extends @slicetype, CompositeType {
   override string toString() { result = "slice type" }
 }
 
+/** A byte slice type */
+class ByteSliceType extends SliceType {
+  ByteSliceType() { this.getElementType() instanceof Uint8Type }
+}
+
 /** A struct type. */
 class StructType extends @structtype, CompositeType {
   /**