Add change note

owen-mc · owen-mc · commit c539c2f4fd1c · 2026-02-12T16:57:12.000Z
diff --git a/java/ql/lib/change-notes/2026-02-12-pattern-annotation-ssrf-sanitizer.md b/java/ql/lib/change-notes/2026-02-12-pattern-annotation-ssrf-sanitizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* More ways of checking that a string matches a regular expression are now considered as sanitizers for various queries, including `java/ssrf` and `java/path-injection`. In particular, being annotated with `@javax.validation.constraints.Pattern` is now recognised as a sanitizer for those queries.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* More ways of checking that a string matches a regular expression are now considered as sanitizers for various queries, including `java/ssrf` and `java/path-injection`. In particular, being annotated with `@javax.validation.constraints.Pattern` is now recognised as a sanitizer for those queries.