vlkl-sap
Apologies for butting in; I came across this PR by chance. While storing unsalted password hashes is poor security, using typical message digests for password hashing is in itself fundamentally...
Hey. Thanks for tackling this! It's a real improvement. I particularly like the tests as they serve as a kind of spec document. Would it make sense to rename `AllowListGuard`...
Another thing: I'm struggling to understand the `WEB-INF` part. It is OK to block a prefix with "WEB-INF" somewhere in it but it's not OK to block "WEB-INF" in the...
Are these duplicates? https://github.com/github/codeql/blob/c5abbbae93ee83b7a4767fcaa2ed832f7e258699/java/ql/test/library-tests/pathsanitizer/Test.java#L252-L265 Or did I fail the eye test?