From 7863a1e2289e69ce8e57e963e2f9c15e3ae8221a Mon Sep 17 00:00:00 2001
From: Jared Erwin
Date: Fri, 3 Apr 2026 12:05:19 -0700
Subject: [PATCH] Suppress SSRF as URL comes from controlled server side config

---
 samples/apps/SmartLauncher/Program.cs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/samples/apps/SmartLauncher/Program.cs b/samples/apps/SmartLauncher/Program.cs
index ee8ee5ccbf..525626b1d9 100644
--- a/samples/apps/SmartLauncher/Program.cs
+++ b/samples/apps/SmartLauncher/Program.cs
@@ -67,7 +67,12 @@
 using var discoveryClient = httpClientFactory.CreateClient();
 var smartConfigUrl = new Uri(fhirServerUri, ".well-known/smart-configuration");
- var smartResponse = await discoveryClient.GetAsync(smartConfigUrl);
+
+ // CodeQL SSRF suppression: smartConfigUrl is NOT user-tainted. The host originates
+ // from the server-side FhirServerUrl configuration value (validated above as an
+ // absolute HTTP(S) URI) and the path is the hardcoded SMART discovery endpoint.
+ // See https://aka.ms/codeql#guidance-on-suppressions
+ var smartResponse = await discoveryClient.GetAsync(smartConfigUrl); // lgtm[cs/ssrf]
 smartResponse.EnsureSuccessStatusCode();
 var smartJson = await smartResponse.Content.ReadAsStringAsync();
 var smartConfig = System.Text.Json.JsonDocument.Parse(smartJson);
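Review bot: The suppression comment justifies `// lgtm[cs/ssrf]` with a validation ("validated above as an absolute HTTP(S) URI") that sits outside this hunk, so a reader cannot confirm from here whether the scheme is actually restricted to http/https or only checked for absoluteness, which would also admit `file:` and other schemes. Name the specific check in the comment so the suppression stays auditable, e.g. `// Host comes from the FhirServerUrl setting, which <VALIDATION_METHOD_OR_LINE> rejects unless it is an absolute http/https URI; the path is the fixed SMART discovery endpoint.` Note also that `new Uri(fhirServerUri, ".well-known/smart-configuration")` resolves against the base's last path segment, so a FhirServerUrl without a trailing slash (for example a base ending in `/fhir`) yields the well-known path at the site root rather than under the FHIR base; if that is not intended, ensure the base ends with `/` before combining. Because HttpClient follows redirects by default, the final request target depends on the configured server's responses as well as on the setting, which is acceptable for a trusted server-side value but belongs in the stated rationale. The enclosing method or statement block starts and ends outside the hunk.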