From 7907d34a3368e4bd5f8ec984efe9b96a6d33d56c Mon Sep 17 00:00:00 2001
From: Jason Novinger
Date: Thu, 2 Oct 2025 16:27:31 -0500
Subject: [PATCH] Fixes #20484: Configure CodeQL to exclude URL redirect false positives
---
 .github/codeql/codeql-config.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
index f763ef6df71..d5453e19f9d 100644
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -1,3 +1,11 @@
 paths-ignore:
 # Ignore compiled JS
 - netbox/project-static/dist
+
+query-filters:
+ # Exclude py/url-redirection: NetBox uses safe_for_redirect() wrapper function
+ # which validates all redirects via Django's url_has_allowed_host_and_scheme().
+ # CodeQL's taint tracking doesn't recognize wrapper functions without custom
+ # query configuration. See #20484.
+ - exclude:
+ id: py/url-redirection
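Review bot: The `exclude` entry for `id: py/url-redirection` turns the open-redirect query off for the whole repository, not only for call sites that go through `safe_for_redirect()`, so a future view that redirects to a request-supplied URL without the wrapper would no longer be reported. The comment's claim that the wrapper validates all redirects holds only while every call site uses it, and nothing visible in this change enforces that. Consider keeping the query enabled and dismissing the existing alerts individually as false positives in code scanning. If the exclusion stays, state the trade-off in the comment, e.g. `# NOTE: this disables open-redirect detection repo-wide; redirects that bypass safe_for_redirect() will not be flagged.` A test or lint rule checking that redirect targets pass through the wrapper would cover the gap, presumably outside this file.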