Go: Mention raw string iterals in QHelp for go/incomplete-hostname-regexp.

Max Schaefer · Max Schaefer · commit d3e0a90ae512 · 2024-03-15T11:22:40.000Z
diff --git a/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.qhelp b/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.qhelp
@@ -41,6 +41,10 @@ domain such as <code>wwwXexample.com</code>.
 Address this vulnerability by escaping <code>.</code> appropriately:
 </p>
 <sample src="IncompleteHostnameRegexpGood.go"/>
+<p>
+You may also want to consider using raw string literals to avoid having to escape backslashes:
+</p>
+<sample src="IncompleteHostnameRegexpGood2.go"/>
 </example>
 
 <references>
diff --git a/go/ql/src/Security/CWE-020/IncompleteHostnameRegexpGood2.go b/go/ql/src/Security/CWE-020/IncompleteHostnameRegexpGood2.go
@@ -0,0 +1,16 @@
+package main
+
+import (
+	"errors"
+	"net/http"
+	"regexp"
+)
+
+func checkRedirectGood(req *http.Request, via []*http.Request) error {
+	// GOOD: the host of `req.URL` must be `example.com`, `www.example.com` or `beta.example.com`
+	re := `^((www|beta)\.)?example\.com/`
+	if matched, _ := regexp.MatchString(re, req.URL.Host); matched {
+		return nil
+	}
+	return errors.New("Invalid redirect")
+}
