From 321b3f1ab596eaa06ccd1e8cea82eba8beeecae7 Mon Sep 17 00:00:00 2001 From: Esben Sparre Andreasen Date: Wed, 30 Jan 2019 10:18:00 +0100 Subject: [PATCH] JS: use ports to sharpen js/incomplete-url-substring-sanitization --- .../Security/CWE-020/IncompleteUrlSubstringSanitization.ql | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql index 3964bbd86e8..4c8b420583a 100644 --- a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql +++ b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql @@ -51,7 +51,7 @@ where name = "endsWith" and target.regexpMatch("(?i)\\.([a-z0-9-]+)(\\.[a-z0-9-]+)+") or - // the trailing slash makes the prefix-check safe + // the trailing port or slash makes the prefix-check safe ( name = "startsWith" or @@ -61,6 +61,6 @@ where n.getIntValue() = 0 ) ) and - target.regexpMatch(".*/") + target.regexpMatch(".*(:[0-9]+|/)") ) select call, "'$@' may be at an arbitrary position in the sanitized URL.", substring, target
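Review bot: The new alternative `:[0-9]+` in `target.regexpMatch(".*(:[0-9]+|/)")` treats a `startsWith` target that ends in a port as a complete check, but a port is not a terminator the way `/` is: the checked URL can continue with further digits, or with `@`, in which case a URL parser may read the whole prefix as userinfo and take the host from what follows. If that holds, the query now stays silent on a prefix check that is still incomplete, so I would either keep the exemption to targets ending in `/` or record the limitation next to it, e.g. `// a trailing port only stops the host name from being extended; the check is complete only with a trailing '/'`. The diffstat shows one changed file, so no test case for a port-terminated target accompanies the change; one target with and one without a trailing slash would pin the intended behaviour. The `where` clause starts outside the hunks.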