Java: adjust BarrierPrefix to handle prepended chars

Jami Cogswell
2024-03-13 16:27:25 -04:00
parent 5ac453eb38
commit 1b01f26d09
2 changed files with 4 additions and 3 deletions


@@ -71,6 +71,8 @@ private class BarrierPrefix extends InterestingPrefix {
// Matches strings that look like when prepended to untrusted input, they will restrict
// the path of a URL: for example, anything containing `?` or `#`.
exists(this.getStringValue().regexpFind("[?#]", 0, offset))
or
this.(CharacterLiteral).getValue() = ["?", "#"] and offset = 0
}
override int getOffset() { result = offset }
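Review bot: The comment above the first disjunct still says the class matches strings only, but the added branch `this.(CharacterLiteral).getValue() = ["?", "#"] and offset = 0` also accepts single-character literals. I would extend the comment, for example `// Also matches the character literals '?' and '#', as in sb.append('?').append(tainted).` Because this class acts as a barrier, every literal it matches suppresses a URL-forward result. The comment should therefore state the assumption the barrier relies on: once `?` or `#` precedes the untrusted data, that data can only land in the query or fragment and cannot change the forwarded path. The characteristic predicate starts above the hunk, so the declaration of `offset` is not visible here.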


@@ -389,7 +389,7 @@ public class UrlForwardTest extends HttpServlet implements Filter {
}
}
// Test `StringBuilder.append` sequence with `?` appended before the user input
// GOOD: char `?` appended before the user input
private static final String LOGIN_URL = "/UI/Login";
public void doPost2(HttpServletRequest request, HttpServletResponse response)
@@ -399,14 +399,13 @@ public class UrlForwardTest extends HttpServlet implements Filter {
String queryString = request.getQueryString();
// should be sanitized due to the `?` appended
forwardUrl.append('?').append(queryString);
String fUrl = forwardUrl.toString();
ServletConfig config = getServletConfig();
RequestDispatcher dispatcher = config.getServletContext().getRequestDispatcher(fUrl); // $ SPURIOUS: hasUrlForward
RequestDispatcher dispatcher = config.getServletContext().getRequestDispatcher(fUrl);
dispatcher.forward(request, response);
}
}
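Review bot: Only the `'?'` character literal is exercised by the visible test, in doPost2, while the library change also treats `'#'` as a barrier. If no such case exists elsewhere in the file, add a copy of doPost2 whose append line reads `forwardUrl.append('#').append(queryString);` and is expected to produce no result. A negative case is just as useful for guarding the barrier against over-matching: the same flow with a character literal that is not `?` or `#` should still carry a `// $ hasUrlForward` expectation on the `getRequestDispatcher` line. doPost2's body starts outside the hunk, so the construction of `forwardUrl` is not visible here.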