Merge pull request #15933 from github/max-schaefer/go-incomplete-hostname-regex

Go: Mention raw string iterals in QHelp for `go/incomplete-hostname-regexp`.

go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.qhelp

@@ -41,6 +41,10 @@ domain such as <code>wwwXexample.com</code>.
 Address this vulnerability by escaping <code>.</code> appropriately:
 </p>
 <sample src="IncompleteHostnameRegexpGood.go"/>
+<p>
+You may also want to consider using raw string literals to avoid having to escape backslashes:
+</p>
+<sample src="IncompleteHostnameRegexpGood2.go"/>
 </example>
 
 <references>

go/ql/src/Security/CWE-020/IncompleteHostnameRegexpGood2.go

@@ -0,0 +1,16 @@
+package main
+
+import (
+	"errors"
+	"net/http"
+	"regexp"
+)
+
+func checkRedirectGood(req *http.Request, via []*http.Request) error {
+	// GOOD: the host of `req.URL` must be `example.com`, `www.example.com` or `beta.example.com`
+	re := `^((www|beta)\.)?example\.com/`
+	if matched, _ := regexp.MatchString(re, req.URL.Host); matched {
+		return nil
+	}
+	return errors.New("Invalid redirect")
+}