Java SSRF query: comment on sanitizing regex

Author: smowton

java/ql/src/semmle/code/java/security/RequestForgery.qll

@@ -222,6 +222,10 @@ private class HostnameSanitizingPrefix extends CompileTimeConstantExpr {
   int offset;
 
   HostnameSanitizingPrefix() {
+    // Matches strings that look like when prepended to untrusted input, they will restrict
+    // the host or entity addressed: for example, anything containing `?` or `#`, or a slash that
+    // doesn't appear to be a protocol specifier (e.g. `http://` is not sanitizing), or specifically
+    // the string "/".
     exists(
       this.getStringValue()
           .regexpFind(".*([?#]|[^?#:/\\\\][/\\\\]).*|[/\\\\][^/\\\\].*|^/$", 0, offset)