From b25e8671b931e5c33e6f818dcda5dc102d2ea434 Mon Sep 17 00:00:00 2001
From: Chris Smowton
Date: Mon, 19 Apr 2021 16:33:29 +0100
Subject: [PATCH] Java SSRF query: comment on sanitizing regex
---
 java/ql/src/semmle/code/java/security/RequestForgery.qll | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/java/ql/src/semmle/code/java/security/RequestForgery.qll b/java/ql/src/semmle/code/java/security/RequestForgery.qll
index 1ff2a58b7a0..c57fb0b33cb 100644
--- a/java/ql/src/semmle/code/java/security/RequestForgery.qll
+++ b/java/ql/src/semmle/code/java/security/RequestForgery.qll
@@ -222,6 +222,10 @@ private class HostnameSanitizingPrefix extends CompileTimeConstantExpr {
int offset;

HostnameSanitizingPrefix() {
+ // Matches strings that look like when prepended to untrusted input, they will restrict
+ // the host or entity addressed: for example, anything containing `?` or `#`, or a slash that
+ // doesn't appear to be a protocol specifier (e.g. `http://` is not sanitizing), or specifically
+ // the string "/".
exists(
this.getStringValue()
.regexpFind(".*([?#]|[^?#:/\\\\][/\\\\]).*|[/\\\\][^/\\\\].*|^/$", 0, offset)
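Review bot: The first sentence of the new comment is hard to parse ("strings that look like when prepended to untrusted input, they will restrict"), and it understates what the regex on the following line actually accepts; I would rewrite it as `// Matches constant strings which, when prepended to untrusted input, appear to fix the host or entity addressed:`. Two properties of the regex that matter for the soundness of this sanitizer are left unsaid: it treats a backslash the same as a forward slash (`[/\\\\]` in every alternative), and a prefix beginning `//` is deliberately not sanitizing because `[/\\\\][^/\\\\]` requires a non-slash after the leading slash, so a protocol-relative prefix still lets untrusted input choose the host. Naming both in the comment, e.g. `// Slashes and backslashes are treated alike; a leading "//" (protocol-relative URL) does not count as sanitizing.`, would stop a future edit from loosening either case by accident. The enclosing `exists(...)` and the class body continue outside the hunk.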