mrigankpawagi · mrigankpawagi · Jun 28, 2026
diff --git a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll
@@ -57,5 +57,18 @@ query predicate problems(
     // the trailing port or slash makes the prefix-check safe
     check instanceof StringOps::StartsWith and
     target.regexpMatch(".*(:[0-9]+|/)")
+    or
+    // Checks on a parsed URL's host or hostname property are safe,
+    // since the host is already isolated from path/query components.
+    exists(DataFlow::PropRead hostRead |
+      hostRead.getPropertyName() in ["host", "hostname"] and
+      (
+        check.(StringOps::EndsWith).getBaseString().getALocalSource() = hostRead
+        or
+        check.(StringOps::Includes).getBaseString().getALocalSource() = hostRead
+        or
+        check.(StringOps::StartsWith).getBaseString().getALocalSource() = hostRead
+      )
+    )
   )
 }
diff --git a/javascript/ql/src/change-notes/2025-06-28-url-substring-host-check.md b/javascript/ql/src/change-notes/2025-06-28-url-substring-host-check.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The `js/incomplete-url-substring-sanitization` query no longer flags substring checks performed on a parsed URL's `.host` or `.hostname` property (e.g., `new URL(x).host.endsWith("github.com")`), since the hostname is already isolated from path and query components, making such checks safe.