modified comment

Author: haby0

java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql

@@ -29,6 +29,8 @@ class SpringUrlRedirectFlowConfig extends TaintTracking::Configuration {
   override predicate isSanitizer(DataFlow::Node node) {
     // Exclude the case where the left side of the concatenated string is not `redirect:`.
     // E.g: `String url = "/path?token=" + request.getParameter("token");`
+    // Note this is quite a broad sanitizer (it will also sanitize the right-hand side of `url = "http://" + request.getParameter("token")`);
+    // Consider making this stricter in future.
     exists(AddExpr ae |
       ae.getRightOperand() = node.asExpr() and
       not ae instanceof RedirectBuilderExpr

java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll

@@ -5,7 +5,7 @@ import semmle.code.java.dataflow.DataFlow2
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.spring.SpringController
 
-class StartsWithSanitizer extends DataFlow::BarrierGuard {
+private class StartsWithSanitizer extends DataFlow::BarrierGuard {
   StartsWithSanitizer() {
     this.(MethodAccess).getMethod().hasName("startsWith") and
     this.(MethodAccess).getMethod().getDeclaringType() instanceof TypeString and