Description
Proposed Changes
Add query filter to CodeQL configuration to exclude the py/url-redirection query, which is generating 24 false positive alerts.
Update .github/codeql/codeql-config.yml:
```yaml
...
query-filters:
  # Exclude py/url-redirection: NetBox uses safe_for_redirect() wrapper function
  # which validates all redirects via Django's url_has_allowed_host_and_scheme().
  # CodeQL's taint tracking doesn't recognize wrapper functions without custom
  # query configuration.
  - exclude:
      id: py/url-redirection
```
Justification
CodeQL is flagging 24 URL redirect alerts across the codebase. Each uses either safe_for_redirect() or get_return_url() (which calls safe_for_redirect() internally). These are false positives.
The issue is that safe_for_redirect() wraps Django's url_has_allowed_host_and_scheme(), and CodeQL's taint tracking doesn't recognize wrapper functions as sanitizers. It sees tainted input flow into the wrapper and back out to redirect(), but doesn't understand that validation happened inside. Custom CodeQL queries to fix this aren't available with GitHub-hosted scanning.
NetBox's implementation is secure. safe_for_redirect() uses allowed_hosts=None, which only permits relative URLs (no external redirects). Since we consistently use this wrapper for all redirects, the risk of introducing actual vulnerabilities is minimal while the query generates nothing but noise.
Excluding this query will auto-dismiss the 24 existing alerts and prevent future false positives.
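A stdlib-only model of the check this justification relies on, added here as an example (it is not NetBox's or Django's code; the function names mirror those in the description and the logic follows Django's documented behaviour rather than its source). It shows why a wrapper called with allowed_hosts=None only lets relative targets through, which is exactly the sanitizing step CodeQL's taint tracking cannot see inside.

```python
import unicodedata
from urllib.parse import urlsplit

# Hypothetical re-implementation modelled on Django's url_has_allowed_host_and_scheme();
# constructed for illustration, not taken from Django or NetBox.


def _allowed_host_and_scheme(url, allowed_hosts, require_https):
    if url.startswith("///"):          # urlsplit() would read this as a bare path
        return False
    try:
        parts = urlsplit(url)
    except ValueError:                 # e.g. malformed IPv6 literal
        return False
    if not parts.netloc and parts.scheme:   # "javascript:alert(1)" and friends
        return False
    if unicodedata.category(url[0])[0] == "C":   # leading control character
        return False
    scheme = parts.scheme or ("http" if parts.netloc else "")
    valid_schemes = {"https"} if require_https else {"http", "https"}
    return (not parts.netloc or parts.netloc in allowed_hosts) and (
        not scheme or scheme in valid_schemes
    )


def url_has_allowed_host_and_scheme(url, allowed_hosts=None, require_https=False):
    """True only if url is relative or points at one of allowed_hosts."""
    url = url.strip()
    if not url:
        return False
    if allowed_hosts is None:
        allowed_hosts = set()          # None => no external host is ever allowed
    elif isinstance(allowed_hosts, str):
        allowed_hosts = {allowed_hosts}
    # Judge the URL twice: browsers treat backslashes as forward slashes,
    # so "/\evil.example" must be evaluated as "//evil.example" too.
    return _allowed_host_and_scheme(url, allowed_hosts, require_https) and (
        _allowed_host_and_scheme(url.replace("\\", "/"), allowed_hosts, require_https)
    )


def safe_for_redirect(url):
    """Wrapper in the style the PR describes: allowed_hosts=None means only
    relative (same-site) targets pass. This is the sanitizer CodeQL misses."""
    return url_has_allowed_host_and_scheme(url, allowed_hosts=None)


def get_return_url(requested, default="/"):
    """Use the user-supplied target only when the wrapper accepts it."""
    return requested if safe_for_redirect(requested) else default
```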