diff --git a/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected b/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected
index 1b1553da7eb..452c0337f02 100644
--- a/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected
+++ b/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected
@@ -252,8 +252,10 @@
 | SanitizationTests.java:120:25:120:32 | unsafer9 | SanitizationTests.java:118:33:118:63 | getParameter(...) : String | SanitizationTests.java:120:25:120:32 | unsafer9 | Potential server-side request forgery due to a $@. | SanitizationTests.java:118:33:118:63 | getParameter(...) | user-provided value |
 | SanitizationTests.java:123:60:123:79 | new URI(...) | SanitizationTests.java:122:94:122:125 | getParameter(...) : String | SanitizationTests.java:123:60:123:79 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:122:94:122:125 | getParameter(...) | user-provided value |
 | SanitizationTests.java:124:25:124:33 | unsafer10 | SanitizationTests.java:122:94:122:125 | getParameter(...) : String | SanitizationTests.java:124:25:124:33 | unsafer10 | Potential server-side request forgery due to a $@. | SanitizationTests.java:122:94:122:125 | getParameter(...) | user-provided value |
-| SanitizationTests.java:175:54:175:113 | new URI(...) | SanitizationTests.java:175:82:175:110 | getParameter(...) : String | SanitizationTests.java:175:54:175:113 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:175:82:175:110 | getParameter(...) | user-provided value |
-| SanitizationTests.java:176:25:176:27 | r18 | SanitizationTests.java:175:82:175:110 | getParameter(...) : String | SanitizationTests.java:176:25:176:27 | r18 | Potential server-side request forgery due to a $@. | SanitizationTests.java:175:82:175:110 | getParameter(...) | user-provided value |
+| SanitizationTests.java:150:59:150:83 | new URI(...) | SanitizationTests.java:145:30:145:58 | getParameter(...) : String | SanitizationTests.java:150:59:150:83 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:145:30:145:58 | getParameter(...) | user-provided value |
+| SanitizationTests.java:151:29:151:32 | r13b | SanitizationTests.java:145:30:145:58 | getParameter(...) : String | SanitizationTests.java:151:29:151:32 | r13b | Potential server-side request forgery due to a $@. | SanitizationTests.java:145:30:145:58 | getParameter(...) | user-provided value |
+| SanitizationTests.java:177:54:177:113 | new URI(...) | SanitizationTests.java:177:82:177:110 | getParameter(...) : String | SanitizationTests.java:177:54:177:113 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:177:82:177:110 | getParameter(...) | user-provided value |
+| SanitizationTests.java:178:25:178:27 | r18 | SanitizationTests.java:177:82:177:110 | getParameter(...) : String | SanitizationTests.java:178:25:178:27 | r18 | Potential server-side request forgery due to a $@. | SanitizationTests.java:177:82:177:110 | getParameter(...) | user-provided value |
 | SpringSSRF.java:32:39:32:59 | ... + ... | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:32:39:32:59 | ... + ... | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value |
 | SpringSSRF.java:33:69:33:82 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:33:69:33:82 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value |
 | SpringSSRF.java:34:73:34:86 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:34:73:34:86 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value |
@@ -405,11 +407,11 @@ edges
 | ApacheHttpSSRF.java:28:31:28:34 | sink : String | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | provenance | Config |
 | ApacheHttpSSRF.java:28:31:28:34 | sink : String | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | provenance | MaD:285 |
 | ApacheHttpSSRF.java:42:62:42:64 | uri : URI | ApacheHttpSSRF.java:42:62:42:75 | toString(...) : String | provenance | MaD:286 |
-| ApacheHttpSSRF.java:42:62:42:75 | toString(...) : String | ApacheHttpSSRF.java:42:34:42:82 | new BasicRequestLine(...) | provenance | MaD:295 Sink:MaD:231 |
+| ApacheHttpSSRF.java:42:62:42:75 | toString(...) : String | ApacheHttpSSRF.java:42:34:42:82 | new BasicRequestLine(...) | provenance | MaD:297 Sink:MaD:231 |
 | ApacheHttpSSRF.java:43:41:43:43 | uri : URI | ApacheHttpSSRF.java:43:41:43:54 | toString(...) | provenance | MaD:286 Sink:MaD:232 |
 | ApacheHttpSSRF.java:44:41:44:43 | uri : URI | ApacheHttpSSRF.java:44:41:44:54 | toString(...) | provenance | MaD:286 Sink:MaD:233 |
 | ApacheHttpSSRF.java:46:77:46:79 | uri : URI | ApacheHttpSSRF.java:46:77:46:90 | toString(...) : String | provenance | MaD:286 |
-| ApacheHttpSSRF.java:46:77:46:90 | toString(...) : String | ApacheHttpSSRF.java:46:49:46:97 | new BasicRequestLine(...) | provenance | MaD:295 Sink:MaD:228 |
+| ApacheHttpSSRF.java:46:77:46:90 | toString(...) : String | ApacheHttpSSRF.java:46:49:46:97 | new BasicRequestLine(...) | provenance | MaD:297 Sink:MaD:228 |
 | ApacheHttpSSRF.java:47:56:47:58 | uri : URI | ApacheHttpSSRF.java:47:56:47:69 | toString(...) | provenance | MaD:286 Sink:MaD:229 |
 | ApacheHttpSSRF.java:48:56:48:58 | uri : URI | ApacheHttpSSRF.java:48:56:48:69 | toString(...) | provenance | MaD:286 Sink:MaD:230 |
 | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:42:31:42:37 | uriSink : String | provenance | Src:MaD:277  |
@@ -503,7 +505,7 @@ edges
 | ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:132:36:132:39 | host | provenance | Sink:MaD:100 |
 | ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:136:38:136:41 | host | provenance | Sink:MaD:103 |
 | ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:162:52:162:55 | host | provenance | Sink:MaD:204 |
-| ApacheHttpSSRFVersion5.java:45:42:45:49 | hostSink : String | ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | provenance | MaD:294 |
+| ApacheHttpSSRFVersion5.java:45:42:45:49 | hostSink : String | ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | provenance | MaD:296 |
 | ApacheHttpSSRFVersion5.java:49:54:49:56 | uri : URI | ApacheHttpSSRFVersion5.java:49:54:49:67 | toString(...) | provenance | MaD:286 Sink:MaD:39 |
 | ApacheHttpSSRFVersion5.java:51:48:51:50 | uri : URI | ApacheHttpSSRFVersion5.java:51:48:51:61 | toString(...) | provenance | MaD:286 Sink:MaD:41 |
 | ApacheHttpSSRFVersion5.java:55:38:55:40 | uri : URI | ApacheHttpSSRFVersion5.java:55:38:55:51 | toString(...) | provenance | MaD:286 Sink:MaD:44 |
@@ -633,7 +635,7 @@ edges
 | ApacheHttpSSRFVersion5.java:298:31:298:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:299:42:299:49 | hostSink : String | provenance | Src:MaD:277  |
 | ApacheHttpSSRFVersion5.java:299:29:299:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:303:34:303:37 | host | provenance | Sink:MaD:178 |
 | ApacheHttpSSRFVersion5.java:299:29:299:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:304:34:304:37 | host | provenance | Sink:MaD:179 |
-| ApacheHttpSSRFVersion5.java:299:42:299:49 | hostSink : String | ApacheHttpSSRFVersion5.java:299:29:299:50 | new HttpHost(...) : HttpHost | provenance | MaD:294 |
+| ApacheHttpSSRFVersion5.java:299:42:299:49 | hostSink : String | ApacheHttpSSRFVersion5.java:299:29:299:50 | new HttpHost(...) : HttpHost | provenance | MaD:296 |
 | ApacheHttpSSRFVersion5.java:308:60:308:62 | uri : URI | ApacheHttpSSRFVersion5.java:308:60:308:73 | toString(...) | provenance | MaD:286 Sink:MaD:208 |
 | ApacheHttpSSRFVersion5.java:313:53:313:55 | uri : URI | ApacheHttpSSRFVersion5.java:313:53:313:66 | toString(...) | provenance | MaD:286 Sink:MaD:208 |
 | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:327:31:327:37 | uriSink : String | provenance | Src:MaD:277  |
@@ -659,7 +661,7 @@ edges
 | ApacheHttpSSRFVersion5.java:327:31:327:37 | uriSink : String | ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | provenance | MaD:285 |
 | ApacheHttpSSRFVersion5.java:329:31:329:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:330:42:330:49 | hostSink : String | provenance | Src:MaD:277  |
 | ApacheHttpSSRFVersion5.java:330:29:330:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:354:53:354:56 | host | provenance | Sink:MaD:204 |
-| ApacheHttpSSRFVersion5.java:330:42:330:49 | hostSink : String | ApacheHttpSSRFVersion5.java:330:29:330:50 | new HttpHost(...) : HttpHost | provenance | MaD:294 |
+| ApacheHttpSSRFVersion5.java:330:42:330:49 | hostSink : String | ApacheHttpSSRFVersion5.java:330:29:330:50 | new HttpHost(...) : HttpHost | provenance | MaD:296 |
 | ApacheHttpSSRFVersion5.java:333:42:333:44 | uri : URI | ApacheHttpSSRFVersion5.java:333:42:333:55 | toString(...) | provenance | MaD:286 Sink:MaD:180 |
 | ApacheHttpSSRFVersion5.java:336:39:336:41 | uri : URI | ApacheHttpSSRFVersion5.java:336:39:336:52 | toString(...) | provenance | MaD:286 Sink:MaD:182 |
 | ApacheHttpSSRFVersion5.java:339:40:339:42 | uri : URI | ApacheHttpSSRFVersion5.java:339:40:339:53 | toString(...) | provenance | MaD:286 Sink:MaD:184 |
@@ -683,7 +685,7 @@ edges
 | ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:381:51:381:54 | host | provenance | Sink:MaD:198 |
 | ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:385:50:385:53 | host | provenance | Sink:MaD:200 |
 | ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:387:44:387:47 | host | provenance | Sink:MaD:202 |
-| ApacheHttpSSRFVersion5.java:376:42:376:49 | hostSink : String | ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | provenance | MaD:294 |
+| ApacheHttpSSRFVersion5.java:376:42:376:49 | hostSink : String | ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | provenance | MaD:296 |
 | JakartaWsSSRF.java:14:22:14:48 | getParameter(...) : String | JakartaWsSSRF.java:15:23:15:25 | url | provenance | Src:MaD:277 Sink:MaD:3 |
 | JavaNetHttpSSRF.java:25:27:25:53 | getParameter(...) : String | JavaNetHttpSSRF.java:26:31:26:34 | sink : String | provenance | Src:MaD:277  |
 | JavaNetHttpSSRF.java:26:23:26:35 | new URI(...) : URI | JavaNetHttpSSRF.java:39:59:39:61 | uri | provenance | Sink:MaD:6 |
@@ -710,7 +712,7 @@ edges
 | JdbcUrlSSRF.java:52:9:52:13 | props : Properties | JdbcUrlSSRF.java:54:49:54:53 | props | provenance | Sink:MaD:1 |
 | JdbcUrlSSRF.java:52:9:52:13 | props [post update] : Properties [<map.value>] : String | JdbcUrlSSRF.java:54:49:54:53 | props | provenance | Sink:MaD:1 |
 | JdbcUrlSSRF.java:52:38:52:44 | jdbcUrl : String | JdbcUrlSSRF.java:52:9:52:13 | props : Properties | provenance | Config |
-| JdbcUrlSSRF.java:52:38:52:44 | jdbcUrl : String | JdbcUrlSSRF.java:52:9:52:13 | props [post update] : Properties [<map.value>] : String | provenance | MaD:293 |
+| JdbcUrlSSRF.java:52:38:52:44 | jdbcUrl : String | JdbcUrlSSRF.java:52:9:52:13 | props [post update] : Properties [<map.value>] : String | provenance | MaD:295 |
 | JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | JdbcUrlSSRF.java:65:27:65:33 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:257 |
 | JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | JdbcUrlSSRF.java:67:75:67:81 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:258 |
 | JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | JdbcUrlSSRF.java:70:75:70:81 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:260 |
@@ -835,18 +837,29 @@ edges
 | SanitizationTests.java:123:68:123:78 | unsafeUri10 : String | SanitizationTests.java:123:60:123:79 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
 | SanitizationTests.java:123:68:123:78 | unsafeUri10 : String | SanitizationTests.java:123:60:123:79 | new URI(...) : URI | provenance | Config |
 | SanitizationTests.java:123:68:123:78 | unsafeUri10 : String | SanitizationTests.java:123:60:123:79 | new URI(...) : URI | provenance | MaD:285 |
-| SanitizationTests.java:175:31:175:114 | newBuilder(...) : Builder | SanitizationTests.java:175:31:175:122 | build(...) : HttpRequest | provenance | MaD:283 |
-| SanitizationTests.java:175:31:175:122 | build(...) : HttpRequest | SanitizationTests.java:176:25:176:27 | r18 | provenance | Sink:MaD:4 |
-| SanitizationTests.java:175:54:175:113 | new URI(...) : URI | SanitizationTests.java:175:31:175:114 | newBuilder(...) : Builder | provenance | MaD:284 |
-| SanitizationTests.java:175:62:175:112 | getFromList(...) : String | SanitizationTests.java:175:54:175:113 | new URI(...) | provenance | Config Sink:MaD:6 |
-| SanitizationTests.java:175:62:175:112 | getFromList(...) : String | SanitizationTests.java:175:54:175:113 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
-| SanitizationTests.java:175:62:175:112 | getFromList(...) : String | SanitizationTests.java:175:54:175:113 | new URI(...) : URI | provenance | Config |
-| SanitizationTests.java:175:62:175:112 | getFromList(...) : String | SanitizationTests.java:175:54:175:113 | new URI(...) : URI | provenance | MaD:285 |
-| SanitizationTests.java:175:74:175:111 | of(...) : List [<element>] : String | SanitizationTests.java:175:62:175:112 | getFromList(...) : String | provenance | MaD:290 |
-| SanitizationTests.java:175:74:175:111 | of(...) : List [<element>] : String | SanitizationTests.java:197:31:197:112 | list : List [<element>] : String | provenance |  |
-| SanitizationTests.java:175:82:175:110 | getParameter(...) : String | SanitizationTests.java:175:74:175:111 | of(...) : List [<element>] : String | provenance | Src:MaD:277 MaD:289 |
-| SanitizationTests.java:197:31:197:112 | list : List [<element>] : String | SanitizationTests.java:198:16:198:19 | list : List [<element>] : String | provenance |  |
-| SanitizationTests.java:198:16:198:19 | list : List [<element>] : String | SanitizationTests.java:198:16:198:26 | get(...) : String | provenance | MaD:290 |
+| SanitizationTests.java:145:30:145:58 | getParameter(...) : String | SanitizationTests.java:146:47:146:53 | param13 : String | provenance | Src:MaD:277  |
+| SanitizationTests.java:146:31:146:54 | matcher(...) : Matcher | SanitizationTests.java:150:67:150:73 | matcher : Matcher | provenance |  |
+| SanitizationTests.java:146:47:146:53 | param13 : String | SanitizationTests.java:146:31:146:54 | matcher(...) : Matcher | provenance | MaD:290 |
+| SanitizationTests.java:150:36:150:84 | newBuilder(...) : Builder | SanitizationTests.java:150:36:150:92 | build(...) : HttpRequest | provenance | MaD:283 |
+| SanitizationTests.java:150:36:150:92 | build(...) : HttpRequest | SanitizationTests.java:151:29:151:32 | r13b | provenance | Sink:MaD:4 |
+| SanitizationTests.java:150:59:150:83 | new URI(...) : URI | SanitizationTests.java:150:36:150:84 | newBuilder(...) : Builder | provenance | MaD:284 |
+| SanitizationTests.java:150:67:150:73 | matcher : Matcher | SanitizationTests.java:150:67:150:82 | group(...) : String | provenance | MaD:289 |
+| SanitizationTests.java:150:67:150:82 | group(...) : String | SanitizationTests.java:150:59:150:83 | new URI(...) | provenance | Config Sink:MaD:6 |
+| SanitizationTests.java:150:67:150:82 | group(...) : String | SanitizationTests.java:150:59:150:83 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
+| SanitizationTests.java:150:67:150:82 | group(...) : String | SanitizationTests.java:150:59:150:83 | new URI(...) : URI | provenance | Config |
+| SanitizationTests.java:150:67:150:82 | group(...) : String | SanitizationTests.java:150:59:150:83 | new URI(...) : URI | provenance | MaD:285 |
+| SanitizationTests.java:177:31:177:114 | newBuilder(...) : Builder | SanitizationTests.java:177:31:177:122 | build(...) : HttpRequest | provenance | MaD:283 |
+| SanitizationTests.java:177:31:177:122 | build(...) : HttpRequest | SanitizationTests.java:178:25:178:27 | r18 | provenance | Sink:MaD:4 |
+| SanitizationTests.java:177:54:177:113 | new URI(...) : URI | SanitizationTests.java:177:31:177:114 | newBuilder(...) : Builder | provenance | MaD:284 |
+| SanitizationTests.java:177:62:177:112 | getFromList(...) : String | SanitizationTests.java:177:54:177:113 | new URI(...) | provenance | Config Sink:MaD:6 |
+| SanitizationTests.java:177:62:177:112 | getFromList(...) : String | SanitizationTests.java:177:54:177:113 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
+| SanitizationTests.java:177:62:177:112 | getFromList(...) : String | SanitizationTests.java:177:54:177:113 | new URI(...) : URI | provenance | Config |
+| SanitizationTests.java:177:62:177:112 | getFromList(...) : String | SanitizationTests.java:177:54:177:113 | new URI(...) : URI | provenance | MaD:285 |
+| SanitizationTests.java:177:74:177:111 | of(...) : List [<element>] : String | SanitizationTests.java:177:62:177:112 | getFromList(...) : String | provenance | MaD:292 |
+| SanitizationTests.java:177:74:177:111 | of(...) : List [<element>] : String | SanitizationTests.java:199:31:199:112 | list : List [<element>] : String | provenance |  |
+| SanitizationTests.java:177:82:177:110 | getParameter(...) : String | SanitizationTests.java:177:74:177:111 | of(...) : List [<element>] : String | provenance | Src:MaD:277 MaD:291 |
+| SanitizationTests.java:199:31:199:112 | list : List [<element>] : String | SanitizationTests.java:200:16:200:19 | list : List [<element>] : String | provenance |  |
+| SanitizationTests.java:200:16:200:19 | list : List [<element>] : String | SanitizationTests.java:200:16:200:26 | get(...) : String | provenance | MaD:292 |
 | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:32:39:32:59 | ... + ... | provenance | Src:MaD:277 Sink:MaD:264 |
 | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:33:69:33:82 | fooResourceUrl | provenance | Src:MaD:277  |
 | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:34:73:34:86 | fooResourceUrl | provenance | Src:MaD:277  |
@@ -878,16 +891,16 @@ edges
 | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:82:107:82:120 | fooResourceUrl : String | provenance | Src:MaD:277  |
 | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:84:129:84:142 | fooResourceUrl : String | provenance | Src:MaD:277  |
 | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:87:48:87:61 | fooResourceUrl : String | provenance | Src:MaD:277  |
-| SpringSSRF.java:38:83:38:96 | fooResourceUrl : String | SpringSSRF.java:38:69:38:97 | of(...) | provenance | MaD:291 |
-| SpringSSRF.java:40:105:40:118 | fooResourceUrl : String | SpringSSRF.java:40:69:40:119 | of(...) | provenance | MaD:292 |
-| SpringSSRF.java:49:105:49:118 | fooResourceUrl : String | SpringSSRF.java:49:91:49:119 | of(...) | provenance | MaD:291 |
-| SpringSSRF.java:51:127:51:140 | fooResourceUrl : String | SpringSSRF.java:51:91:51:141 | of(...) | provenance | MaD:292 |
-| SpringSSRF.java:60:93:60:106 | fooResourceUrl : String | SpringSSRF.java:60:79:60:107 | of(...) | provenance | MaD:291 |
-| SpringSSRF.java:62:115:62:128 | fooResourceUrl : String | SpringSSRF.java:62:79:62:129 | of(...) | provenance | MaD:292 |
-| SpringSSRF.java:71:83:71:96 | fooResourceUrl : String | SpringSSRF.java:71:69:71:97 | of(...) | provenance | MaD:291 |
-| SpringSSRF.java:73:105:73:118 | fooResourceUrl : String | SpringSSRF.java:73:69:73:119 | of(...) | provenance | MaD:292 |
-| SpringSSRF.java:82:107:82:120 | fooResourceUrl : String | SpringSSRF.java:82:93:82:121 | of(...) | provenance | MaD:291 |
-| SpringSSRF.java:84:129:84:142 | fooResourceUrl : String | SpringSSRF.java:84:93:84:143 | of(...) | provenance | MaD:292 |
+| SpringSSRF.java:38:83:38:96 | fooResourceUrl : String | SpringSSRF.java:38:69:38:97 | of(...) | provenance | MaD:293 |
+| SpringSSRF.java:40:105:40:118 | fooResourceUrl : String | SpringSSRF.java:40:69:40:119 | of(...) | provenance | MaD:294 |
+| SpringSSRF.java:49:105:49:118 | fooResourceUrl : String | SpringSSRF.java:49:91:49:119 | of(...) | provenance | MaD:293 |
+| SpringSSRF.java:51:127:51:140 | fooResourceUrl : String | SpringSSRF.java:51:91:51:141 | of(...) | provenance | MaD:294 |
+| SpringSSRF.java:60:93:60:106 | fooResourceUrl : String | SpringSSRF.java:60:79:60:107 | of(...) | provenance | MaD:293 |
+| SpringSSRF.java:62:115:62:128 | fooResourceUrl : String | SpringSSRF.java:62:79:62:129 | of(...) | provenance | MaD:294 |
+| SpringSSRF.java:71:83:71:96 | fooResourceUrl : String | SpringSSRF.java:71:69:71:97 | of(...) | provenance | MaD:293 |
+| SpringSSRF.java:73:105:73:118 | fooResourceUrl : String | SpringSSRF.java:73:69:73:119 | of(...) | provenance | MaD:294 |
+| SpringSSRF.java:82:107:82:120 | fooResourceUrl : String | SpringSSRF.java:82:93:82:121 | of(...) | provenance | MaD:293 |
+| SpringSSRF.java:84:129:84:142 | fooResourceUrl : String | SpringSSRF.java:84:93:84:143 | of(...) | provenance | MaD:294 |
 | SpringSSRF.java:87:48:87:61 | fooResourceUrl : String | SpringSSRF.java:87:40:87:62 | new URI(...) | provenance | Config Sink:MaD:269 |
 | SpringSSRF.java:87:48:87:61 | fooResourceUrl : String | SpringSSRF.java:87:40:87:62 | new URI(...) | provenance | MaD:285 Sink:MaD:269 |
 | SpringSSRF.java:87:48:87:61 | fooResourceUrl : String | SpringSSRF.java:88:92:88:105 | fooResourceUrl | provenance |  |
@@ -932,20 +945,20 @@ edges
 | SpringSSRF.java:87:48:87:61 | fooResourceUrl : String | SpringSSRF.java:159:72:159:85 | fooResourceUrl : String | provenance |  |
 | SpringSSRF.java:87:48:87:61 | fooResourceUrl : String | SpringSSRF.java:161:94:161:107 | fooResourceUrl : String | provenance |  |
 | SpringSSRF.java:87:48:87:61 | fooResourceUrl : String | SpringSSRF.java:166:35:166:48 | fooResourceUrl : String | provenance |  |
-| SpringSSRF.java:93:106:93:119 | fooResourceUrl : String | SpringSSRF.java:93:92:93:120 | of(...) | provenance | MaD:291 |
-| SpringSSRF.java:95:128:95:141 | fooResourceUrl : String | SpringSSRF.java:95:92:95:142 | of(...) | provenance | MaD:292 |
-| SpringSSRF.java:104:94:104:107 | fooResourceUrl : String | SpringSSRF.java:104:80:104:108 | of(...) | provenance | MaD:291 |
-| SpringSSRF.java:106:116:106:129 | fooResourceUrl : String | SpringSSRF.java:106:80:106:130 | of(...) | provenance | MaD:292 |
-| SpringSSRF.java:115:106:115:119 | fooResourceUrl : String | SpringSSRF.java:115:92:115:120 | of(...) | provenance | MaD:291 |
-| SpringSSRF.java:117:128:117:141 | fooResourceUrl : String | SpringSSRF.java:117:92:117:142 | of(...) | provenance | MaD:292 |
-| SpringSSRF.java:126:82:126:95 | fooResourceUrl : String | SpringSSRF.java:126:68:126:96 | of(...) | provenance | MaD:291 |
-| SpringSSRF.java:128:104:128:117 | fooResourceUrl : String | SpringSSRF.java:128:68:128:118 | of(...) | provenance | MaD:292 |
-| SpringSSRF.java:137:63:137:76 | fooResourceUrl : String | SpringSSRF.java:137:49:137:77 | of(...) | provenance | MaD:291 |
-| SpringSSRF.java:139:85:139:98 | fooResourceUrl : String | SpringSSRF.java:139:49:139:99 | of(...) | provenance | MaD:292 |
-| SpringSSRF.java:148:71:148:84 | fooResourceUrl : String | SpringSSRF.java:148:57:148:85 | of(...) | provenance | MaD:291 |
-| SpringSSRF.java:150:93:150:106 | fooResourceUrl : String | SpringSSRF.java:150:57:150:107 | of(...) | provenance | MaD:292 |
-| SpringSSRF.java:159:72:159:85 | fooResourceUrl : String | SpringSSRF.java:159:58:159:86 | of(...) | provenance | MaD:291 |
-| SpringSSRF.java:161:94:161:107 | fooResourceUrl : String | SpringSSRF.java:161:58:161:108 | of(...) | provenance | MaD:292 |
+| SpringSSRF.java:93:106:93:119 | fooResourceUrl : String | SpringSSRF.java:93:92:93:120 | of(...) | provenance | MaD:293 |
+| SpringSSRF.java:95:128:95:141 | fooResourceUrl : String | SpringSSRF.java:95:92:95:142 | of(...) | provenance | MaD:294 |
+| SpringSSRF.java:104:94:104:107 | fooResourceUrl : String | SpringSSRF.java:104:80:104:108 | of(...) | provenance | MaD:293 |
+| SpringSSRF.java:106:116:106:129 | fooResourceUrl : String | SpringSSRF.java:106:80:106:130 | of(...) | provenance | MaD:294 |
+| SpringSSRF.java:115:106:115:119 | fooResourceUrl : String | SpringSSRF.java:115:92:115:120 | of(...) | provenance | MaD:293 |
+| SpringSSRF.java:117:128:117:141 | fooResourceUrl : String | SpringSSRF.java:117:92:117:142 | of(...) | provenance | MaD:294 |
+| SpringSSRF.java:126:82:126:95 | fooResourceUrl : String | SpringSSRF.java:126:68:126:96 | of(...) | provenance | MaD:293 |
+| SpringSSRF.java:128:104:128:117 | fooResourceUrl : String | SpringSSRF.java:128:68:128:118 | of(...) | provenance | MaD:294 |
+| SpringSSRF.java:137:63:137:76 | fooResourceUrl : String | SpringSSRF.java:137:49:137:77 | of(...) | provenance | MaD:293 |
+| SpringSSRF.java:139:85:139:98 | fooResourceUrl : String | SpringSSRF.java:139:49:139:99 | of(...) | provenance | MaD:294 |
+| SpringSSRF.java:148:71:148:84 | fooResourceUrl : String | SpringSSRF.java:148:57:148:85 | of(...) | provenance | MaD:293 |
+| SpringSSRF.java:150:93:150:106 | fooResourceUrl : String | SpringSSRF.java:150:57:150:107 | of(...) | provenance | MaD:294 |
+| SpringSSRF.java:159:72:159:85 | fooResourceUrl : String | SpringSSRF.java:159:58:159:86 | of(...) | provenance | MaD:293 |
+| SpringSSRF.java:161:94:161:107 | fooResourceUrl : String | SpringSSRF.java:161:58:161:108 | of(...) | provenance | MaD:294 |
 | SpringSSRF.java:166:27:166:49 | new URI(...) : URI | SpringSSRF.java:168:44:168:46 | uri | provenance | Sink:MaD:255 |
 | SpringSSRF.java:166:27:166:49 | new URI(...) : URI | SpringSSRF.java:170:35:170:37 | uri | provenance | Sink:MaD:250 |
 | SpringSSRF.java:166:27:166:49 | new URI(...) : URI | SpringSSRF.java:171:35:171:37 | uri | provenance | Sink:MaD:256 |
@@ -1366,13 +1379,15 @@ models
 | 286 | Summary: java.net; URI; false; toString; ; ; Argument[this]; ReturnValue; taint; manual |
 | 287 | Summary: java.net; URI; false; toURL; ; ; Argument[this]; ReturnValue; taint; manual |
 | 288 | Summary: java.net; URL; false; URL; (String); ; Argument[0]; Argument[this]; taint; manual |
-| 289 | Summary: java.util; List; false; of; (Object); ; Argument[0]; ReturnValue.Element; value; manual |
-| 290 | Summary: java.util; List; true; get; (int); ; Argument[this].Element; ReturnValue; value; manual |
-| 291 | Summary: java.util; Map; false; of; ; ; Argument[1]; ReturnValue.MapValue; value; manual |
-| 292 | Summary: java.util; Map; false; of; ; ; Argument[3]; ReturnValue.MapValue; value; manual |
-| 293 | Summary: java.util; Properties; true; setProperty; (String,String); ; Argument[1]; Argument[this].MapValue; value; manual |
-| 294 | Summary: org.apache.hc.core5.http; HttpHost; true; HttpHost; (String); ; Argument[0]; Argument[this]; taint; hq-manual |
-| 295 | Summary: org.apache.http.message; BasicRequestLine; false; BasicRequestLine; ; ; Argument[1]; Argument[this]; taint; manual |
+| 289 | Summary: java.util.regex; Matcher; false; group; ; ; Argument[this]; ReturnValue; taint; manual |
+| 290 | Summary: java.util.regex; Pattern; false; matcher; ; ; Argument[0]; ReturnValue; taint; manual |
+| 291 | Summary: java.util; List; false; of; (Object); ; Argument[0]; ReturnValue.Element; value; manual |
+| 292 | Summary: java.util; List; true; get; (int); ; Argument[this].Element; ReturnValue; value; manual |
+| 293 | Summary: java.util; Map; false; of; ; ; Argument[1]; ReturnValue.MapValue; value; manual |
+| 294 | Summary: java.util; Map; false; of; ; ; Argument[3]; ReturnValue.MapValue; value; manual |
+| 295 | Summary: java.util; Properties; true; setProperty; (String,String); ; Argument[1]; Argument[this].MapValue; value; manual |
+| 296 | Summary: org.apache.hc.core5.http; HttpHost; true; HttpHost; (String); ; Argument[0]; Argument[this]; taint; hq-manual |
+| 297 | Summary: org.apache.http.message; BasicRequestLine; false; BasicRequestLine; ; ; Argument[1]; Argument[this]; taint; manual |
 nodes
 | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | semmle.label | new URI(...) : URI |
@@ -1831,17 +1846,27 @@ nodes
 | SanitizationTests.java:123:60:123:79 | new URI(...) : URI | semmle.label | new URI(...) : URI |
 | SanitizationTests.java:123:68:123:78 | unsafeUri10 : String | semmle.label | unsafeUri10 : String |
 | SanitizationTests.java:124:25:124:33 | unsafer10 | semmle.label | unsafer10 |
-| SanitizationTests.java:175:31:175:114 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
-| SanitizationTests.java:175:31:175:122 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
-| SanitizationTests.java:175:54:175:113 | new URI(...) | semmle.label | new URI(...) |
-| SanitizationTests.java:175:54:175:113 | new URI(...) : URI | semmle.label | new URI(...) : URI |
-| SanitizationTests.java:175:62:175:112 | getFromList(...) : String | semmle.label | getFromList(...) : String |
-| SanitizationTests.java:175:74:175:111 | of(...) : List [<element>] : String | semmle.label | of(...) : List [<element>] : String |
-| SanitizationTests.java:175:82:175:110 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| SanitizationTests.java:176:25:176:27 | r18 | semmle.label | r18 |
-| SanitizationTests.java:197:31:197:112 | list : List [<element>] : String | semmle.label | list : List [<element>] : String |
-| SanitizationTests.java:198:16:198:19 | list : List [<element>] : String | semmle.label | list : List [<element>] : String |
-| SanitizationTests.java:198:16:198:26 | get(...) : String | semmle.label | get(...) : String |
+| SanitizationTests.java:145:30:145:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| SanitizationTests.java:146:31:146:54 | matcher(...) : Matcher | semmle.label | matcher(...) : Matcher |
+| SanitizationTests.java:146:47:146:53 | param13 : String | semmle.label | param13 : String |
+| SanitizationTests.java:150:36:150:84 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
+| SanitizationTests.java:150:36:150:92 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
+| SanitizationTests.java:150:59:150:83 | new URI(...) | semmle.label | new URI(...) |
+| SanitizationTests.java:150:59:150:83 | new URI(...) : URI | semmle.label | new URI(...) : URI |
+| SanitizationTests.java:150:67:150:73 | matcher : Matcher | semmle.label | matcher : Matcher |
+| SanitizationTests.java:150:67:150:82 | group(...) : String | semmle.label | group(...) : String |
+| SanitizationTests.java:151:29:151:32 | r13b | semmle.label | r13b |
+| SanitizationTests.java:177:31:177:114 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
+| SanitizationTests.java:177:31:177:122 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
+| SanitizationTests.java:177:54:177:113 | new URI(...) | semmle.label | new URI(...) |
+| SanitizationTests.java:177:54:177:113 | new URI(...) : URI | semmle.label | new URI(...) : URI |
+| SanitizationTests.java:177:62:177:112 | getFromList(...) : String | semmle.label | getFromList(...) : String |
+| SanitizationTests.java:177:74:177:111 | of(...) : List [<element>] : String | semmle.label | of(...) : List [<element>] : String |
+| SanitizationTests.java:177:82:177:110 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| SanitizationTests.java:178:25:178:27 | r18 | semmle.label | r18 |
+| SanitizationTests.java:199:31:199:112 | list : List [<element>] : String | semmle.label | list : List [<element>] : String |
+| SanitizationTests.java:200:16:200:19 | list : List [<element>] : String | semmle.label | list : List [<element>] : String |
+| SanitizationTests.java:200:16:200:26 | get(...) : String | semmle.label | get(...) : String |
 | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | SpringSSRF.java:32:39:32:59 | ... + ... | semmle.label | ... + ... |
 | SpringSSRF.java:33:69:33:82 | fooResourceUrl | semmle.label | fooResourceUrl |
@@ -2062,4 +2087,4 @@ nodes
 | mad/Test.java:112:15:112:31 | (...)... | semmle.label | (...)... |
 | mad/Test.java:112:24:112:31 | source(...) : String | semmle.label | source(...) : String |
 subpaths
-| SanitizationTests.java:175:74:175:111 | of(...) : List [<element>] : String | SanitizationTests.java:197:31:197:112 | list : List [<element>] : String | SanitizationTests.java:198:16:198:26 | get(...) : String | SanitizationTests.java:175:62:175:112 | getFromList(...) : String |
+| SanitizationTests.java:177:74:177:111 | of(...) : List [<element>] : String | SanitizationTests.java:199:31:199:112 | list : List [<element>] : String | SanitizationTests.java:200:16:200:26 | get(...) : String | SanitizationTests.java:177:62:177:112 | getFromList(...) : String |
diff --git a/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java b/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java
index 16787508659..55049c834e7 100644
--- a/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java
+++ b/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java
@@ -141,12 +141,14 @@ public class SanitizationTests extends HttpServlet {
                 client.send(r12, null);
             }
 
-            Pattern pattern = Pattern.compile("[a-zA-Z0-9_-]+");
-            String param13 = request.getParameter("uri13");
+            Pattern pattern = Pattern.compile("([a-zA-Z0-9_-]+)");
+            String param13 = request.getParameter("uri13"); // $ SPURIOUS: Source
             Matcher matcher = pattern.matcher(param13);
             if (matcher.matches()) {
-                HttpRequest r13 = HttpRequest.newBuilder(new URI(param13)).build();
-                client.send(r13, null);
+                HttpRequest r13a = HttpRequest.newBuilder(new URI(param13)).build();
+                client.send(r13a, null);
+                HttpRequest r13b = HttpRequest.newBuilder(new URI(matcher.group(1))).build(); // $ SPURIOUS: Alert
+                client.send(r13b, null); // $ SPURIOUS: Alert
             }
 
             // GOOD: sanitisation by @Pattern annotation on a field