docs: align IDNA digit-fold qhelp/qll/ql with implemented model

Fix several drift issues between the prose and the predicates:

- qhelp now lists the seven Unicode-block ranges that account for the
  100 fold codepoints, replacing the prior "8 families" claim that did
  not match the bullet list. Adds an explicit note that Devanagari
  digits do not fold (verified empirically against
  golang.org/x/net/idna v0.53.0) and that Registration disallows every
  fold codepoint at rune validation.
- qhelp recommendation corrects netip.ParseAddr semantics (parsed via
  err == nil, not via a non-nil return) and rewrites the trim-form
  list to state that TrimSuffix and the manual slice are not
  equivalent to TrimRight for multi-trailing-dot inputs.
- qhelp example caption matches the actual sample, which shows the
  no-recheck shape, not a pre-IDNA ParseIP shape.
- qll module docstring now covers both ToASCII and ToUnicode on the
  digit-folding profiles, lists the actual idna.New(MapForLookup)
  construction shape, and explicitly states that the package-level
  idna.ToASCII helper and the Punycode profile are excluded.
- ql @description and select message reflect that the model covers
  both ToASCII and ToUnicode and that the no-recheck case is the
  primary anti-pattern, not just the pre-IDNA-ParseIP case.

Author: astrogilda

go/ql/src/experimental/CWE-918/IdnaIpLiteralSmuggle.qhelp

@@ -6,22 +6,34 @@
 <overview>
 <p>
 The Go module <code>golang.org/x/net/idna</code> implements UTS-46 IDNA
-processing. During the <code>Lookup</code> and <code>MapForLookup</code>
-profiles, <code>(*Profile).ToASCII</code> applies an NFKC-based character map
-that folds <strong>100 distinct non-ASCII Unicode digit codepoints</strong>
-across 8 families to their ASCII equivalents. The 8 families are:
+processing. On the <code>Lookup</code> and <code>Display</code> profiles
+(and any profile constructed via <code>idna.New(idna.MapForLookup(), ...)</code>),
+both <code>(*Profile).ToASCII</code> and <code>(*Profile).ToUnicode</code>
+apply an NFKC-based character map that folds <strong>100 distinct
+non-ASCII Unicode digit codepoints</strong> to their ASCII equivalents.
+The 100 codepoints partition into the following Unicode-block ranges:
 </p>
 <ul>
   <li>Latin-1 superscripts (U+00B2, U+00B3, U+00B9): 3 codepoints</li>
   <li>Mathematical superscripts (U+2070, U+2074..U+2079): 7 codepoints</li>
   <li>Mathematical subscripts (U+2080..U+2089): 10 codepoints</li>
   <li>Circled digits (U+2460..U+2468, U+24EA): 10 codepoints</li>
   <li>Fullwidth digits (U+FF10..U+FF19): 10 codepoints</li>
-  <li>Mathematical bold, sans-serif, double-struck, and monospace digits
+  <li>Mathematical Alphanumeric Symbols digits, spanning bold,
+      double-struck, sans-serif, sans-serif-bold, and monospace styles
       (U+1D7CE..U+1D7FF): 50 codepoints</li>
   <li>Segmented digits (U+1FBF0..U+1FBF9): 10 codepoints</li>
 </ul>
 <p>
+Devanagari digits (U+0966..U+096F) are <strong>not</strong> in scope:
+empirical testing against <code>golang.org/x/net/idna v0.53.0</code>
+confirms they do not fold to ASCII via UTS-46. The
+<code>Registration</code> profile is structurally covered by the rule
+but disallows every fold codepoint at the rune-validation stage, so a
+caller that respects the returned <code>error</code> never sees a
+smuggled literal from that profile in practice.
+</p>
+<p>
 The library contains no IP-literal detection. A caller that applies UTS-46
 mapping to an attacker-controlled host string and consumes the result in a
 network sink without rechecking against IP-literal parsers receives a
@@ -57,48 +69,59 @@ Use a strict IDNA profile option that returns an error if the mapped
 output parses as an IP literal, if your IDNA library exposes one.
 </li>
 <li>
-Apply the explicit safe pattern: after <code>idna.ToASCII</code>, trim a
-single trailing dot and call <code>net.ParseIP</code> (or
-<code>netip.ParseAddr</code>) on the result, then reject on non-nil. The
-trailing-dot trim is required because <code>"0.¹.0.0."</code> maps to
-<code>"0.1.0.0."</code>, which <code>net.ParseIP</code> rejects on its
-own yet is still an IP literal for routing purposes.
+Apply the explicit safe pattern: after the IDNA mapping call, strip
+trailing dots from the result and parse it. Reject if
+<code>net.ParseIP</code> returns a non-<code>nil</code> address, or if
+<code>netip.ParseAddr</code> returns no error (note the inverted
+convention: <code>netip.ParseAddr</code> reports a successfully parsed
+address via <code>err == nil</code>, not via a non-zero return). The
+trailing-dot strip is required because <code>"0.¹.0.0."</code> maps to
+<code>"0.1.0.0."</code>, which a bare <code>net.ParseIP</code> rejects
+on its own yet is still an IP literal for routing purposes; the strip
+exposes the literal so the parser sees it.
 </li>
 </ol>
 </recommendation>
 
 <example>
 <p>
-Vulnerable pattern. <code>net.ParseIP</code> is called only before
-<code>idna.ToASCII</code>, so the smuggled literal slips through:
+Vulnerable pattern. The host string is mapped through the IDNA profile
+and reaches a network sink with no post-IDNA IP-literal recheck:
 </p>
 
 <sample src="IdnaIpLiteralSmuggleBad.go"/>
 
 <p>
-Safe pattern. Post-IDNA trailing-dot trim followed by
+Safe pattern. Post-IDNA trailing-dot strip followed by
 <code>net.ParseIP</code> recheck:
 </p>
 
 <sample src="IdnaIpLiteralSmuggleGood.go"/>
 
 <p>
-The safe pattern accepts three equivalent trailing-dot trim forms:
+The safe pattern accepts three trailing-dot strip forms. They are
+<strong>not</strong> equivalent in coverage:
 </p>
 <ul>
-  <li><code>strings.TrimRight(ace, ".")</code>: multi-dot form. Handles
-      the fullwidth and ideographic dot variants that produce multiple
-      trailing ASCII dots after UTS-46 mapping.</li>
-  <li><code>strings.TrimSuffix(ace, ".")</code>: single-dot form.
-      Sufficient for most inputs but incomplete for the multi-dot
-      variant.</li>
+  <li><code>strings.TrimRight(ace, ".")</code>: strict form. Strips
+      all trailing dots, so the multi-dot residue produced when UTS-46
+      maps the fullwidth dot U+FF0E or the ideographic dot U+3002 next
+      to ASCII dots is fully removed.</li>
+  <li><code>strings.TrimSuffix(ace, ".")</code>: lenient form. Strips
+      only one trailing dot. Sufficient for the canonical
+      <code>"0.1.0.0."</code> shape but leaves residue if multiple
+      trailing dots were produced by mapping.</li>
   <li><code>if strings.HasSuffix(ace, ".") { ace = ace[:len(ace)-1] }</code>:
-      manual slice form. Equivalent to <code>TrimSuffix</code> in
-      effect.</li>
+      manual single-dot slice. Behaves identically to
+      <code>TrimSuffix</code> in coverage and inherits the same
+      multi-dot-residue limitation.</li>
 </ul>
 <p>
-After trimming, call <code>netip.ParseAddr</code> (preferred) or
-<code>net.ParseIP</code> on the result and reject if it parses as an IP literal.
+Callers whose threat model includes the multi-trailing-dot variant
+should prefer <code>strings.TrimRight</code>. After the strip, parse
+with <code>netip.ParseAddr</code> (preferred) or <code>net.ParseIP</code>
+and reject if the value parses as an IP literal (<code>err == nil</code>
+for the former, non-<code>nil</code> return for the latter).
 </p>
 </example>
 

go/ql/src/experimental/CWE-918/IdnaIpLiteralSmuggle.ql

@@ -1,14 +1,16 @@
 /**
  * @name IDNA digit-fold IP-literal smuggling via UTS-46 NFKC mapping
- * @description An untrusted hostname flows through `golang.org/x/net/idna`
- *              mapping (which folds 100 non-ASCII Unicode digit codepoints to
- *              ASCII via UTS-46 NFKC) and reaches a security-relevant
- *              hostname sink without a post-IDNA IP-literal recheck. A
- *              caller that calls `net.ParseIP` only BEFORE `idna.ToASCII`
- *              will accept a smuggled IPv4 literal such as `"0.¹.0.0"`
- *              (which maps to `"0.1.0.0"`). Scope is IPv4 only because
- *              IPv6 colons are rejected by IDNA rune-validation before
- *              UTS-46 mapping runs.
+ * @description An untrusted hostname flows through
+ *              `(*golang.org/x/net/idna.Profile).ToASCII` or `.ToUnicode`
+ *              on a digit-folding profile (which folds 100 non-ASCII
+ *              Unicode digit codepoints to ASCII via UTS-46 NFKC) and
+ *              reaches a security-relevant hostname sink without a
+ *              post-IDNA IP-literal recheck. A caller that omits the
+ *              recheck (or only runs `net.ParseIP` BEFORE the mapping
+ *              call) will accept a smuggled IPv4 literal such as
+ *              `"0.¹.0.0"` (which maps to `"0.1.0.0"`). Scope is IPv4
+ *              only because IPv6 colons are rejected by IDNA
+ *              rune-validation before UTS-46 mapping runs.
  * @id go/idna-ip-literal-smuggle
  * @kind path-problem
  * @problem.severity warning
@@ -30,5 +32,5 @@ from
   Flow::PathNode sink
 where Flow::flowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Untrusted hostname from $@ flows through `idna.ToASCII` (which performs UTS-46 NFKC digit folding) and reaches this hostname sink without a post-IDNA `net.ParseIP` recheck (after a trailing-dot trim).",
+  "Untrusted hostname from $@ flows through a `golang.org/x/net/idna` mapping call (which performs UTS-46 NFKC digit folding) and reaches this hostname sink without a post-IDNA `net.ParseIP` (or `netip.ParseAddr`) recheck on the trailing-dot-stripped value.",
   source.getNode(), "this user-controlled value"

go/ql/src/experimental/CWE-918/IdnaIpLiteralSmuggle.qll

@@ -5,18 +5,19 @@
  * Background
  * ----------
  * `golang.org/x/net/idna` applies UTS-46 NFKC mapping inside
- * `(*Profile).ToASCII`, which folds 100 non-ASCII Unicode digit codepoints
- * to their ASCII equivalents. The 100 codepoints span 8 families: Latin-1
- * superscripts, mathematical superscripts and subscripts, circled digits,
- * fullwidth digits, mathematical bold and sans-serif and double-struck
- * and monospace digits, and segmented digits. A caller that runs
- * `net.ParseIP` BEFORE `idna.ToASCII` will reject non-ASCII inputs as
- * non-IP, pass them to the IDNA library, and then receive a valid ASCII
- * IPv4 literal back as the "domain name" output. The post-IDNA result
- * silently bypasses any downstream IP-literal guard because the caller
- * never re-checks. Scope is IPv4 only. IPv6 colons are rejected by IDNA
- * rune-validation before UTS-46 mapping runs, so no IPv6 smuggle path
- * exists.
+ * `(*Profile).ToASCII` and `(*Profile).ToUnicode`, which fold 100
+ * non-ASCII Unicode digit codepoints to their ASCII equivalents. The
+ * 100 codepoints span Latin-1 superscripts, mathematical superscripts
+ * and subscripts, circled digits, fullwidth digits, the Mathematical
+ * Alphanumeric Symbols block (bold, double-struck, sans-serif,
+ * sans-serif-bold, and monospace digit styles), and segmented digits.
+ * Devanagari digits are not in scope; they pass through Punycode rather
+ * than fold to ASCII. A caller that omits a post-IDNA IP-literal
+ * recheck (or that only checks BEFORE the IDNA call) will accept a
+ * smuggled IPv4 literal back as the "domain name" output and pass it
+ * to a downstream allowlist, SSRF guard, or routing decision unguarded.
+ * Scope is IPv4 only. IPv6 colons are rejected by IDNA rune-validation
+ * before UTS-46 mapping runs, so no IPv6 smuggle path exists.
  *
  * Modeling
  * --------
@@ -28,10 +29,15 @@
  *   - `TPreIdna`  : untrusted hostname before IDNA mapping
  *   - `TPostIdna` : mapped output flowing toward a security-relevant sink
  *
- * `(*idna.Profile).ToASCII` (and the package-level `idna.ToASCII`,
- * `Lookup.ToASCII`, `MapForLookup().ToASCII`) is modeled as a
- * state-transition additional flow step that flips
- * `TPreIdna -> TPostIdna`.
+ * `(*idna.Profile).ToASCII` and `(*idna.Profile).ToUnicode` on the
+ * digit-folding profiles (`Lookup`, `Display`, `Registration`, and any
+ * profile constructed via `idna.New(idna.MapForLookup(), ...)`) are
+ * modeled as state-transition additional flow steps that flip
+ * `TPreIdna -> TPostIdna`. The package-level `idna.ToASCII` helper is
+ * intentionally NOT modeled because it dispatches to
+ * `Punycode.process(...)`, which has a nil UTS-46 mapping and so
+ * cannot produce the digit-fold smuggle. The `Punycode` profile is
+ * excluded for the same reason.
  *
  * The barrier is `net.ParseIP`, `net.ParseCIDR`, `netip.ParseAddr`, or
  * `netip.ParsePrefix` consumed in `TPostIdna`. The safe pattern requires