From e27947e280fb054367b9812806cfc2996d017e80 Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Thu, 2 Apr 2020 02:16:40 -0700
Subject: [PATCH] Add comment for new url concatenation sanitizer
---
 ql/src/semmle/go/security/UrlConcatenation.qll | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ql/src/semmle/go/security/UrlConcatenation.qll b/ql/src/semmle/go/security/UrlConcatenation.qll
index c0ff4ff960c..9415d4a8acf 100644
--- a/ql/src/semmle/go/security/UrlConcatenation.qll
+++ b/ql/src/semmle/go/security/UrlConcatenation.qll
@@ -55,6 +55,8 @@ private predicate concatenationHasHostnameSanitizingSubstring(StringOps::Concate
 exists(StringOps::ConcatenationLeaf lf | lf = cat.getALeaf() | lf.getStringValue().regexpMatch(".*([?#]|[^?#:/\\\\][/\\\\]).*|[/\\\\][^/\\\\].*") or
+ // this deals with cases such as `Sprintf("%s/%s", hostname, taint)`, which should be safe as
+ // long as `hostname` is not user-controlled
 lf.getStringValue() = "/" and exists(lf.getPreviousLeaf()) or