From 9e87f4ec4e1e97baafa7b2677aeb87e8dd7d82e7 Mon Sep 17 00:00:00 2001
From: haby0
Date: Tue, 20 Apr 2021 19:35:34 +0800
Subject: [PATCH] Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql

Co-authored-by: Chris Smowton
---
 .../Security/CWE/CWE-348/UseOfLessTrustedSource.ql | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
index df019a7c765..89c0dbd615a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
@@ -27,7 +27,8 @@ class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof UseOfLessTrustedSink }
 
   /**
-   * When using `,` split request data and not taking the first value of the array, it is considered as `good`.
+   * Splitting a header value by `,` and taking an entry other than the first is sanitizing, because
+   * later entries may originate from more-trustworthy intermediate proxies, not the original client.
    */
   override predicate isSanitizer(DataFlow::Node node) {
     exists(ArrayAccess aa, MethodAccess ma | aa.getArray() = ma |
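Review bot: The new QLDoc on `isSanitizer` states as a fact that any entry other than the first is trustworthy, which overstates what the barrier can guarantee: in a comma-joined forwarding header only the entries appended by trusted proxies, counted from the end of the list, are reliable, and the original client can itself supply several comma-separated entries, so a fixed non-zero index can still hold client-controlled data. Since this predicate suppresses results, the comment should present it as a heuristic so that readers do not read the query's silence as proof of safety. Suggested wording: `* Splitting a header value by `,` and taking an entry other than the first is treated as sanitizing (a heuristic:` / `* only entries appended by trusted proxies, counted from the end, are reliable, and a client may itself send several entries).` The body of `isSanitizer` continues outside the hunk, so whether the index is restricted further cannot be seen here.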