Address suggestions from review.

Max Schaefer · Max Schaefer · commit bc9396e0e66b · 2024-03-22T13:19:36.000Z
diff --git a/go/ql/src/Security/CWE-022/TaintedPath.qhelp b/go/ql/src/Security/CWE-022/TaintedPath.qhelp
@@ -72,7 +72,9 @@ that the resulting path is still within it.
 <sample src="TaintedPathGood2.go" />
 <p>
 Note that <code>/home/user</code> is just an example, you should replace it with the actual
-safe directory in your application.
+safe directory in your application. Also, while in this example the path of the safe
+directory is absolute, this may not always be the case, and you may need to resolve it
+first before checking the input.
 </p>
 </example>
 
diff --git a/go/ql/src/Security/CWE-022/TaintedPathGood.go b/go/ql/src/Security/CWE-022/TaintedPathGood.go
@@ -11,6 +11,7 @@ func handler(w http.ResponseWriter, r *http.Request) {
 	path := r.URL.Query()["path"][0]
 
 	// GOOD: ensure that the filename has no path separators or parent directory references
+	// (Note that this is only suitable if `path` is expected to have a single component!)
 	if strings.Contains(path, "/") || strings.Contains(path, "\\") || strings.Contains(path, "..") {
 		http.Error(w, "Invalid file name", http.StatusBadRequest)
 		return
