From 4e5b17e18d1c6604d02ad8e7e8b95a78aa00ae49 Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Thu, 2 Apr 2020 00:58:09 -0700
Subject: [PATCH] Sanitize hostname if there is a slash and a previous component

---
 ql/src/semmle/go/security/UrlConcatenation.qll | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ql/src/semmle/go/security/UrlConcatenation.qll b/ql/src/semmle/go/security/UrlConcatenation.qll
index 9c75b3f8279..c0ff4ff960c 100644
--- a/ql/src/semmle/go/security/UrlConcatenation.qll
+++ b/ql/src/semmle/go/security/UrlConcatenation.qll
@@ -55,6 +55,9 @@ private predicate concatenationHasHostnameSanitizingSubstring(StringOps::Concate
 exists(StringOps::ConcatenationLeaf lf | lf = cat.getALeaf() |
 lf.getStringValue().regexpMatch(".*([?#]|[^?#:/\\\\][/\\\\]).*|[/\\\\][^/\\\\].*")
 or
+ lf.getStringValue() = "/" and
+ exists(lf.getPreviousLeaf())
+ or
 hasHostnameSanitizingSubstring(lf.asNode())
 )
 }
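Review bot: The added clause treats a bare `"/"` leaf as hostname-sanitizing whenever any leaf precedes it, but unlike the single-leaf regex on the line above it never looks at what that previous leaf ends with, so the restriction that a slash preceded by `?`, `#`, `:`, `/` or `\` does not count (because it still opens the authority part rather than closing it) is silently dropped across a leaf boundary — for instance a previous constant leaf ending in `:/` or `//` followed by the `"/"` leaf would now be classified as sanitized. Consider binding the previous leaf and reusing the same exclusion, e.g. `exists(StringOps::ConcatenationLeaf prev | prev = lf.getPreviousLeaf() | not prev.getStringValue().regexpMatch(".*[?#:/\\\\]"))`, and decide explicitly whether a previous leaf with no constant string value should still qualify, since `not` over a missing `getStringValue()` would exclude it. The new clause also matches only `"/"`, while the existing regex accepts backslash as an equivalent separator, so a bare `"\\"` leaf is not covered; `lf.getStringValue().regexpMatch("[/\\\\]")` would keep the two cases consistent. The enclosing predicate's signature is outside the hunk, so whether callers already restrict where `lf` sits relative to the tainted leaf cannot be confirmed from here.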