diff --git a/go/ql/lib/ext/mime.multipart.model.yml b/go/ql/lib/ext/mime.multipart.model.yml
index 134481dfce33..e2fe083ee82e 100644
--- a/go/ql/lib/ext/mime.multipart.model.yml
+++ b/go/ql/lib/ext/mime.multipart.model.yml
@@ -16,6 +16,14 @@ extensions:
       # this specific case where the output is going to be used as a filename
       # rather than a directory name, it is adequate.
       - ["mime/multipart", "Part", False, "FileName", "", "", "ReturnValue", "path-injection", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["mime/multipart", "FileHeader", True, "Open", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["mime/multipart", "FileHeader", True, "Filename", "", "", "", "remote", "manual"]
+      - ["mime/multipart", "FileHeader", True, "Header", "", "", "", "remote", "manual"]
+      - ["mime/multipart", "Form", True, "Value", "", "", "", "remote", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel
diff --git a/go/ql/src/experimental/frameworks/DecompressionBombs.qll b/go/ql/src/experimental/frameworks/DecompressionBombs.qll
index 170104ebd43b..2397e9633bd6 100644
--- a/go/ql/src/experimental/frameworks/DecompressionBombs.qll
+++ b/go/ql/src/experimental/frameworks/DecompressionBombs.qll
@@ -4,23 +4,6 @@
 import go
 
-class MimeMultipartFileHeader extends RemoteFlowSource::Range {
-  MimeMultipartFileHeader() {
-    exists(DataFlow::FieldReadNode frn | this = frn |
-      frn.getField().hasQualifiedName("mime/multipart", "FileHeader", ["Filename", "Header"])
-    )
-    or
-    exists(DataFlow::Method m |
-      m.hasQualifiedName("mime/multipart", "FileHeader", "Open") and
-      this = m.getACall().getResult(0)
-    )
-    or
-    exists(DataFlow::FieldReadNode frn |
-      frn.getField().hasQualifiedName("mime/multipart", "Form", "Value")
-    )
-  }
-}
-
 /** Provides a taint tracking configuration for reasoning about decompression bomb vulnerabilities. */
 module DecompressionBomb {
   import experimental.frameworks.DecompressionBombsCustomizations
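Review bot: The four new `sourceModel` rows make every read of `FileHeader.Filename`, `FileHeader.Header`, `Form.Value` and every `FileHeader.Open` result a remote source regardless of where the `FileHeader`/`Form` value came from, whereas the class this replaces was equally context-insensitive but lived in an experimental query; promoting it to `codeql/go-all` applies that trade-off to every query that uses remote sources. The Beego expectation diff in this same change shows the consequence: each `selection of Filename` is now reported a second time with itself as the source, and one previously unreported location (test.go:287) becomes an alert. If this is intended, the block would benefit from a short comment so the next reader does not re-derive it, e.g. `# These field reads are treated as remote wherever they occur; in practice a FileHeader/Form is only populated by multipart parsing of a request body, but a locally constructed one will be flagged too.` The enclosing `extensions:` list starts above this hunk.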
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Beego/ReflectedXss.expected b/go/ql/test/library-tests/semmle/go/frameworks/Beego/ReflectedXss.expected
index be8ae2ec2fa4..f7c2d679d77d 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Beego/ReflectedXss.expected
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Beego/ReflectedXss.expected
@@ -25,8 +25,10 @@ | test.go:205:14:205:59 | type conversion | test.go:199:15:199:26 | call to Data | test.go:205:14:205:59 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:199:15:199:26 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:209:14:209:28 | type conversion | test.go:208:18:208:33 | selection of Form | test.go:209:14:209:28 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:208:18:208:33 | selection of Form | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:224:14:224:32 | type conversion | test.go:223:2:223:34 | ... := ...[1] | test.go:224:14:224:32 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:223:2:223:34 | ... := ...[1] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:224:14:224:32 | type conversion | test.go:224:21:224:31 | selection of Filename | test.go:224:14:224:32 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:224:21:224:31 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:226:14:226:20 | content | test.go:223:2:223:34 | ... := ...[0] | test.go:226:14:226:20 | content | Cross-site scripting vulnerability due to $@. | test.go:223:2:223:34 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:229:14:229:38 | type conversion | test.go:228:2:228:40 | ... := ...[0] | test.go:229:14:229:38 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:228:2:228:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:229:14:229:38 | type conversion | test.go:229:21:229:37 | selection of Filename | test.go:229:14:229:38 | type conversion | Cross-site scripting vulnerability due to $@. 
| test.go:229:21:229:37 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:232:14:232:22 | type conversion | test.go:231:7:231:28 | call to GetString | test.go:232:14:232:22 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:231:7:231:28 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:235:14:235:26 | type conversion | test.go:234:8:234:35 | call to GetStrings | test.go:235:14:235:26 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:234:8:234:35 | call to GetStrings | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:238:14:238:27 | type conversion | test.go:237:9:237:17 | call to Input | test.go:238:14:238:27 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:237:9:237:17 | call to Input | user-provided value | test.go:0:0:0:0 | test.go | | 
@@ -37,19 +39,34 @@ | test.go:265:15:265:41 | call to GetCookie | test.go:265:15:265:41 | call to GetCookie | test.go:265:15:265:41 | call to GetCookie | Cross-site scripting vulnerability due to $@. | test.go:265:15:265:41 | call to GetCookie | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:270:55:270:84 | type conversion | test.go:270:62:270:83 | call to GetCookie | test.go:270:55:270:84 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:270:62:270:83 | call to GetCookie | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:283:21:283:61 | call to GetDisplayString | test.go:275:2:275:40 | ... := ...[0] | test.go:283:21:283:61 | call to GetDisplayString | Cross-site scripting vulnerability due to $@. | test.go:275:2:275:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:283:21:283:61 | call to GetDisplayString | test.go:283:44:283:60 | selection of Filename | test.go:283:21:283:61 | call to GetDisplayString | Cross-site scripting vulnerability due to $@. | test.go:283:44:283:60 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:284:21:284:92 | selection of Filename | test.go:275:2:275:40 | ... := ...[0] | test.go:284:21:284:92 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:275:2:275:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:284:21:284:92 | selection of Filename | test.go:284:21:284:92 | selection of Filename | test.go:284:21:284:92 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:284:21:284:92 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:285:21:285:96 | selection of Filename | test.go:275:2:275:40 | ... := ...[0] | test.go:285:21:285:96 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:275:2:275:40 | ... 
:= ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:285:21:285:96 | selection of Filename | test.go:285:21:285:96 | selection of Filename | test.go:285:21:285:96 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:285:21:285:96 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:287:21:287:96 | selection of Filename | test.go:287:21:287:96 | selection of Filename | test.go:287:21:287:96 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:287:21:287:96 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:290:3:292:80 | selection of Filename | test.go:275:2:275:40 | ... := ...[0] | test.go:290:3:292:80 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:275:2:275:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:290:3:292:80 | selection of Filename | test.go:290:3:292:80 | selection of Filename | test.go:290:3:292:80 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:290:3:292:80 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:293:21:293:101 | selection of Filename | test.go:275:2:275:40 | ... := ...[0] | test.go:293:21:293:101 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:275:2:275:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:293:21:293:101 | selection of Filename | test.go:293:21:293:101 | selection of Filename | test.go:293:21:293:101 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:293:21:293:101 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:294:21:294:101 | selection of Filename | test.go:275:2:275:40 | ... := ...[0] | test.go:294:21:294:101 | selection of Filename | Cross-site scripting vulnerability due to $@. 
| test.go:275:2:275:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:294:21:294:101 | selection of Filename | test.go:294:21:294:101 | selection of Filename | test.go:294:21:294:101 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:294:21:294:101 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:295:21:295:97 | selection of Filename | test.go:275:2:275:40 | ... := ...[0] | test.go:295:21:295:97 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:275:2:275:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:295:21:295:97 | selection of Filename | test.go:295:21:295:97 | selection of Filename | test.go:295:21:295:97 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:295:21:295:97 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:296:21:296:97 | selection of Filename | test.go:275:2:275:40 | ... := ...[0] | test.go:296:21:296:97 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:275:2:275:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:296:21:296:97 | selection of Filename | test.go:296:21:296:97 | selection of Filename | test.go:296:21:296:97 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:296:21:296:97 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:297:21:297:102 | selection of Filename | test.go:275:2:275:40 | ... := ...[0] | test.go:297:21:297:102 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:275:2:275:40 | ... 
:= ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:297:21:297:102 | selection of Filename | test.go:297:21:297:102 | selection of Filename | test.go:297:21:297:102 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:297:21:297:102 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:298:21:298:102 | selection of Filename | test.go:275:2:275:40 | ... := ...[0] | test.go:298:21:298:102 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:275:2:275:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:298:21:298:102 | selection of Filename | test.go:298:21:298:102 | selection of Filename | test.go:298:21:298:102 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:298:21:298:102 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:299:21:299:82 | selection of Filename | test.go:275:2:275:40 | ... := ...[0] | test.go:299:21:299:82 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:275:2:275:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:299:21:299:82 | selection of Filename | test.go:299:21:299:82 | selection of Filename | test.go:299:21:299:82 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:299:21:299:82 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:301:21:301:133 | selection of Filename | test.go:275:2:275:40 | ... := ...[0] | test.go:301:21:301:133 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:275:2:275:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:301:21:301:133 | selection of Filename | test.go:301:21:301:133 | selection of Filename | test.go:301:21:301:133 | selection of Filename | Cross-site scripting vulnerability due to $@. 
| test.go:301:21:301:133 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:302:21:302:88 | selection of Filename | test.go:275:2:275:40 | ... := ...[0] | test.go:302:21:302:88 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:275:2:275:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:302:21:302:88 | selection of Filename | test.go:302:21:302:88 | selection of Filename | test.go:302:21:302:88 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:302:21:302:88 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:303:21:303:87 | selection of Filename | test.go:275:2:275:40 | ... := ...[0] | test.go:303:21:303:87 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:275:2:275:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | +| test.go:303:21:303:87 | selection of Filename | test.go:303:21:303:87 | selection of Filename | test.go:303:21:303:87 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:303:21:303:87 | selection of Filename | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:311:21:311:48 | type assertion | test.go:309:15:309:36 | call to GetString | test.go:311:21:311:48 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:309:15:309:36 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:312:21:312:52 | type assertion | test.go:309:15:309:36 | call to GetString | test.go:312:21:312:52 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:309:15:309:36 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | | edges 
@@ -78,22 +95,24 @@ edges | test.go:199:15:199:26 | call to Data | test.go:204:36:204:53 | type assertion | provenance | Src:MaD:3 | | test.go:199:15:199:26 | call to Data | test.go:205:34:205:51 | type assertion | provenance | Src:MaD:3 | | test.go:200:21:200:54 | call to HTML2str | test.go:200:14:200:55 | type conversion | provenance | | -| test.go:200:36:200:53 | type assertion | test.go:200:21:200:54 | call to HTML2str | provenance | MaD:35 | +| test.go:200:36:200:53 | type assertion | test.go:200:21:200:54 | call to HTML2str | provenance | MaD:36 | | test.go:201:21:201:57 | call to Htmlunquote | test.go:201:14:201:58 | type conversion | provenance | | -| test.go:201:39:201:56 | type assertion | test.go:201:21:201:57 | call to Htmlunquote | provenance | MaD:36 | +| test.go:201:39:201:56 | type assertion | test.go:201:21:201:57 | call to Htmlunquote | provenance | MaD:37 | | test.go:202:2:202:68 | ... := ...[0] | test.go:203:14:203:28 | type assertion | provenance | | -| test.go:202:28:202:56 | type assertion | test.go:202:2:202:68 | ... := ...[0] | provenance | MaD:37 | +| test.go:202:28:202:56 | type assertion | test.go:202:2:202:68 | ... 
:= ...[0] | provenance | MaD:38 | | test.go:204:21:204:54 | call to Str2html | test.go:204:14:204:55 | type conversion | provenance | | -| test.go:204:36:204:53 | type assertion | test.go:204:21:204:54 | call to Str2html | provenance | MaD:39 | +| test.go:204:36:204:53 | type assertion | test.go:204:21:204:54 | call to Str2html | provenance | MaD:40 | | test.go:205:21:205:58 | call to Substr | test.go:205:14:205:59 | type conversion | provenance | | -| test.go:205:34:205:51 | type assertion | test.go:205:21:205:58 | call to Substr | provenance | MaD:40 | -| test.go:208:18:208:33 | selection of Form | test.go:208:36:208:36 | s [postupdate] | provenance | Src:MaD:21 MaD:38 | +| test.go:205:34:205:51 | type assertion | test.go:205:21:205:58 | call to Substr | provenance | MaD:41 | +| test.go:208:18:208:33 | selection of Form | test.go:208:36:208:36 | s [postupdate] | provenance | Src:MaD:22 MaD:39 | | test.go:208:36:208:36 | s [postupdate] | test.go:209:14:209:28 | type conversion | provenance | | | test.go:223:2:223:34 | ... := ...[0] | test.go:225:31:225:31 | f | provenance | Src:MaD:15 | | test.go:223:2:223:34 | ... := ...[1] | test.go:224:14:224:32 | type conversion | provenance | Src:MaD:15 | +| test.go:224:21:224:31 | selection of Filename | test.go:224:14:224:32 | type conversion | provenance | Src:MaD:21 | | test.go:225:2:225:32 | ... := ...[0] | test.go:226:14:226:20 | content | provenance | | -| test.go:225:31:225:31 | f | test.go:225:2:225:32 | ... := ...[0] | provenance | MaD:41 | +| test.go:225:31:225:31 | f | test.go:225:2:225:32 | ... := ...[0] | provenance | MaD:42 | | test.go:228:2:228:40 | ... 
:= ...[0] | test.go:229:14:229:38 | type conversion | provenance | Src:MaD:16 | +| test.go:229:21:229:37 | selection of Filename | test.go:229:14:229:38 | type conversion | provenance | Src:MaD:21 | | test.go:231:7:231:28 | call to GetString | test.go:232:14:232:22 | type conversion | provenance | Src:MaD:17 | | test.go:234:8:234:35 | call to GetStrings | test.go:235:14:235:26 | type conversion | provenance | Src:MaD:18 | | test.go:237:9:237:17 | call to Input | test.go:238:14:238:27 | type conversion | provenance | Src:MaD:19 | 
@@ -118,41 +137,41 @@ edges | test.go:275:2:275:40 | ... := ...[0] | test.go:303:39:303:50 | genericFiles | provenance | Src:MaD:16 | | test.go:278:3:278:14 | genericFiles [postupdate] [array] | test.go:297:51:297:62 | genericFiles [array] | provenance | | | test.go:278:21:278:28 | index expression | test.go:278:3:278:14 | genericFiles [postupdate] [array] | provenance | | -| test.go:283:44:283:60 | selection of Filename | test.go:283:21:283:61 | call to GetDisplayString | provenance | FunctionModel | +| test.go:283:44:283:60 | selection of Filename | test.go:283:21:283:61 | call to GetDisplayString | provenance | Src:MaD:21 FunctionModel | | test.go:284:21:284:53 | call to SliceChunk | test.go:284:21:284:92 | selection of Filename | provenance | | -| test.go:284:38:284:49 | genericFiles | test.go:284:21:284:53 | call to SliceChunk | provenance | MaD:22 | +| test.go:284:38:284:49 | genericFiles | test.go:284:21:284:53 | call to SliceChunk | provenance | MaD:23 | | test.go:285:21:285:60 | call to SliceDiff | test.go:285:21:285:96 | selection of Filename | provenance | | -| test.go:285:37:285:48 | genericFiles | test.go:285:21:285:60 | call to SliceDiff | provenance | MaD:23 | +| test.go:285:37:285:48 | genericFiles | test.go:285:21:285:60 | call to SliceDiff | provenance | MaD:24 | | test.go:290:3:292:44 | call to SliceFilter | test.go:290:3:292:80 | selection of Filename | provenance | | -| test.go:291:4:291:15 | genericFiles | test.go:290:3:292:44 | call to SliceFilter | provenance | MaD:24 | +| test.go:291:4:291:15 | genericFiles | test.go:290:3:292:44 | call to SliceFilter | provenance | MaD:25 | | test.go:293:21:293:65 | call to SliceIntersect | test.go:293:21:293:101 | selection of Filename | provenance | | -| test.go:293:42:293:53 | genericFiles | test.go:293:21:293:65 | call to SliceIntersect | provenance | MaD:25 | +| test.go:293:42:293:53 | genericFiles | test.go:293:21:293:65 | call to SliceIntersect | provenance | MaD:26 | | test.go:294:21:294:65 | call 
to SliceIntersect | test.go:294:21:294:101 | selection of Filename | provenance | | -| test.go:294:53:294:64 | genericFiles | test.go:294:21:294:65 | call to SliceIntersect | provenance | MaD:25 | +| test.go:294:53:294:64 | genericFiles | test.go:294:21:294:65 | call to SliceIntersect | provenance | MaD:26 | | test.go:295:21:295:61 | call to SliceMerge | test.go:295:21:295:97 | selection of Filename | provenance | | -| test.go:295:38:295:49 | genericFiles | test.go:295:21:295:61 | call to SliceMerge | provenance | MaD:26 | +| test.go:295:38:295:49 | genericFiles | test.go:295:21:295:61 | call to SliceMerge | provenance | MaD:27 | | test.go:296:21:296:61 | call to SliceMerge | test.go:296:21:296:97 | selection of Filename | provenance | | -| test.go:296:49:296:60 | genericFiles | test.go:296:21:296:61 | call to SliceMerge | provenance | MaD:26 | +| test.go:296:49:296:60 | genericFiles | test.go:296:21:296:61 | call to SliceMerge | provenance | MaD:27 | | test.go:297:21:297:66 | call to SlicePad | test.go:297:21:297:102 | selection of Filename | provenance | | | test.go:297:51:297:62 | genericFiles [array] | test.go:297:51:297:65 | index expression | provenance | | -| test.go:297:51:297:65 | index expression | test.go:297:21:297:66 | call to SlicePad | provenance | MaD:27 | +| test.go:297:51:297:65 | index expression | test.go:297:21:297:66 | call to SlicePad | provenance | MaD:28 | | test.go:298:21:298:66 | call to SlicePad | test.go:298:21:298:102 | selection of Filename | provenance | | -| test.go:298:36:298:47 | genericFiles | test.go:298:21:298:66 | call to SlicePad | provenance | MaD:27 | +| test.go:298:36:298:47 | genericFiles | test.go:298:21:298:66 | call to SlicePad | provenance | MaD:28 | | test.go:299:21:299:49 | call to SliceRand | test.go:299:21:299:82 | selection of Filename | provenance | | -| test.go:299:37:299:48 | genericFiles | test.go:299:21:299:49 | call to SliceRand | provenance | MaD:28 | +| test.go:299:37:299:48 | genericFiles | 
test.go:299:21:299:49 | call to SliceRand | provenance | MaD:29 | | test.go:301:21:301:97 | call to SliceReduce | test.go:301:21:301:133 | selection of Filename | provenance | | -| test.go:301:39:301:50 | genericFiles | test.go:301:21:301:97 | call to SliceReduce | provenance | MaD:29 | +| test.go:301:39:301:50 | genericFiles | test.go:301:21:301:97 | call to SliceReduce | provenance | MaD:30 | | test.go:302:21:302:52 | call to SliceShuffle | test.go:302:21:302:88 | selection of Filename | provenance | | -| test.go:302:40:302:51 | genericFiles | test.go:302:21:302:52 | call to SliceShuffle | provenance | MaD:30 | +| test.go:302:40:302:51 | genericFiles | test.go:302:21:302:52 | call to SliceShuffle | provenance | MaD:31 | | test.go:303:21:303:51 | call to SliceUnique | test.go:303:21:303:87 | selection of Filename | provenance | | -| test.go:303:39:303:50 | genericFiles | test.go:303:21:303:51 | call to SliceUnique | provenance | MaD:31 | +| test.go:303:39:303:50 | genericFiles | test.go:303:21:303:51 | call to SliceUnique | provenance | MaD:32 | | test.go:309:15:309:36 | call to GetString | test.go:310:22:310:30 | untrusted | provenance | Src:MaD:17 | | test.go:310:2:310:5 | bMap [postupdate] | test.go:311:21:311:24 | bMap | provenance | | | test.go:310:2:310:5 | bMap [postupdate] | test.go:312:21:312:24 | bMap | provenance | | -| test.go:310:22:310:30 | untrusted | test.go:310:2:310:5 | bMap [postupdate] | provenance | MaD:34 | -| test.go:311:21:311:24 | bMap | test.go:311:21:311:39 | call to Get | provenance | MaD:32 | +| test.go:310:22:310:30 | untrusted | test.go:310:2:310:5 | bMap [postupdate] | provenance | MaD:35 | +| test.go:311:21:311:24 | bMap | test.go:311:21:311:39 | call to Get | provenance | MaD:33 | | test.go:311:21:311:39 | call to Get | test.go:311:21:311:48 | type assertion | provenance | | -| test.go:312:21:312:24 | bMap | test.go:312:21:312:32 | call to Items | provenance | MaD:33 | +| test.go:312:21:312:24 | bMap | test.go:312:21:312:32 | call 
to Items | provenance | MaD:34 | | test.go:312:21:312:32 | call to Items | test.go:312:21:312:52 | type assertion | provenance | | models | 1 | Source: group:beego-context; BeegoInput; true; Bind; ; ; Argument[0]; remote; manual | 
@@ -175,27 +194,28 @@ models | 18 | Source: group:beego; Controller; true; GetStrings; ; ; ReturnValue[0]; remote; manual | | 19 | Source: group:beego; Controller; true; Input; ; ; ReturnValue[0]; remote; manual | | 20 | Source: group:beego; Controller; true; ParseForm; ; ; Argument[0]; remote; manual | -| 21 | Source: net/http; Request; true; Form; ; ; ; remote; manual | -| 22 | Summary: group:beego-utils; ; false; SliceChunk; ; ; Argument[0]; ReturnValue; taint; manual | -| 23 | Summary: group:beego-utils; ; false; SliceDiff; ; ; Argument[0]; ReturnValue; taint; manual | -| 24 | Summary: group:beego-utils; ; false; SliceFilter; ; ; Argument[0]; ReturnValue; taint; manual | -| 25 | Summary: group:beego-utils; ; false; SliceIntersect; ; ; Argument[0..1]; ReturnValue; taint; manual | -| 26 | Summary: group:beego-utils; ; false; SliceMerge; ; ; Argument[0..1]; ReturnValue; taint; manual | -| 27 | Summary: group:beego-utils; ; false; SlicePad; ; ; Argument[0..2]; ReturnValue; taint; manual | -| 28 | Summary: group:beego-utils; ; false; SliceRand; ; ; Argument[0]; ReturnValue; taint; manual | -| 29 | Summary: group:beego-utils; ; false; SliceReduce; ; ; Argument[0]; ReturnValue; taint; manual | -| 30 | Summary: group:beego-utils; ; false; SliceShuffle; ; ; Argument[0]; ReturnValue; taint; manual | -| 31 | Summary: group:beego-utils; ; false; SliceUnique; ; ; Argument[0]; ReturnValue; taint; manual | -| 32 | Summary: group:beego-utils; BeeMap; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual | -| 33 | Summary: group:beego-utils; BeeMap; true; Items; ; ; Argument[receiver]; ReturnValue; taint; manual | -| 34 | Summary: group:beego-utils; BeeMap; true; Set; ; ; Argument[1]; Argument[receiver]; taint; manual | -| 35 | Summary: group:beego; ; false; HTML2str; ; ; Argument[0]; ReturnValue; taint; manual | -| 36 | Summary: group:beego; ; false; Htmlunquote; ; ; Argument[0]; ReturnValue; taint; manual | -| 37 | Summary: group:beego; ; false; MapGet; ; ; 
Argument[0]; ReturnValue[0]; taint; manual | -| 38 | Summary: group:beego; ; false; ParseForm; ; ; Argument[0]; Argument[1]; taint; manual | -| 39 | Summary: group:beego; ; false; Str2html; ; ; Argument[0]; ReturnValue; taint; manual | -| 40 | Summary: group:beego; ; false; Substr; ; ; Argument[0]; ReturnValue; taint; manual | -| 41 | Summary: io/ioutil; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual | +| 21 | Source: mime/multipart; FileHeader; true; Filename; ; ; ; remote; manual | +| 22 | Source: net/http; Request; true; Form; ; ; ; remote; manual | +| 23 | Summary: group:beego-utils; ; false; SliceChunk; ; ; Argument[0]; ReturnValue; taint; manual | +| 24 | Summary: group:beego-utils; ; false; SliceDiff; ; ; Argument[0]; ReturnValue; taint; manual | +| 25 | Summary: group:beego-utils; ; false; SliceFilter; ; ; Argument[0]; ReturnValue; taint; manual | +| 26 | Summary: group:beego-utils; ; false; SliceIntersect; ; ; Argument[0..1]; ReturnValue; taint; manual | +| 27 | Summary: group:beego-utils; ; false; SliceMerge; ; ; Argument[0..1]; ReturnValue; taint; manual | +| 28 | Summary: group:beego-utils; ; false; SlicePad; ; ; Argument[0..2]; ReturnValue; taint; manual | +| 29 | Summary: group:beego-utils; ; false; SliceRand; ; ; Argument[0]; ReturnValue; taint; manual | +| 30 | Summary: group:beego-utils; ; false; SliceReduce; ; ; Argument[0]; ReturnValue; taint; manual | +| 31 | Summary: group:beego-utils; ; false; SliceShuffle; ; ; Argument[0]; ReturnValue; taint; manual | +| 32 | Summary: group:beego-utils; ; false; SliceUnique; ; ; Argument[0]; ReturnValue; taint; manual | +| 33 | Summary: group:beego-utils; BeeMap; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual | +| 34 | Summary: group:beego-utils; BeeMap; true; Items; ; ; Argument[receiver]; ReturnValue; taint; manual | +| 35 | Summary: group:beego-utils; BeeMap; true; Set; ; ; Argument[1]; Argument[receiver]; taint; manual | +| 36 | Summary: group:beego; ; false; HTML2str; ; ; 
Argument[0]; ReturnValue; taint; manual | +| 37 | Summary: group:beego; ; false; Htmlunquote; ; ; Argument[0]; ReturnValue; taint; manual | +| 38 | Summary: group:beego; ; false; MapGet; ; ; Argument[0]; ReturnValue[0]; taint; manual | +| 39 | Summary: group:beego; ; false; ParseForm; ; ; Argument[0]; Argument[1]; taint; manual | +| 40 | Summary: group:beego; ; false; Str2html; ; ; Argument[0]; ReturnValue; taint; manual | +| 41 | Summary: group:beego; ; false; Substr; ; ; Argument[0]; ReturnValue; taint; manual | +| 42 | Summary: io/ioutil; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual | nodes | test.go:34:13:34:17 | bound [postupdate] | semmle.label | bound [postupdate] | | test.go:35:13:35:30 | type conversion | semmle.label | type conversion | @@ -255,11 +275,13 @@ nodes | test.go:223:2:223:34 | ... := ...[0] | semmle.label | ... := ...[0] | | test.go:223:2:223:34 | ... := ...[1] | semmle.label | ... := ...[1] | | test.go:224:14:224:32 | type conversion | semmle.label | type conversion | +| test.go:224:21:224:31 | selection of Filename | semmle.label | selection of Filename | | test.go:225:2:225:32 | ... := ...[0] | semmle.label | ... := ...[0] | | test.go:225:31:225:31 | f | semmle.label | f | | test.go:226:14:226:20 | content | semmle.label | content | | test.go:228:2:228:40 | ... := ...[0] | semmle.label | ... := ...[0] | | test.go:229:14:229:38 | type conversion | semmle.label | type conversion | +| test.go:229:21:229:37 | selection of Filename | semmle.label | selection of Filename | | test.go:231:7:231:28 | call to GetString | semmle.label | call to GetString | | test.go:232:14:232:22 | type conversion | semmle.label | type conversion | | test.go:234:8:234:35 | call to GetStrings | semmle.label | call to GetStrings | 
@@ -287,6 +309,7 @@ nodes | test.go:285:21:285:60 | call to SliceDiff | semmle.label | call to SliceDiff | | test.go:285:21:285:96 | selection of Filename | semmle.label | selection of Filename | | test.go:285:37:285:48 | genericFiles | semmle.label | genericFiles | +| test.go:287:21:287:96 | selection of Filename | semmle.label | selection of Filename | | test.go:290:3:292:44 | call to SliceFilter | semmle.label | call to SliceFilter | | test.go:290:3:292:80 | selection of Filename | semmle.label | selection of Filename | | test.go:291:4:291:15 | genericFiles | semmle.label | genericFiles | @@ -331,3 +354,5 @@ nodes | test.go:312:21:312:32 | call to Items | semmle.label | call to Items | | test.go:312:21:312:52 | type assertion | semmle.label | type assertion | subpaths +testFailures +| test.go:287:21:287:96 | selection of Filename | Unexpected result: Alert | diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.expected b/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.expected index 0fa6b12603a4..6b2cd559ce54 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.expected 
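Review bot: The updated expectation file checks in a non-empty `testFailures` section, `| test.go:287:21:287:96 | selection of Filename | Unexpected result: Alert |`, which records that the inline expectations in the Beego test source no longer agree with the query output: the new `FileHeader.Filename` source yields an alert at test.go:287 that the test does not annotate. Committing the `.expected` with that entry freezes the mismatch into the baseline instead of resolving it. Either the inline `// $ Alert` annotation should be added at test.go:287 (if that result is wanted, e.g. a `Filename` read on a header that is not otherwise tainted) or the result is a false positive of the new context-insensitive field source and the expectation should stay unchanged until that is decided; the test source is not part of this diff, so I cannot tell which applies from here.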
@@ -1,19 +1,28 @@
 #select
 | test.go:173:20:173:24 | param | test.go:172:11:172:32 | call to Param | test.go:173:20:173:24 | param | This path to an untrusted URL redirection depends on a $@. | test.go:172:11:172:32 | call to Param | user-provided value |
 | test.go:185:20:185:29 | ...+... | test.go:178:11:178:32 | call to Param | test.go:185:20:185:29 | ...+... | This path to an untrusted URL redirection depends on a $@. | test.go:178:11:178:32 | call to Param | user-provided value |
+| test.go:210:20:210:33 | type conversion | test.go:207:2:207:29 | ... := ...[0] | test.go:210:20:210:33 | type conversion | This path to an untrusted URL redirection depends on a $@. | test.go:207:2:207:29 | ... := ...[0] | user-provided value |
+| test.go:212:20:212:45 | index expression | test.go:212:20:212:29 | selection of Value | test.go:212:20:212:45 | index expression | This path to an untrusted URL redirection depends on a $@. | test.go:212:20:212:29 | selection of Value | user-provided value |
 edges
 | test.go:172:11:172:32 | call to Param | test.go:173:20:173:24 | param | provenance | Src:MaD:2 Sink:MaD:1 |
 | test.go:178:11:178:32 | call to Param | test.go:185:24:185:29 | param2 | provenance | Src:MaD:2 |
 | test.go:185:24:185:29 | param2 | test.go:185:20:185:29 | ...+...
| provenance | Config Sink:MaD:1 |
 | test.go:193:9:193:26 | star expression | test.go:193:10:193:26 | selection of URL [postupdate] | provenance | Config |
 | test.go:193:9:193:26 | star expression | test.go:196:21:196:23 | url | provenance | |
-| test.go:193:10:193:26 | selection of URL | test.go:193:9:193:26 | star expression | provenance | Src:MaD:3 Config |
+| test.go:193:10:193:26 | selection of URL | test.go:193:9:193:26 | star expression | provenance | Src:MaD:5 Config |
 | test.go:193:10:193:26 | selection of URL [postupdate] | test.go:193:9:193:26 | star expression | provenance | Config |
 | test.go:196:21:196:23 | url | test.go:196:21:196:32 | call to String | provenance | Config Sink:MaD:1 |
+| test.go:207:2:207:29 | ... := ...[0] | test.go:209:2:209:5 | file | provenance | Src:MaD:3 |
+| test.go:209:2:209:5 | file | test.go:209:12:209:17 | buffer [postupdate] | provenance | Config |
+| test.go:209:12:209:17 | buffer [postupdate] | test.go:210:20:210:33 | type conversion | provenance | Sink:MaD:1 |
+| test.go:212:20:212:29 | selection of Value | test.go:212:20:212:42 | index expression | provenance | Src:MaD:4 Config |
+| test.go:212:20:212:42 | index expression | test.go:212:20:212:45 | index expression | provenance | Config Sink:MaD:1 |
 models
 | 1 | Sink: github.com/labstack/echo; Context; true; Redirect; ; ; Argument[1]; url-redirection; manual |
 | 2 | Source: github.com/labstack/echo; Context; true; Param; ; ; ReturnValue[0]; remote; manual |
-| 3 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
+| 3 | Source: mime/multipart; FileHeader; true; Open; ; ; ReturnValue[0]; remote; manual |
+| 4 | Source: mime/multipart; Form; true; Value; ; ; ; remote; manual |
+| 5 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
 nodes
 | test.go:172:11:172:32 | call to Param | semmle.label | call to Param |
 | test.go:173:20:173:24 | param | semmle.label | param |
@@ -25,4 +34,11 @@ nodes
 | test.go:193:10:193:26 | selection of URL [postupdate] | semmle.label | selection of URL [postupdate] |
 | test.go:196:21:196:23 | url | semmle.label | url |
 | test.go:196:21:196:32 | call to String | semmle.label | call to String |
+| test.go:207:2:207:29 | ... := ...[0] | semmle.label | ... := ...[0] |
+| test.go:209:2:209:5 | file | semmle.label | file |
+| test.go:209:12:209:17 | buffer [postupdate] | semmle.label | buffer [postupdate] |
+| test.go:210:20:210:33 | type conversion | semmle.label | type conversion |
+| test.go:212:20:212:29 | selection of Value | semmle.label | selection of Value |
+| test.go:212:20:212:42 | index expression | semmle.label | index expression |
+| test.go:212:20:212:45 | index expression | semmle.label | index expression |
 subpaths
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Echo/ReflectedXss.expected b/go/ql/test/library-tests/semmle/go/frameworks/Echo/ReflectedXss.expected
index 4e885d284d48..9d7de88c562f 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Echo/ReflectedXss.expected
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Echo/ReflectedXss.expected
@@ -7,8 +7,11 @@
 | test.go:46:16:46:18 | val | test.go:45:9:45:34 | call to FormValue | test.go:46:16:46:18 | val | Cross-site scripting vulnerability due to $@. | test.go:45:9:45:34 | call to FormValue | user-provided value | test.go:0:0:0:0 | test.go | |
 | test.go:52:16:52:37 | index expression | test.go:51:2:51:30 | ... := ...[0] | test.go:52:16:52:37 | index expression | Cross-site scripting vulnerability due to $@. | test.go:51:2:51:30 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
 | test.go:61:20:61:25 | buffer | test.go:57:2:57:46 | ... := ...[0] | test.go:61:20:61:25 | buffer | Cross-site scripting vulnerability due to $@. | test.go:57:2:57:46 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
+| test.go:61:20:61:25 | buffer | test.go:58:2:58:29 | ... := ...[0] | test.go:61:20:61:25 | buffer | Cross-site scripting vulnerability due to $@. | test.go:58:2:58:29 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
 | test.go:67:16:67:41 | index expression | test.go:66:2:66:31 | ... := ...[0] | test.go:67:16:67:41 | index expression | Cross-site scripting vulnerability due to $@. | test.go:66:2:66:31 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
+| test.go:67:16:67:41 | index expression | test.go:67:16:67:25 | selection of Value | test.go:67:16:67:41 | index expression | Cross-site scripting vulnerability due to $@. | test.go:67:16:67:25 | selection of Value | user-provided value | test.go:0:0:0:0 | test.go | |
 | test.go:77:20:77:25 | buffer | test.go:72:2:72:31 | ... := ...[0] | test.go:77:20:77:25 | buffer | Cross-site scripting vulnerability due to $@. | test.go:72:2:72:31 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
+| test.go:77:20:77:25 | buffer | test.go:74:2:74:29 | ... := ...[0] | test.go:77:20:77:25 | buffer | Cross-site scripting vulnerability due to $@. | test.go:74:2:74:29 | ...
:= ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
 | test.go:83:16:83:24 | selection of Value | test.go:82:2:82:32 | ... := ...[0] | test.go:83:16:83:24 | selection of Value | Cross-site scripting vulnerability due to $@. | test.go:82:2:82:32 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
 | test.go:89:16:89:31 | selection of Value | test.go:88:13:88:25 | call to Cookies | test.go:89:16:89:31 | selection of Value | Cross-site scripting vulnerability due to $@. | test.go:88:13:88:25 | call to Cookies | user-provided value | test.go:0:0:0:0 | test.go | |
 | test.go:100:16:100:21 | selection of s | test.go:99:11:99:15 | &... [postupdate] | test.go:100:16:100:21 | selection of s | Cross-site scripting vulnerability due to $@. | test.go:99:11:99:15 | &... [postupdate] | user-provided value | test.go:0:0:0:0 | test.go | |
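Review bot: The added `#select` rows for test.go:61:20 and test.go:77:20 report sinks that already have an alert, differing only in the source node: the `FormFile` result at 57/72 versus the new `FileHeader.Open` result at 58/74. Since the `Open` summary model (receiver to `ReturnValue[0]`, model 19 in the edges hunk) is kept alongside the new `Open` source model (model 13), an upload handler that reaches `Open` through `FormFile` now produces two alerts per sink; the same doubling appears in the CWE-079 ReflectedXss.expected hunk at reflectedxsstest.go:34, where `selection of Filename` is reported next to the existing `... := ...[1]` source. If one alert per sink is the intent, this is worth calling out in the commit message or reconsidering whether the source row for `Open`'s return value is needed when the receiver is already tainted. This is inferred from the expected output alone, so confirm against the query's intended behaviour.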
@@ -27,33 +30,34 @@ edges
 | test.go:45:9:45:34 | call to FormValue | test.go:46:16:46:18 | val | provenance | Src:MaD:6 |
 | test.go:51:2:51:30 | ... := ...[0] | test.go:52:16:52:37 | index expression | provenance | Src:MaD:5 |
 | test.go:57:2:57:46 | ... := ...[0] | test.go:58:13:58:22 | fileHeader | provenance | Src:MaD:4 |
-| test.go:58:2:58:29 | ... := ...[0] | test.go:60:2:60:5 | file | provenance | |
-| test.go:58:13:58:22 | fileHeader | test.go:58:2:58:29 | ... := ...[0] | provenance | MaD:17 |
-| test.go:60:2:60:5 | file | test.go:60:12:60:17 | buffer [postupdate] | provenance | MaD:15 |
-| test.go:60:2:60:5 | file | test.go:60:12:60:17 | buffer [postupdate] | provenance | MaD:16 |
+| test.go:58:2:58:29 | ... := ...[0] | test.go:60:2:60:5 | file | provenance | Src:MaD:13 |
+| test.go:58:13:58:22 | fileHeader | test.go:58:2:58:29 | ... := ...[0] | provenance | MaD:19 |
+| test.go:60:2:60:5 | file | test.go:60:12:60:17 | buffer [postupdate] | provenance | MaD:17 |
 | test.go:60:2:60:5 | file | test.go:60:12:60:17 | buffer [postupdate] | provenance | MaD:18 |
+| test.go:60:2:60:5 | file | test.go:60:12:60:17 | buffer [postupdate] | provenance | MaD:20 |
 | test.go:60:12:60:17 | buffer [postupdate] | test.go:61:20:61:25 | buffer | provenance | |
 | test.go:66:2:66:31 | ... := ...[0] | test.go:67:16:67:41 | index expression | provenance | Src:MaD:7 |
+| test.go:67:16:67:25 | selection of Value | test.go:67:16:67:41 | index expression | provenance | Src:MaD:14 |
 | test.go:72:2:72:31 | ... := ...[0] | test.go:74:13:74:22 | fileHeader | provenance | Src:MaD:7 |
-| test.go:74:2:74:29 | ... := ...[0] | test.go:76:2:76:5 | file | provenance | |
-| test.go:74:13:74:22 | fileHeader | test.go:74:2:74:29 | ... := ...[0] | provenance | MaD:17 |
-| test.go:76:2:76:5 | file | test.go:76:12:76:17 | buffer [postupdate] | provenance | MaD:15 |
-| test.go:76:2:76:5 | file | test.go:76:12:76:17 | buffer [postupdate] | provenance | MaD:16 |
+| test.go:74:2:74:29 | ...
:= ...[0] | test.go:76:2:76:5 | file | provenance | Src:MaD:13 |
+| test.go:74:13:74:22 | fileHeader | test.go:74:2:74:29 | ... := ...[0] | provenance | MaD:19 |
+| test.go:76:2:76:5 | file | test.go:76:12:76:17 | buffer [postupdate] | provenance | MaD:17 |
 | test.go:76:2:76:5 | file | test.go:76:12:76:17 | buffer [postupdate] | provenance | MaD:18 |
+| test.go:76:2:76:5 | file | test.go:76:12:76:17 | buffer [postupdate] | provenance | MaD:20 |
 | test.go:76:12:76:17 | buffer [postupdate] | test.go:77:20:77:25 | buffer | provenance | |
 | test.go:82:2:82:32 | ... := ...[0] | test.go:83:16:83:24 | selection of Value | provenance | Src:MaD:2 |
 | test.go:88:13:88:25 | call to Cookies | test.go:89:16:89:31 | selection of Value | provenance | Src:MaD:3 |
 | test.go:99:11:99:15 | &... [postupdate] | test.go:100:16:100:21 | selection of s | provenance | Src:MaD:1 |
 | test.go:113:2:113:4 | ctx [postupdate] | test.go:114:16:114:18 | ctx | provenance | |
-| test.go:113:21:113:42 | call to Param | test.go:113:2:113:4 | ctx [postupdate] | provenance | Src:MaD:8 MaD:14 |
-| test.go:114:16:114:18 | ctx | test.go:114:16:114:33 | call to Get | provenance | MaD:13 |
+| test.go:113:21:113:42 | call to Param | test.go:113:2:113:4 | ctx [postupdate] | provenance | Src:MaD:8 MaD:16 |
+| test.go:114:16:114:18 | ctx | test.go:114:16:114:33 | call to Get | provenance | MaD:15 |
 | test.go:114:16:114:33 | call to Get | test.go:114:16:114:42 | type assertion | provenance | |
 | test.go:124:11:124:32 | call to Param | test.go:125:16:125:20 | param | provenance | Src:MaD:8 |
 | test.go:130:11:130:32 | call to Param | test.go:131:20:131:32 | type conversion | provenance | Src:MaD:8 |
 | test.go:136:11:136:32 | call to Param | test.go:137:29:137:41 | type conversion | provenance | Src:MaD:8 |
 | test.go:148:11:148:32 | call to Param | test.go:149:30:149:34 | param | provenance | Src:MaD:8 |
 | test.go:149:12:149:35 | call to NewReader | test.go:150:31:150:36 | reader | provenance | |
-|
test.go:149:30:149:34 | param | test.go:149:12:149:35 | call to NewReader | provenance | MaD:19 |
+| test.go:149:30:149:34 | param | test.go:149:12:149:35 | call to NewReader | provenance | MaD:21 |
 | test.go:164:11:164:32 | call to Param | test.go:165:23:165:35 | type conversion | provenance | Src:MaD:8 |
 models
 | 1 | Source: github.com/labstack/echo; Context; true; Bind; ; ; Argument[0]; remote; manual |
@@ -68,13 +72,15 @@ models
 | 10 | Source: github.com/labstack/echo; Context; true; QueryParam; ; ; ReturnValue[0]; remote; manual |
 | 11 | Source: github.com/labstack/echo; Context; true; QueryParams; ; ; ReturnValue[0]; remote; manual |
 | 12 | Source: github.com/labstack/echo; Context; true; QueryString; ; ; ReturnValue[0]; remote; manual |
-| 13 | Summary: github.com/labstack/echo; Context; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual |
-| 14 | Summary: github.com/labstack/echo; Context; true; Set; ; ; Argument[1]; Argument[receiver]; taint; manual |
-| 15 | Summary: io/fs; File; true; Read; ; ; Argument[receiver]; Argument[0]; taint; manual |
-| 16 | Summary: io; Reader; true; Read; ; ; Argument[receiver]; Argument[0]; taint; manual |
-| 17 | Summary: mime/multipart; FileHeader; true; Open; ; ; Argument[receiver]; ReturnValue[0]; taint; manual |
-| 18 | Summary: os; File; true; Read; ; ; Argument[receiver]; Argument[0]; taint; manual |
-| 19 | Summary: strings; ; false; NewReader; ; ; Argument[0]; ReturnValue; taint; manual |
+| 13 | Source: mime/multipart; FileHeader; true; Open; ; ; ReturnValue[0]; remote; manual |
+| 14 | Source: mime/multipart; Form; true; Value; ; ; ; remote; manual |
+| 15 | Summary: github.com/labstack/echo; Context; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual |
+| 16 | Summary: github.com/labstack/echo; Context; true; Set; ; ; Argument[1]; Argument[receiver]; taint; manual |
+| 17 | Summary: io/fs; File; true; Read; ; ; Argument[receiver]; Argument[0]; taint; manual |
+| 18 | Summary: io; Reader; true; Read; ; ; Argument[receiver]; Argument[0]; taint; manual |
+| 19 | Summary: mime/multipart; FileHeader; true; Open; ; ; Argument[receiver]; ReturnValue[0]; taint; manual |
+| 20 | Summary: os; File; true; Read; ; ; Argument[receiver]; Argument[0]; taint; manual |
+| 21 | Summary: strings; ; false; NewReader; ; ; Argument[0]; ReturnValue; taint; manual |
 nodes
 | test.go:15:11:15:32 | call to Param |
semmle.label | call to Param |
 | test.go:16:16:16:20 | param | semmle.label | param |
@@ -97,6 +103,7 @@ nodes
 | test.go:60:12:60:17 | buffer [postupdate] | semmle.label | buffer [postupdate] |
 | test.go:61:20:61:25 | buffer | semmle.label | buffer |
 | test.go:66:2:66:31 | ... := ...[0] | semmle.label | ... := ...[0] |
+| test.go:67:16:67:25 | selection of Value | semmle.label | selection of Value |
 | test.go:67:16:67:41 | index expression | semmle.label | index expression |
 | test.go:72:2:72:31 | ... := ...[0] | semmle.label | ... := ...[0] |
 | test.go:74:2:74:29 | ... := ...[0] | semmle.label | ... := ...[0] |
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Stdlib/MimeMultipartSources.go b/go/ql/test/library-tests/semmle/go/frameworks/Stdlib/MimeMultipartSources.go
new file mode 100644
index 000000000000..cf2a2d102049
--- /dev/null
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Stdlib/MimeMultipartSources.go
@@ -0,0 +1,11 @@
+package main
+
+import "mime/multipart"
+
+func MimeMultipartSources(fh *multipart.FileHeader, form *multipart.Form) {
+ tainted1, _ := fh.Open()
+ sink(tainted1) // $ hasValueFlow="tainted1"
+ sink(fh.Filename) // $ hasValueFlow="selection of Filename"
+ sink(fh.Header) // $ hasValueFlow="selection of Header"
+ sink(form.Value) // $ hasValueFlow="selection of Value"
+}
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Stdlib/TaintFlows.expected b/go/ql/test/library-tests/semmle/go/frameworks/Stdlib/TaintFlows.expected
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Stdlib/TaintFlows.ql b/go/ql/test/library-tests/semmle/go/frameworks/Stdlib/TaintFlows.ql
new file mode 100644
index 000000000000..e76b87dfe1c9
--- /dev/null
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Stdlib/TaintFlows.ql
@@ -0,0 +1,15 @@
+import go
+import TestUtilities.InlineFlowTest
+
+module TestConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) {
+ source = any(Function f | f.getName() = "source").getACall().getResult() or
+ source instanceof RemoteFlowSource
+ }
+
+ predicate isSink(DataFlow::Node sink) {
+ sink = any(Function f | f.getName() = "sink").getACall().getAnArgument()
+ }
+}
+
+import FlowTest
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Stdlib/stubs.go b/go/ql/test/library-tests/semmle/go/frameworks/Stdlib/stubs.go
new file mode 100644
index 000000000000..85dc10427795
--- /dev/null
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Stdlib/stubs.go
@@ -0,0 +1,11 @@
+package main
+
+func main() {}
+
+func source() interface{} {
+ return nil
+}
+
+func sink(v interface{}) {}
+
+func link(from interface{}, into interface{}) {}
diff --git a/go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected b/go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
index b95abaa47c50..dcd75d5db512 100644
--- a/go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
+++ b/go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
@@ -8,6 +8,7 @@
 | contenttype.go:114:50:114:53 | data | contenttype.go:113:10:113:28 | call to FormValue | contenttype.go:114:50:114:53 | data | Cross-site scripting vulnerability due to $@. | contenttype.go:113:10:113:28 | call to FormValue | user-provided value | contenttype.go:0:0:0:0 | contenttype.go | |
 | reflectedxsstest.go:33:10:33:57 | type conversion | reflectedxsstest.go:30:2:30:44 | ... := ...[0] | reflectedxsstest.go:33:10:33:57 | type conversion | Cross-site scripting vulnerability due to $@. | reflectedxsstest.go:30:2:30:44 | ... := ...[0] | user-provided value | reflectedxsstest.go:0:0:0:0 | reflectedxsstest.go | |
 | reflectedxsstest.go:34:10:34:62 | type conversion | reflectedxsstest.go:30:2:30:44 | ... := ...[1] | reflectedxsstest.go:34:10:34:62 | type conversion | Cross-site scripting vulnerability due to $@. | reflectedxsstest.go:30:2:30:44 | ... := ...[1] | user-provided value | reflectedxsstest.go:0:0:0:0 | reflectedxsstest.go | |
+| reflectedxsstest.go:34:10:34:62 | type conversion | reflectedxsstest.go:34:46:34:60 | selection of Filename | reflectedxsstest.go:34:10:34:62 | type conversion | Cross-site scripting vulnerability due to $@. | reflectedxsstest.go:34:46:34:60 | selection of Filename | user-provided value | reflectedxsstest.go:0:0:0:0 | reflectedxsstest.go | |
 | reflectedxsstest.go:44:10:44:55 | type conversion | reflectedxsstest.go:38:2:38:35 | ... := ...[0] | reflectedxsstest.go:44:10:44:55 | type conversion | Cross-site scripting vulnerability due to $@. | reflectedxsstest.go:38:2:38:35 | ... := ...[0] | user-provided value | reflectedxsstest.go:0:0:0:0 | reflectedxsstest.go | |
 | reflectedxsstest.go:45:10:45:18 | byteSlice | reflectedxsstest.go:38:2:38:35 | ... := ...[0] | reflectedxsstest.go:45:10:45:18 | byteSlice | Cross-site scripting vulnerability due to $@. | reflectedxsstest.go:38:2:38:35 | ...
:= ...[0] | user-provided value | reflectedxsstest.go:0:0:0:0 | reflectedxsstest.go | |
 | reflectedxsstest.go:54:11:54:21 | type conversion | reflectedxsstest.go:51:14:51:18 | selection of URL | reflectedxsstest.go:54:11:54:21 | type conversion | Cross-site scripting vulnerability due to $@. | reflectedxsstest.go:51:14:51:18 | selection of URL | user-provided value | reflectedxsstest.go:0:0:0:0 | reflectedxsstest.go | |
@@ -20,52 +21,52 @@
 | websocketXss.go:52:24:52:31 | gorilla2 | websocketXss.go:51:17:51:24 | gorilla2 [postupdate] | websocketXss.go:52:24:52:31 | gorilla2 | Cross-site scripting vulnerability due to $@. | websocketXss.go:51:17:51:24 | gorilla2 [postupdate] | user-provided value | websocketXss.go:0:0:0:0 | websocketXss.go | |
 | websocketXss.go:55:24:55:31 | gorilla3 | websocketXss.go:54:3:54:38 | ... := ...[1] | websocketXss.go:55:24:55:31 | gorilla3 | Cross-site scripting vulnerability due to $@. | websocketXss.go:54:3:54:38 | ... := ...[1] | user-provided value | websocketXss.go:0:0:0:0 | websocketXss.go | |
 edges
-| ReflectedXss.go:11:15:11:20 | selection of Form | ReflectedXss.go:11:15:11:36 | call to Get | provenance | Src:MaD:6 MaD:18 |
+| ReflectedXss.go:11:15:11:20 | selection of Form | ReflectedXss.go:11:15:11:36 | call to Get | provenance | Src:MaD:7 MaD:19 |
 | ReflectedXss.go:11:15:11:36 | call to Get | ReflectedXss.go:14:44:14:51 | username | provenance | |
-| contenttype.go:11:11:11:16 | selection of Form | contenttype.go:11:11:11:28 | call to Get | provenance | Src:MaD:6 MaD:18 |
+| contenttype.go:11:11:11:16 | selection of Form | contenttype.go:11:11:11:28 | call to Get | provenance | Src:MaD:7 MaD:19 |
 | contenttype.go:11:11:11:28 | call to Get | contenttype.go:17:11:17:22 | type conversion | provenance | |
-| contenttype.go:49:11:49:16 | selection of Form | contenttype.go:49:11:49:28 | call to Get | provenance | Src:MaD:6 MaD:18 |
+| contenttype.go:49:11:49:16 | selection of Form | contenttype.go:49:11:49:28 | call to Get | provenance | Src:MaD:7 MaD:19 |
 | contenttype.go:49:11:49:28 | call to Get | contenttype.go:53:34:53:37 | data | provenance | |
-| contenttype.go:63:10:63:28 | call to FormValue | contenttype.go:64:52:64:55 | data | provenance | Src:MaD:8 |
-| contenttype.go:73:10:73:28 | call to FormValue | contenttype.go:79:11:79:14 | data | provenance | Src:MaD:8 |
-| contenttype.go:88:10:88:28 | call to FormValue | contenttype.go:91:4:91:7 |
data | provenance | Src:MaD:8 |
-| contenttype.go:113:10:113:28 | call to FormValue | contenttype.go:114:50:114:53 | data | provenance | Src:MaD:8 |
-| reflectedxsstest.go:30:2:30:44 | ... := ...[0] | reflectedxsstest.go:31:30:31:33 | file | provenance | Src:MaD:7 |
-| reflectedxsstest.go:30:2:30:44 | ... := ...[1] | reflectedxsstest.go:34:46:34:60 | selection of Filename | provenance | Src:MaD:7 |
+| contenttype.go:63:10:63:28 | call to FormValue | contenttype.go:64:52:64:55 | data | provenance | Src:MaD:9 |
+| contenttype.go:73:10:73:28 | call to FormValue | contenttype.go:79:11:79:14 | data | provenance | Src:MaD:9 |
+| contenttype.go:88:10:88:28 | call to FormValue | contenttype.go:91:4:91:7 | data | provenance | Src:MaD:9 |
+| contenttype.go:113:10:113:28 | call to FormValue | contenttype.go:114:50:114:53 | data | provenance | Src:MaD:9 |
+| reflectedxsstest.go:30:2:30:44 | ... := ...[0] | reflectedxsstest.go:31:30:31:33 | file | provenance | Src:MaD:8 |
+| reflectedxsstest.go:30:2:30:44 | ... := ...[1] | reflectedxsstest.go:34:46:34:60 | selection of Filename | provenance | Src:MaD:8 |
 | reflectedxsstest.go:31:2:31:34 | ... := ...[0] | reflectedxsstest.go:32:48:32:54 | content | provenance | |
-| reflectedxsstest.go:31:30:31:33 | file | reflectedxsstest.go:31:2:31:34 | ... := ...[0] | provenance | MaD:13 |
+| reflectedxsstest.go:31:30:31:33 | file | reflectedxsstest.go:31:2:31:34 | ...
:= ...[0] | provenance | MaD:14 |
 | reflectedxsstest.go:32:48:32:54 | content | reflectedxsstest.go:33:49:33:55 | content | provenance | |
-| reflectedxsstest.go:33:17:33:56 | []type{args} [array] | reflectedxsstest.go:33:17:33:56 | call to Sprintf | provenance | MaD:12 |
+| reflectedxsstest.go:33:17:33:56 | []type{args} [array] | reflectedxsstest.go:33:17:33:56 | call to Sprintf | provenance | MaD:13 |
 | reflectedxsstest.go:33:17:33:56 | call to Sprintf | reflectedxsstest.go:33:10:33:57 | type conversion | provenance | |
 | reflectedxsstest.go:33:49:33:55 | content | reflectedxsstest.go:33:17:33:56 | []type{args} [array] | provenance | |
 | reflectedxsstest.go:33:49:33:55 | content | reflectedxsstest.go:33:17:33:56 | call to Sprintf | provenance | FunctionModel |
-| reflectedxsstest.go:34:17:34:61 | []type{args} [array] | reflectedxsstest.go:34:17:34:61 | call to Sprintf | provenance | MaD:12 |
+| reflectedxsstest.go:34:17:34:61 | []type{args} [array] | reflectedxsstest.go:34:17:34:61 | call to Sprintf | provenance | MaD:13 |
 | reflectedxsstest.go:34:17:34:61 | call to Sprintf | reflectedxsstest.go:34:10:34:62 | type conversion | provenance | |
-| reflectedxsstest.go:34:46:34:60 | selection of Filename | reflectedxsstest.go:34:17:34:61 | []type{args} [array] | provenance | |
-| reflectedxsstest.go:34:46:34:60 | selection of Filename | reflectedxsstest.go:34:17:34:61 | call to Sprintf | provenance | FunctionModel |
-| reflectedxsstest.go:38:2:38:35 | ... := ...[0] | reflectedxsstest.go:39:16:39:21 | reader | provenance | Src:MaD:9 |
+| reflectedxsstest.go:34:46:34:60 | selection of Filename | reflectedxsstest.go:34:17:34:61 | []type{args} [array] | provenance | Src:MaD:6 |
+| reflectedxsstest.go:34:46:34:60 | selection of Filename | reflectedxsstest.go:34:17:34:61 | call to Sprintf | provenance | Src:MaD:6 FunctionModel |
+| reflectedxsstest.go:38:2:38:35 | ...
:= ...[0] | reflectedxsstest.go:39:16:39:21 | reader | provenance | Src:MaD:10 |
 | reflectedxsstest.go:39:2:39:32 | ... := ...[0] | reflectedxsstest.go:40:14:40:17 | part | provenance | |
 | reflectedxsstest.go:39:2:39:32 | ... := ...[0] | reflectedxsstest.go:42:2:42:5 | part | provenance | |
-| reflectedxsstest.go:39:16:39:21 | reader | reflectedxsstest.go:39:2:39:32 | ... := ...[0] | provenance | MaD:16 |
-| reflectedxsstest.go:40:14:40:17 | part | reflectedxsstest.go:40:14:40:28 | call to FileName | provenance | MaD:15 |
+| reflectedxsstest.go:39:16:39:21 | reader | reflectedxsstest.go:39:2:39:32 | ... := ...[0] | provenance | MaD:17 |
+| reflectedxsstest.go:40:14:40:17 | part | reflectedxsstest.go:40:14:40:28 | call to FileName | provenance | MaD:16 |
 | reflectedxsstest.go:40:14:40:28 | call to FileName | reflectedxsstest.go:44:46:44:53 | partName | provenance | |
-| reflectedxsstest.go:42:2:42:5 | part | reflectedxsstest.go:42:12:42:20 | byteSlice [postupdate] | provenance | MaD:14 |
+| reflectedxsstest.go:42:2:42:5 | part | reflectedxsstest.go:42:12:42:20 | byteSlice [postupdate] | provenance | MaD:15 |
 | reflectedxsstest.go:42:12:42:20 | byteSlice [postupdate] | reflectedxsstest.go:45:10:45:18 | byteSlice | provenance | |
-| reflectedxsstest.go:44:17:44:54 | []type{args} [array] | reflectedxsstest.go:44:17:44:54 | call to Sprintf | provenance | MaD:12 |
+| reflectedxsstest.go:44:17:44:54 | []type{args} [array] | reflectedxsstest.go:44:17:44:54 | call to Sprintf | provenance | MaD:13 |
 | reflectedxsstest.go:44:17:44:54 | call to Sprintf | reflectedxsstest.go:44:10:44:55 | type conversion | provenance | |
 | reflectedxsstest.go:44:46:44:53 | partName | reflectedxsstest.go:44:17:44:54 | []type{args} [array] | provenance | |
 | reflectedxsstest.go:44:46:44:53 | partName | reflectedxsstest.go:44:17:44:54 | call to Sprintf | provenance | FunctionModel |
-| reflectedxsstest.go:51:14:51:18 | selection of URL | reflectedxsstest.go:51:14:51:26 | call to Query |
provenance | Src:MaD:10 MaD:17 |
+| reflectedxsstest.go:51:14:51:18 | selection of URL | reflectedxsstest.go:51:14:51:26 | call to Query | provenance | Src:MaD:11 MaD:18 |
 | reflectedxsstest.go:51:14:51:26 | call to Query | reflectedxsstest.go:54:11:54:21 | type conversion | provenance | |
-| tst.go:14:15:14:20 | selection of Form | tst.go:14:15:14:36 | call to Get | provenance | Src:MaD:6 MaD:18 |
+| tst.go:14:15:14:20 | selection of Form | tst.go:14:15:14:36 | call to Get | provenance | Src:MaD:7 MaD:19 |
 | tst.go:14:15:14:36 | call to Get | tst.go:18:32:18:32 | a | provenance | |
 | tst.go:18:19:18:38 | call to Join | tst.go:18:12:18:39 | type conversion | provenance | |
-| tst.go:18:32:18:32 | a | tst.go:18:19:18:38 | call to Join | provenance | MaD:19 |
-| tst.go:48:14:48:19 | selection of Form | tst.go:48:14:48:34 | call to Get | provenance | Src:MaD:6 MaD:18 |
+| tst.go:18:32:18:32 | a | tst.go:18:19:18:38 | call to Join | provenance | MaD:20 |
+| tst.go:48:14:48:19 | selection of Form | tst.go:48:14:48:34 | call to Get | provenance | Src:MaD:7 MaD:19 |
 | tst.go:48:14:48:34 | call to Get | tst.go:53:12:53:26 | type conversion | provenance | |
 | websocketXss.go:31:11:31:14 | xnet [postupdate] | websocketXss.go:32:24:32:27 | xnet | provenance | Src:MaD:5 |
 | websocketXss.go:35:21:35:25 | xnet2 [postupdate] | websocketXss.go:36:24:36:28 | xnet2 | provenance | Src:MaD:4 |
-| websocketXss.go:40:3:40:40 | ... := ...[1] | websocketXss.go:41:24:41:29 | nhooyr | provenance | Src:MaD:11 |
+| websocketXss.go:40:3:40:40 | ... := ...[1] | websocketXss.go:41:24:41:29 | nhooyr | provenance | Src:MaD:12 |
 | websocketXss.go:47:26:47:35 | gorillaMsg [postupdate] | websocketXss.go:48:24:48:33 | gorillaMsg | provenance | Src:MaD:1 |
 | websocketXss.go:51:17:51:24 | gorilla2 [postupdate] | websocketXss.go:52:24:52:31 | gorilla2 | provenance | Src:MaD:2 |
 | websocketXss.go:54:3:54:38 | ... := ...[1] | websocketXss.go:55:24:55:31 | gorilla3 | provenance | Src:MaD:3 |
@@ -75,20 +76,21 @@ models
 | 3 | Source: github.com/gorilla/websocket; Conn; true; ReadMessage; ; ; ReturnValue[1]; remote; manual |
 | 4 | Source: golang.org/x/net/websocket; Codec; true; Receive; ; ; Argument[1]; remote; manual |
 | 5 | Source: golang.org/x/net/websocket; Conn; true; Read; ; ; Argument[0]; remote; manual |
-| 6 | Source: net/http; Request; true; Form; ; ; ; remote; manual |
-| 7 | Source: net/http; Request; true; FormFile; ; ; ReturnValue[0..1]; remote; manual |
-| 8 | Source: net/http; Request; true; FormValue; ; ; ReturnValue; remote; manual |
-| 9 | Source: net/http; Request; true; MultipartReader; ; ; ReturnValue[0]; remote; manual |
-| 10 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
-| 11 | Source: nhooyr.io/websocket; Conn; true; Read; ; ; ReturnValue[1]; remote; manual |
-| 12 | Summary: fmt; ; false; Sprintf; ; ; Argument[1].ArrayElement; ReturnValue; taint; manual |
-| 13 | Summary: io; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual |
-| 14 | Summary: io; Reader; true; Read; ; ; Argument[receiver]; Argument[0]; taint; manual |
-| 15 | Summary: mime/multipart; Part; true; FileName; ; ; Argument[receiver]; ReturnValue; taint; manual |
-| 16 | Summary: mime/multipart; Reader; true; NextPart; ; ; Argument[receiver]; ReturnValue[0]; taint; manual |
-| 17 | Summary: net/url; URL; true; Query; ; ; Argument[receiver]; ReturnValue; taint; manual |
-| 18 | Summary: net/url; Values; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual |
-| 19 | Summary: strings; ; false; Join; ; ; Argument[0..1]; ReturnValue; taint; manual |
+| 6 | Source: mime/multipart; FileHeader; true; Filename; ; ; ; remote; manual |
+| 7 | Source: net/http; Request; true; Form; ; ; ; remote; manual |
+| 8 | Source: net/http; Request; true; FormFile; ; ; ReturnValue[0..1]; remote; manual |
+| 9 | Source: net/http; Request; true; FormValue; ; ; ReturnValue; remote; manual |
+| 10 | Source: net/http; Request; true; MultipartReader; ; ;
ReturnValue[0]; remote; manual |
+| 11 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
+| 12 | Source: nhooyr.io/websocket; Conn; true; Read; ; ; ReturnValue[1]; remote; manual |
+| 13 | Summary: fmt; ; false; Sprintf; ; ; Argument[1].ArrayElement; ReturnValue; taint; manual |
+| 14 | Summary: io; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual |
+| 15 | Summary: io; Reader; true; Read; ; ; Argument[receiver]; Argument[0]; taint; manual |
+| 16 | Summary: mime/multipart; Part; true; FileName; ; ; Argument[receiver]; ReturnValue; taint; manual |
+| 17 | Summary: mime/multipart; Reader; true; NextPart; ; ; Argument[receiver]; ReturnValue[0]; taint; manual |
+| 18 | Summary: net/url; URL; true; Query; ; ; Argument[receiver]; ReturnValue; taint; manual |
+| 19 | Summary: net/url; Values; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual |
+| 20 | Summary: strings; ; false; Join; ; ; Argument[0..1]; ReturnValue; taint; manual |
 nodes
 | ReflectedXss.go:11:15:11:20 | selection of Form | semmle.label | selection of Form |
 | ReflectedXss.go:11:15:11:36 | call to Get | semmle.label | call to Get |
diff --git a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.expected b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.expected
index d9f24369ca2a..0d33bb185d4f 100644
--- a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.expected
+++ b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.expected
@@ -12,47 +12,48 @@
 | stdlib.go:198:23:198:42 | call to EscapedPath | stdlib.go:194:36:194:56 | call to FormValue | stdlib.go:198:23:198:42 | call to EscapedPath | This path to an untrusted URL redirection depends on a $@. | stdlib.go:194:36:194:56 | call to FormValue | user-provided value |
 | stdlib.go:212:23:212:28 | selection of Path | stdlib.go:210:12:210:30 | call to FormValue | stdlib.go:212:23:212:28 | selection of Path | This path to an untrusted URL redirection depends on a $@. | stdlib.go:210:12:210:30 | call to FormValue | user-provided value |
 | stdlib.go:214:23:214:32 | call to String | stdlib.go:210:12:210:30 | call to FormValue | stdlib.go:214:23:214:32 | call to String | This path to an untrusted URL redirection depends on a $@. | stdlib.go:210:12:210:30 | call to FormValue | user-provided value |
+| stdlib.go:226:23:226:59 | index expression | stdlib.go:226:23:226:43 | selection of Value | stdlib.go:226:23:226:59 | index expression | This path to an untrusted URL redirection depends on a $@. | stdlib.go:226:23:226:43 | selection of Value | user-provided value |
 | stdlib.go:261:23:261:32 | call to String | stdlib.go:257:12:257:30 | call to FormValue | stdlib.go:261:23:261:32 | call to String | This path to an untrusted URL redirection depends on a $@. | stdlib.go:257:12:257:30 | call to FormValue | user-provided value |
 edges
-| OpenUrlRedirect.go:10:23:10:28 | selection of Form | OpenUrlRedirect.go:10:23:10:42 | call to Get | provenance | Src:MaD:2 Config Sink:MaD:1 |
-| stdlib.go:13:13:13:18 | selection of Form | stdlib.go:13:13:13:32 | call to Get | provenance | Src:MaD:2 Config |
+| OpenUrlRedirect.go:10:23:10:28 | selection of Form | OpenUrlRedirect.go:10:23:10:42 | call to Get | provenance | Src:MaD:3 Config Sink:MaD:1 |
+| stdlib.go:13:13:13:18 | selection of Form | stdlib.go:13:13:13:32 | call to Get | provenance | Src:MaD:3 Config |
 | stdlib.go:13:13:13:32 | call to Get | stdlib.go:15:30:15:35 | target | provenance | |
-| stdlib.go:22:13:22:18 | selection of Form | stdlib.go:22:13:22:32 | call to Get | provenance | Src:MaD:2 Config |
+| stdlib.go:22:13:22:18 | selection of Form | stdlib.go:22:13:22:32 | call to Get | provenance | Src:MaD:3 Config |
 | stdlib.go:22:13:22:32 | call to Get | stdlib.go:24:30:24:35 | target | provenance | |
-| stdlib.go:33:13:33:18 | selection of Form | stdlib.go:33:13:33:32 | call to Get | provenance | Src:MaD:2 Config |
+| stdlib.go:33:13:33:18 | selection of Form | stdlib.go:33:13:33:32 | call to Get | provenance | Src:MaD:3 Config |
 | stdlib.go:33:13:33:32 | call to Get | stdlib.go:39:34:39:40 | target2 | provenance | |
 | stdlib.go:39:34:39:40 | target2 | stdlib.go:39:30:39:40 | ...+... | provenance | Config |
-| stdlib.go:48:13:48:18 | selection of Form | stdlib.go:48:13:48:32 | call to Get | provenance | Src:MaD:2 Config |
+| stdlib.go:48:13:48:18 | selection of Form | stdlib.go:48:13:48:32 | call to Get | provenance | Src:MaD:3 Config |
 | stdlib.go:48:13:48:32 | call to Get | stdlib.go:50:23:50:28 | target | provenance | Sink:MaD:1 |
-| stdlib.go:68:13:68:18 | selection of Form | stdlib.go:68:13:68:32 | call to Get | provenance | Src:MaD:2 Config |
+| stdlib.go:68:13:68:18 | selection of Form | stdlib.go:68:13:68:32 | call to Get | provenance | Src:MaD:3 Config |
 | stdlib.go:68:13:68:32 | call to Get | stdlib.go:71:23:71:28 | target | provenance | |
 | stdlib.go:71:23:71:28 | target | stdlib.go:71:23:71:37 | ...+... | provenance | Config |
 | stdlib.go:71:23:71:37 | ...+... | stdlib.go:71:23:71:40 | ...+... | provenance | Config Sink:MaD:1 |
-| stdlib.go:93:13:93:18 | selection of Form | stdlib.go:93:13:93:32 | call to Get | provenance | Src:MaD:2 Config |
+| stdlib.go:93:13:93:18 | selection of Form | stdlib.go:93:13:93:32 | call to Get | provenance | Src:MaD:3 Config |
 | stdlib.go:93:13:93:32 | call to Get | stdlib.go:94:3:94:8 | target | provenance | |
 | stdlib.go:94:3:94:8 | target | stdlib.go:94:3:94:25 | ... += ... | provenance | Config |
 | stdlib.go:94:3:94:25 | ... += ... | stdlib.go:96:23:96:28 | target | provenance | Sink:MaD:1 |
 | stdlib.go:116:4:116:4 | implicit dereference [postupdate] [URL] | stdlib.go:116:4:116:4 | r [postupdate] [pointer, URL] | provenance | |
 | stdlib.go:116:4:116:4 | r [postupdate] [pointer, URL] | stdlib.go:117:24:117:24 | r [pointer, URL] | provenance | |
 | stdlib.go:116:4:116:8 | implicit dereference | stdlib.go:116:4:116:8 | selection of URL [postupdate] | provenance | Config |
-| stdlib.go:116:4:116:8 | selection of URL | stdlib.go:116:4:116:8 | implicit dereference | provenance | Src:MaD:4 Config |
+| stdlib.go:116:4:116:8 | selection of URL | stdlib.go:116:4:116:8 | implicit dereference | provenance | Src:MaD:5 Config |
 | stdlib.go:116:4:116:8 | selection of URL [postupdate] | stdlib.go:116:4:116:4 | implicit dereference [postupdate] [URL] | provenance | |
 | stdlib.go:116:4:116:8 | selection of URL [postupdate] | stdlib.go:116:4:116:8 | implicit dereference | provenance | Config |
 | stdlib.go:117:24:117:24 | implicit dereference [URL] | stdlib.go:117:24:117:28 | selection of URL | provenance | |
 | stdlib.go:117:24:117:24 | r [pointer, URL] | stdlib.go:117:24:117:24 | implicit dereference [URL] | provenance | |
-| stdlib.go:117:24:117:28 | selection of URL | stdlib.go:117:24:117:37 | call to String | provenance | Src:MaD:4 Config Sink:MaD:1 |
-| stdlib.go:150:13:150:18 | selection of Form | stdlib.go:150:13:150:32 | call to Get | provenance | Src:MaD:2 Config |
+| stdlib.go:117:24:117:28 | selection of URL | stdlib.go:117:24:117:37 | call to String | provenance | Src:MaD:5 Config Sink:MaD:1 |
+| stdlib.go:150:13:150:18 | selection of Form | stdlib.go:150:13:150:32 | call to Get | provenance | Src:MaD:3 Config |
 | stdlib.go:150:13:150:32 | call to Get | stdlib.go:156:23:156:28 | target | provenance | Sink:MaD:1 |
 | stdlib.go:163:10:163:15 | star expression | stdlib.go:163:11:163:15 | selection of URL [postupdate] | provenance | Config |
 | stdlib.go:163:10:163:15 | star expression | stdlib.go:166:24:166:26 | url | provenance | |
-| stdlib.go:163:11:163:15 | selection of URL | stdlib.go:163:10:163:15 | star expression | provenance | Src:MaD:4 Config |
+| stdlib.go:163:11:163:15 | selection of URL | stdlib.go:163:10:163:15 | star expression | provenance | Src:MaD:5 Config |
 | stdlib.go:163:11:163:15 | selection of URL [postupdate] | stdlib.go:163:10:163:15 | star expression | provenance | Config |
 | stdlib.go:166:24:166:26 | url | stdlib.go:166:24:166:35 | call to String | provenance | Config Sink:MaD:1 |
-| stdlib.go:177:35:177:39 | selection of URL | stdlib.go:177:35:177:52 | call to RequestURI | provenance | Src:MaD:4 Config |
+| stdlib.go:177:35:177:39 | selection of URL | stdlib.go:177:35:177:52 | call to RequestURI | provenance | Src:MaD:5 Config |
 | stdlib.go:177:35:177:52 | call to RequestURI | stdlib.go:177:24:177:52 | ...+... | provenance | Config Sink:MaD:1 |
-| stdlib.go:186:13:186:33 | call to FormValue | stdlib.go:188:23:188:28 | target | provenance | Src:MaD:3 Sink:MaD:1 |
+| stdlib.go:186:13:186:33 | call to FormValue | stdlib.go:188:23:188:28 | target | provenance | Src:MaD:4 Sink:MaD:1 |
 | stdlib.go:194:3:194:57 | ... := ...[0] | stdlib.go:196:23:196:28 | target | provenance | |
-| stdlib.go:194:36:194:56 | call to FormValue | stdlib.go:194:3:194:57 | ... := ...[0] | provenance | Src:MaD:3 Config |
+| stdlib.go:194:36:194:56 | call to FormValue | stdlib.go:194:3:194:57 | ... := ...[0] | provenance | Src:MaD:4 Config |
 | stdlib.go:196:23:196:28 | implicit dereference | stdlib.go:196:23:196:28 | target [postupdate] | provenance | Config |
 | stdlib.go:196:23:196:28 | implicit dereference | stdlib.go:196:23:196:33 | selection of Path | provenance | Config Sink:MaD:1 |
 | stdlib.go:196:23:196:28 | target | stdlib.go:196:23:196:28 | implicit dereference | provenance | Config |
@@ -65,8 +66,8 @@ edges
 | stdlib.go:210:3:210:3 | implicit dereference [postupdate] | stdlib.go:210:3:210:3 | u [postupdate] [pointer] | provenance | |
 | stdlib.go:210:3:210:3 | u [postupdate] | stdlib.go:212:23:212:23 | u | provenance | |
 | stdlib.go:210:3:210:3 | u [postupdate] [pointer] | stdlib.go:212:23:212:23 | u [pointer] | provenance | |
-| stdlib.go:210:12:210:30 | call to FormValue | stdlib.go:210:3:210:3 | implicit dereference [postupdate] | provenance | Src:MaD:3 Config |
-| stdlib.go:210:12:210:30 | call to FormValue | stdlib.go:210:3:210:3 | u [postupdate] | provenance | Src:MaD:3 Config |
+| stdlib.go:210:12:210:30 | call to FormValue | stdlib.go:210:3:210:3 | implicit dereference [postupdate] | provenance | Src:MaD:4 Config |
+| stdlib.go:210:12:210:30 | call to FormValue | stdlib.go:210:3:210:3 | u [postupdate] | provenance | Src:MaD:4 Config |
 | stdlib.go:212:23:212:23 | implicit dereference | stdlib.go:212:23:212:23 | u [postupdate] | provenance | Config |
 | stdlib.go:212:23:212:23 | implicit dereference | stdlib.go:212:23:212:28 | selection of Path | provenance | Config Sink:MaD:1 |
 | stdlib.go:212:23:212:23 | u | stdlib.go:212:23:212:23 | implicit dereference | provenance | Config |
@@ -76,12 +77,14 @@ edges
 | stdlib.go:212:23:212:23 | u [postupdate] | stdlib.go:212:23:212:23 | implicit dereference | provenance | Config |
 | stdlib.go:212:23:212:23 | u [postupdate] | stdlib.go:214:23:214:23 | u | provenance | |
 | stdlib.go:214:23:214:23 | u | stdlib.go:214:23:214:32 | call to String | provenance | Config Sink:MaD:1 |
+| stdlib.go:226:23:226:43 | selection of Value | stdlib.go:226:23:226:56 | index expression | provenance | Src:MaD:2 Config |
+| stdlib.go:226:23:226:56 | index expression | stdlib.go:226:23:226:59 | index expression | provenance | Config Sink:MaD:1 |
 | stdlib.go:257:3:257:3 | implicit dereference [postupdate] | stdlib.go:257:3:257:3 | u [postupdate] | provenance | Config |
 | stdlib.go:257:3:257:3 | implicit dereference [postupdate] | stdlib.go:257:3:257:3 | u [postupdate] [pointer] | provenance | |
 | stdlib.go:257:3:257:3 | u [postupdate] | stdlib.go:260:3:260:3 | u | provenance | |
 | stdlib.go:257:3:257:3 | u [postupdate] [pointer] | stdlib.go:260:3:260:3 | u [pointer] | provenance | |
-| stdlib.go:257:12:257:30 | call to FormValue | stdlib.go:257:3:257:3 | implicit dereference [postupdate] | provenance | Src:MaD:3 Config |
-| stdlib.go:257:12:257:30 | call to FormValue | stdlib.go:257:3:257:3 | u [postupdate] | provenance | Src:MaD:3 Config |
+| stdlib.go:257:12:257:30 | call to FormValue | stdlib.go:257:3:257:3 | implicit dereference [postupdate] | provenance | Src:MaD:4 Config |
+| stdlib.go:257:12:257:30 | call to FormValue | stdlib.go:257:3:257:3 | u [postupdate] | provenance | Src:MaD:4 Config |
 | stdlib.go:260:3:260:3 | implicit dereference | stdlib.go:260:3:260:3 | u [postupdate] | provenance | Config |
 | stdlib.go:260:3:260:3 | u | stdlib.go:260:3:260:3 | implicit dereference | provenance | Config |
 | stdlib.go:260:3:260:3 | u | stdlib.go:261:23:261:23 | u | provenance | |
@@ -91,9 +94,10 @@ edges
 | stdlib.go:261:23:261:23 | u | stdlib.go:261:23:261:32 | call to String | provenance | Config Sink:MaD:1 |
 models
 | 1 | Sink: net/http; ; false; Redirect; ; ; Argument[2]; url-redirection[0]; manual |
-| 2 | Source: net/http; Request; true; Form; ; ; ; remote; manual |
-| 3 | Source: net/http; Request; true; FormValue; ; ; ReturnValue; remote; manual |
-| 4 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
+| 2 | Source: mime/multipart; Form; true; Value; ; ; ; remote; manual |
+| 3 | Source: net/http; Request; true; Form; ; ; ; remote; manual |
+| 4 | Source: net/http; Request; true; FormValue; ; ; ReturnValue; remote; manual |
+| 5 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
 nodes
 | OpenUrlRedirect.go:10:23:10:28 | selection of Form | semmle.label | selection of Form |
 | OpenUrlRedirect.go:10:23:10:42 | call to Get | semmle.label | call to Get |
@@ -161,6 +165,9 @@ nodes
 | stdlib.go:212:23:212:28 | selection of Path | semmle.label | selection of Path |
 | stdlib.go:214:23:214:23 | u | semmle.label | u |
 | stdlib.go:214:23:214:32 | call to String | semmle.label | call to String |
+| stdlib.go:226:23:226:43 | selection of Value | semmle.label | selection of Value |
+| stdlib.go:226:23:226:56 | index expression | semmle.label | index expression |
+| stdlib.go:226:23:226:59 | index expression | semmle.label | index expression |
 | stdlib.go:257:3:257:3 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
 | stdlib.go:257:3:257:3 | u [postupdate] | semmle.label | u [postupdate] |
 | stdlib.go:257:3:257:3 | u [postupdate] [pointer] | semmle.label | u [postupdate] [pointer] |
@@ -172,3 +179,6 @@ nodes
 | stdlib.go:261:23:261:23 | u | semmle.label | u |
 | stdlib.go:261:23:261:32 | call to String | semmle.label | call to String |
 subpaths
+testFailures
+| stdlib.go:226:23:226:43 | selection of Value | Unexpected result: Alert |
+| stdlib.go:226:23:226:59 | index expression | Unexpected result: Alert |
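Review bot: The `testFailures` section added at the end of this hunk commits two `Unexpected result: Alert` rows for stdlib.go:226 into OpenUrlRedirect.expected, which means the test is still failing rather than passing with an updated baseline; a `.expected` file should never carry a `testFailures` block. The cause is the new `mime/multipart; Form; true; Value` source (models row 2 in the `@@ -91,9 +94,10 @@` hunk above), which now reports a path from `selection of Value` to the `http.Redirect` sink at stdlib.go:226 that the Go test file's inline expectations do not yet mark. The finding itself appears correct — `Form.Value` holds client-supplied multipart form fields, so an index into it flowing to a redirect target is a genuine url-redirection result — so the fix is to add the expected-alert marker at stdlib.go:226 using whatever inline annotation convention that test file already uses, re-run the test, and regenerate the `.expected` file without the `testFailures` rows. The corresponding result and edge rows for line 226 in the `@@ -12,47 +12,48 @@` and `@@ -76,12 +77,14 @@` hunks should then remain unchanged. I cannot see stdlib.go here, so the exact expression at line 226 is inferred from the node labels.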