dimfeld / httptreemux

High-speed, flexible tree-based HTTP router for Go.


Go ParseThru vulnerability

f-hluchnik opened this issue · comments

There is a vulnerability in Go url parsing. More on that here: https://www.oxeye.io/blog/golang-parameter-smuggling-attack

In a nutshell, the method Query() ignores the error produced by another function when finding a semicolon when parsing the query.
The solution is to replace usage of query = r.URL.Query() with query, err = url.ParseQuery(r.URL.RawQuery) to avoid ignoring the error produced by finding a semicolon when parsing the query.
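The following is an added example illustrating the behaviour described above; it is not code from the issue author or from httptreemux. It assumes Go 1.17 or later (where url.ParseQuery treats an unescaped ';' as an error) and uses hypothetical helper names (LenientQuery, StrictQuery, QueryHandler) and constructed query strings. It shows side by side what r.URL.Query() does with a semicolon (drops the affected pair and says nothing) and what the proposed url.ParseQuery(r.URL.RawQuery) call returns instead, then wires the strict version into a plain net/http handler that rejects such requests with 400.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// LenientQuery mirrors what r.URL.Query() does: url.Values' Query() calls
// url.ParseQuery internally and discards the returned error, so any
// key=value pair containing an unescaped ';' silently vanishes.
// (Hypothetical helper name; constructed for this example.)
func LenientQuery(rawQuery string) url.Values {
	u := &url.URL{RawQuery: rawQuery}
	return u.Query()
}

// StrictQuery is the fix proposed in the issue: parse RawQuery directly with
// url.ParseQuery so the "invalid semicolon separator in query" error is
// surfaced to the caller instead of being ignored.
func StrictQuery(rawQuery string) (url.Values, error) {
	return url.ParseQuery(rawQuery)
}

// QueryHandler is a hypothetical handler showing how a router or handler
// would use StrictQuery: a request whose query string does not parse
// cleanly is refused, so a smuggled pair such as "user=alice;role=admin"
// is neither dropped nor reinterpreted differently by a downstream parser.
func QueryHandler(w http.ResponseWriter, r *http.Request) {
	q, err := StrictQuery(r.URL.RawQuery)
	if err != nil {
		http.Error(w, "bad query string: "+err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "user=%q page=%q\n", q.Get("user"), q.Get("page"))
}

func main() {
	// Constructed sample inputs: one clean query, one carrying a semicolon.
	for _, raw := range []string{"user=alice&page=2", "user=alice;role=admin&page=2"} {
		fmt.Printf("raw query: %q\n", raw)
		fmt.Printf("  Query() (error ignored): %v\n", LenientQuery(raw))
		v, err := StrictQuery(raw)
		fmt.Printf("  ParseQuery: %v err=%v\n", v, err)
	}
}
```

With the semicolon input, LenientQuery returns only page=2 and gives no hint that user=alice was dropped, while StrictQuery returns the same partial map together with a non-nil error that the handler can act on.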