Convert Python qlref tests to inline expectations

2026-06-15 18:01:10 +02:00 · 2026-06-15 11:06:48 +01:00
parent d6ade8fe95
commit 0c2df7c7e9
475 changed files with 1612 additions and 1382 deletions
--- a/python/ql/test/2/query-tests/Classes/inconsistent-mro/InconsistentMRO.qlref
+++ b/python/ql/test/2/query-tests/Classes/inconsistent-mro/InconsistentMRO.qlref
@@ -1 +1,2 @@
-Classes/InconsistentMRO.ql
+query: Classes/InconsistentMRO.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Classes/inconsistent-mro/inconsistent_mro.py
+++ b/python/ql/test/2/query-tests/Classes/inconsistent-mro/inconsistent_mro.py
@@ -6,7 +6,7 @@ class X(object):
 class Y(X):
    pass

-class Z(X, Y):
+class Z(X, Y): # $ Alert
    pass
    
 class O:
--- a/python/ql/test/2/query-tests/Classes/new-style/PropertyInOldStyleClass.qlref
+++ b/python/ql/test/2/query-tests/Classes/new-style/PropertyInOldStyleClass.qlref
@@ -1 +1,2 @@
-Classes/PropertyInOldStyleClass.ql
+query: Classes/PropertyInOldStyleClass.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Classes/new-style/SlotsInOldStyleClass.qlref
+++ b/python/ql/test/2/query-tests/Classes/new-style/SlotsInOldStyleClass.qlref
@@ -1 +1,2 @@
-Classes/SlotsInOldStyleClass.ql
+query: Classes/SlotsInOldStyleClass.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Classes/new-style/SuperInOldStyleClass.qlref
+++ b/python/ql/test/2/query-tests/Classes/new-style/SuperInOldStyleClass.qlref
@@ -1 +1,2 @@
-Classes/SuperInOldStyleClass.ql
+query: Classes/SuperInOldStyleClass.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Classes/new-style/newstyle_test.py
+++ b/python/ql/test/2/query-tests/Classes/new-style/newstyle_test.py
@@ -1,7 +1,7 @@

 #Only works for Python2

-class OldStyle1:
+class OldStyle1: # $ Alert[py/slots-in-old-style-class]

    __slots__ = [ 'a', 'b' ]

@@ -12,7 +12,7 @@ class OldStyle1:
 class OldStyle2:

    def __init__(self, x):
-        super().__init__(x)
+        super().__init__(x) # $ Alert[py/super-in-old-style]

 class NewStyle1(object):

--- a/python/ql/test/2/query-tests/Classes/new-style/property_old_style.py
+++ b/python/ql/test/2/query-tests/Classes/new-style/property_old_style.py
@@ -5,6 +5,6 @@ class OldStyle:
    def __init__(self, x):
        self._x = x

-    @property
+    @property # $ Alert[py/property-in-old-style-class]
    def piosc(self):
        return self._x
--- a/python/ql/test/2/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref
+++ b/python/ql/test/2/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref
@@ -1 +1,2 @@
-Classes/MaybeUndefinedClassAttribute.ql
+query: Classes/MaybeUndefinedClassAttribute.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref
+++ b/python/ql/test/2/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref
@@ -1 +1,2 @@
-Classes/UndefinedClassAttribute.ql
+query: Classes/UndefinedClassAttribute.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Exceptions/general/CatchingBaseException.qlref
+++ b/python/ql/test/2/query-tests/Exceptions/general/CatchingBaseException.qlref
@@ -1 +1,2 @@
-Exceptions/CatchingBaseException.ql
+query: Exceptions/CatchingBaseException.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Exceptions/general/EmptyExcept.qlref
+++ b/python/ql/test/2/query-tests/Exceptions/general/EmptyExcept.qlref
@@ -1 +1,2 @@
-Exceptions/EmptyExcept.ql
+query: Exceptions/EmptyExcept.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref
+++ b/python/ql/test/2/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref
@@ -1 +1,2 @@
-Exceptions/IllegalExceptionHandlerType.ql
+query: Exceptions/IllegalExceptionHandlerType.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Exceptions/general/IllegalRaise.qlref
+++ b/python/ql/test/2/query-tests/Exceptions/general/IllegalRaise.qlref
@@ -1 +1,2 @@
-Exceptions/IllegalRaise.ql
+query: Exceptions/IllegalRaise.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Exceptions/general/IncorrectExceptOrder.qlref
+++ b/python/ql/test/2/query-tests/Exceptions/general/IncorrectExceptOrder.qlref
@@ -1 +1,2 @@
-Exceptions/IncorrectExceptOrder.ql
+query: Exceptions/IncorrectExceptOrder.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Exceptions/general/exceptions_test.py
+++ b/python/ql/test/2/query-tests/Exceptions/general/exceptions_test.py
@@ -14,4 +14,4 @@ def raise_tuple(cond):
        raise (Exception, "bananas", 17)
    else:
        #This is an error
-        raise (17, "bananas", Exception)
+        raise (17, "bananas", Exception) # $ Alert[py/illegal-raise]
--- a/python/ql/test/2/query-tests/Exceptions/generators/UnguardedNextInGenerator.qlref
+++ b/python/ql/test/2/query-tests/Exceptions/generators/UnguardedNextInGenerator.qlref
@@ -1 +1,2 @@
-Exceptions/UnguardedNextInGenerator.ql
+query: Exceptions/UnguardedNextInGenerator.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Exceptions/generators/test.py
+++ b/python/ql/test/2/query-tests/Exceptions/generators/test.py
@@ -2,12 +2,12 @@

 def bad1(it):
    while True:
-        yield next(it)
+        yield next(it) # $ Alert

 def bad2(seq):
    it = iter(seq)
    #Not OK as seq  may be empty
-    raise KeyError(next(it))
+    raise KeyError(next(it)) # $ Alert
    yield 0

 def ok1(seq):
--- a/python/ql/test/2/query-tests/Exceptions/raising/RaisingTuple.qlref
+++ b/python/ql/test/2/query-tests/Exceptions/raising/RaisingTuple.qlref
@@ -1 +1,2 @@
-Exceptions/RaisingTuple.ql
+query: Exceptions/RaisingTuple.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Exceptions/raising/test.py
+++ b/python/ql/test/2/query-tests/Exceptions/raising/test.py
@@ -5,11 +5,11 @@ def ok():

 def bad1():
    ex = Exception, "message"
-    raise ex
+    raise ex # $ Alert

 def bad2():
-    raise (Exception, "message")
+    raise (Exception, "message") # $ Alert

 def bad3():
    ex = Exception, 
-    raise ex, "message"
+    raise ex, "message" # $ Alert
--- a/python/ql/test/2/query-tests/Expressions/TruncatedDivision.qlref
+++ b/python/ql/test/2/query-tests/Expressions/TruncatedDivision.qlref
@@ -1 +1,2 @@
-Expressions/TruncatedDivision.ql
+query: Expressions/TruncatedDivision.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Expressions/TruncatedDivision_test.py
+++ b/python/ql/test/2/query-tests/Expressions/TruncatedDivision_test.py
@@ -62,14 +62,14 @@ print(average([1.0, 2.0]))
 # This case is bad, and is a minimal obvious case that should be bad. It
 # SHOULD be found by the query.

-print(3 / 2)
+print(3 / 2) # $ Alert[py/truncated-division]



 # This case is bad. It uses indirect returns of integers through function calls
 # to produce the problem. I

-print(return_three() / return_two())
+print(return_three() / return_two()) # $ Alert[py/truncated-division]



--- a/python/ql/test/2/query-tests/Expressions/UseofApply.py
+++ b/python/ql/test/2/query-tests/Expressions/UseofApply.py
@@ -16,7 +16,7 @@ def useofapply():

  # This use of `apply` is a reference to the builtin function and so SHOULD be
  # caught by the query.
-  apply(foo, [1])
+  apply(foo, [1]) # $ Alert[py/use-of-apply]



--- a/python/ql/test/2/query-tests/Expressions/UseofApply.qlref
+++ b/python/ql/test/2/query-tests/Expressions/UseofApply.qlref
@@ -1 +1,2 @@
-Expressions/UseofApply.ql
+query: Expressions/UseofApply.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Expressions/UseofInput.qlref
+++ b/python/ql/test/2/query-tests/Expressions/UseofInput.qlref
@@ -1 +1,2 @@
-Expressions/UseofInput.ql
+query: Expressions/UseofInput.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Expressions/expressions_test.py
+++ b/python/ql/test/2/query-tests/Expressions/expressions_test.py
@@ -1,9 +1,9 @@
 def use_of_apply(func, args):
-    apply(func, args)
+    apply(func, args) # $ Alert[py/use-of-apply]


 def use_of_input():
-    return input() # NOT OK
+    return input() # $ Alert[py/use-of-input] # NOT OK


 def not_use_of_input():
--- a/python/ql/test/2/query-tests/Functions/DeprecatedSliceMethod.qlref
+++ b/python/ql/test/2/query-tests/Functions/DeprecatedSliceMethod.qlref
@@ -1 +1,2 @@
-Functions/DeprecatedSliceMethod.ql
+query: Functions/DeprecatedSliceMethod.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Imports/encoding_error/EncodingError.qlref
+++ b/python/ql/test/2/query-tests/Imports/encoding_error/EncodingError.qlref
@@ -1 +1,2 @@
-Imports/EncodingError.ql
+query: Imports/EncodingError.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Imports/syntax_error/EncodingError.qlref
+++ b/python/ql/test/2/query-tests/Imports/syntax_error/EncodingError.qlref
@@ -1 +1,2 @@
-Imports/EncodingError.ql
+query: Imports/EncodingError.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Imports/syntax_error/SyntaxError.qlref
+++ b/python/ql/test/2/query-tests/Imports/syntax_error/SyntaxError.qlref
@@ -1 +1,2 @@
-Imports/SyntaxError.ql
+query: Imports/SyntaxError.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Imports/syntax_error/bad_encoding.py
+++ b/python/ql/test/2/query-tests/Imports/syntax_error/bad_encoding.py
@@ -8,5 +8,5 @@
 # encoding:shift-jis

 def f():
-    print "Python <20>̊J<CC8A><4A><EFBFBD>́A1990 <20>N<EFBFBD><4E><EFBFBD>납<EFBFBD><EB82A9><EFBFBD>J<EFBFBD>n<EFBFBD><6E><EFBFBD><EFBFBD><EFBFBD>Ă<EFBFBD><C482>܂<EFBFBD>"
+    print "Python <20>̊J<CC8A><4A><EFBFBD>́A1990 <20>N<EFBFBD><4E><EFBFBD>납<EFBFBD><EB82A9><EFBFBD>J<EFBFBD>n<EFBFBD><6E><EFBFBD><EFBFBD><EFBFBD>Ă<EFBFBD><C482>܂<EFBFBD>" # $ Alert[py/encoding-error]
 """
--- a/python/ql/test/2/query-tests/Imports/syntax_error/nonsense.py
+++ b/python/ql/test/2/query-tests/Imports/syntax_error/nonsense.py
@@ -1,4 +1,4 @@
-`Twas brillig, and the slithy toves
+`Twas brillig, and the slithy toves # $ Alert[py/syntax-error]
  Did gyre and gimble in the wabe:
 All mimsy were the borogoves,
  And the mome raths outgrabe.
--- a/python/ql/test/2/query-tests/Lexical/OldOctalLiteral.qlref
+++ b/python/ql/test/2/query-tests/Lexical/OldOctalLiteral.qlref
@@ -1 +1,2 @@
-Lexical/OldOctalLiteral.ql
+query: Lexical/OldOctalLiteral.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Lexical/lexical_test.py
+++ b/python/ql/test/2/query-tests/Lexical/lexical_test.py
@@ -1,6 +1,6 @@

 #Bad Octal literal
-017
+017 # $ Alert
 #Good Octal literal
 0o17
 #Special case file permissions
--- a/python/ql/test/2/query-tests/Statements/ExecUsed.qlref
+++ b/python/ql/test/2/query-tests/Statements/ExecUsed.qlref
@@ -1 +1,2 @@
-Statements/ExecUsed.ql
+query: Statements/ExecUsed.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Statements/IterableStringOrSequence.qlref
+++ b/python/ql/test/2/query-tests/Statements/IterableStringOrSequence.qlref
@@ -1 +1,2 @@
-Statements/IterableStringOrSequence.ql
+query: Statements/IterableStringOrSequence.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Statements/TopLevelPrint.qlref
+++ b/python/ql/test/2/query-tests/Statements/TopLevelPrint.qlref
@@ -1 +1,2 @@
-Statements/TopLevelPrint.ql
+query: Statements/TopLevelPrint.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Statements/module.py
+++ b/python/ql/test/2/query-tests/Statements/module.py
@@ -1,2 +1,2 @@
 #Top level prints in modules are bad
-print ("Side effect on import")
+print ("Side effect on import") # $ Alert[py/print-during-import]
--- a/python/ql/test/2/query-tests/Statements/statements_test.py
+++ b/python/ql/test/2/query-tests/Statements/statements_test.py
@@ -2,7 +2,7 @@


 def exec_used(val):
-    exec (val)
+    exec (val) # $ Alert[py/use-of-exec]

 #Top level print
 import module
@@ -18,7 +18,7 @@ def f(x):
        s = u"Hello World"
    else:
        s = [ u'Hello', u'World']
-    for thing in s:
+    for thing in s: # $ Alert[py/iteration-string-and-sequence]
        print (thing)

 import fake_six
--- a/python/ql/test/2/query-tests/Summary/LinesOfCode.qlref
+++ b/python/ql/test/2/query-tests/Summary/LinesOfCode.qlref
@@ -1 +1 @@
-Summary/LinesOfCode.ql
+query: Summary/LinesOfCode.ql
--- a/python/ql/test/2/query-tests/Summary/LinesOfUserCode.qlref
+++ b/python/ql/test/2/query-tests/Summary/LinesOfUserCode.qlref
@@ -1 +1 @@
-Summary/LinesOfUserCode.ql
+query: Summary/LinesOfUserCode.ql
--- a/python/ql/test/2/query-tests/Variables/LeakyComp/LeakyComp.qlref
+++ b/python/ql/test/2/query-tests/Variables/LeakyComp/LeakyComp.qlref
@@ -1 +1,2 @@
-Variables/LeakingListComprehension.ql
+query: Variables/LeakingListComprehension.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Variables/LeakyComp/test.py
+++ b/python/ql/test/2/query-tests/Variables/LeakyComp/test.py
@@ -2,12 +2,12 @@ from __future__ import print_function

 def undefined_in_3():
    [x for x in range(3)]
-    print(x)
+    print(x) # $ Alert

 def different_in_3():
    y = 10
    [y for y in range(3)]
-    print(y)
+    print(y) # $ Alert

 def ok():
    [z for z in range(4)]
--- a/python/ql/test/2/query-tests/Variables/undefined/UndefinedExport.py
+++ b/python/ql/test/2/query-tests/Variables/undefined/UndefinedExport.py
@@ -1,6 +1,6 @@


-__all__ = [ "x", "y", "z", "module" ]
+__all__ = [ "x", "y", "z", "module" ] # $ Alert[py/undefined-export]

 x = 1
 if 0:
--- a/python/ql/test/2/query-tests/Variables/undefined/UndefinedExport.qlref
+++ b/python/ql/test/2/query-tests/Variables/undefined/UndefinedExport.qlref
@@ -1 +1,2 @@
-Variables/UndefinedExport.ql
+query: Variables/UndefinedExport.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Variables/undefined/UndefinedGlobal.qlref
+++ b/python/ql/test/2/query-tests/Variables/undefined/UndefinedGlobal.qlref
@@ -1 +1,2 @@
-Variables/UndefinedGlobal.ql
+query: Variables/UndefinedGlobal.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Variables/undefined/UninitializedLocal.qlref
+++ b/python/ql/test/2/query-tests/Variables/undefined/UninitializedLocal.qlref
@@ -1 +1,2 @@
-Variables/UninitializedLocal.ql
+query: Variables/UninitializedLocal.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/2/query-tests/Variables/undefined/package/init.py
+++ b/python/ql/test/2/query-tests/Variables/undefined/package/init.py
@@ -1 +1 @@
-__all__ = [ "module", "not_exists" ]
+__all__ = [ "module", "not_exists" ] # $ Alert[py/undefined-export]
--- a/python/ql/test/3/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.qlref
+++ b/python/ql/test/3/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.qlref
@@ -1 +1,2 @@
-Classes/DefineEqualsWhenAddingAttributes.ql
+query: Classes/DefineEqualsWhenAddingAttributes.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Classes/equals-attr/test.py
+++ b/python/ql/test/3/query-tests/Classes/equals-attr/test.py
@@ -9,7 +9,7 @@ class RedefineEquals:
    def __eq__(self, other):
        return other is "Tuesday"

-class C(RedefineEquals):
+class C(RedefineEquals): # $ Alert

    def __init__(self, args):
        self.a, self.b = args
--- a/python/ql/test/3/query-tests/Classes/inconsistent-mro/InconsistentMRO.qlref
+++ b/python/ql/test/3/query-tests/Classes/inconsistent-mro/InconsistentMRO.qlref
@@ -1 +1,2 @@
-Classes/InconsistentMRO.ql
+query: Classes/InconsistentMRO.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Classes/inconsistent-mro/inconsistent_mro.py
+++ b/python/ql/test/3/query-tests/Classes/inconsistent-mro/inconsistent_mro.py
@@ -6,12 +6,12 @@ class X(object):
 class Y(X):
    pass

-class Z(X, Y):
+class Z(X, Y): # $ Alert
    pass
    
 class O:
    pass
    
 #This is OK in Python 2
-class N(object, O):
+class N(object, O): # $ Alert
    pass
--- a/python/ql/test/3/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref
+++ b/python/ql/test/3/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref
@@ -1 +1,2 @@
-Classes/MaybeUndefinedClassAttribute.ql
+query: Classes/MaybeUndefinedClassAttribute.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref
+++ b/python/ql/test/3/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref
@@ -1 +1,2 @@
-Classes/UndefinedClassAttribute.ql
+query: Classes/UndefinedClassAttribute.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Expressions/Arguments/WrongNameForArgumentInCall.qlref
+++ b/python/ql/test/3/query-tests/Expressions/Arguments/WrongNameForArgumentInCall.qlref
@@ -1 +1,2 @@
-Expressions/WrongNameForArgumentInCall.ql
+query: Expressions/WrongNameForArgumentInCall.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Expressions/Arguments/WrongNumberArgumentsInCall.qlref
+++ b/python/ql/test/3/query-tests/Expressions/Arguments/WrongNumberArgumentsInCall.qlref
@@ -1 +1,2 @@
-Expressions/WrongNumberArgumentsInCall.ql
+query: Expressions/WrongNumberArgumentsInCall.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Expressions/Arguments/wrong_arguments.py
+++ b/python/ql/test/3/query-tests/Expressions/Arguments/wrong_arguments.py
@@ -9,8 +9,8 @@ f(1, 2, 3, kw1=1)
 f(1, 2, kw1=1, kw2=2)

 #Not OK
-f(1, 2, 3, kw1=1, kw3=3)
-f(1, 2, 3, kw3=3)
+f(1, 2, 3, kw1=1, kw3=3) # $ Alert[py/call/wrong-named-argument]
+f(1, 2, 3, kw3=3) # $ Alert[py/call/wrong-named-argument]


 #ODASA-5897
@@ -21,4 +21,4 @@ def ok():
    return analyze_member_access(msg, original=original, chk=chk)

 def bad():
-    return analyze_member_access(msg, original, chk=chk)
+    return analyze_member_access(msg, original, chk=chk) # $ Alert[py/call/wrong-arguments]
--- a/python/ql/test/3/query-tests/Expressions/Formatting/WrongNumberArgumentsForFormat.qlref
+++ b/python/ql/test/3/query-tests/Expressions/Formatting/WrongNumberArgumentsForFormat.qlref
@@ -1 +1,2 @@
-Expressions/WrongNumberArgumentsForFormat.ql
+query: Expressions/WrongNumberArgumentsForFormat.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Expressions/TruncatedDivision/TruncatedDivision.qlref
+++ b/python/ql/test/3/query-tests/Expressions/TruncatedDivision/TruncatedDivision.qlref
@@ -1 +1,2 @@
-Expressions/TruncatedDivision.ql
+query: Expressions/TruncatedDivision.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Expressions/UseofApply/UseofApply.qlref
+++ b/python/ql/test/3/query-tests/Expressions/UseofApply/UseofApply.qlref
@@ -1 +1,2 @@
-Expressions/UseofApply.ql
+query: Expressions/UseofApply.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Imports/encoding_error/EncodingError.qlref
+++ b/python/ql/test/3/query-tests/Imports/encoding_error/EncodingError.qlref
@@ -1 +1,2 @@
-Imports/EncodingError.ql
+query: Imports/EncodingError.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Imports/syntax_error/EncodingError.qlref
+++ b/python/ql/test/3/query-tests/Imports/syntax_error/EncodingError.qlref
@@ -1 +1,2 @@
-Imports/EncodingError.ql
+query: Imports/EncodingError.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Imports/syntax_error/SyntaxError.qlref
+++ b/python/ql/test/3/query-tests/Imports/syntax_error/SyntaxError.qlref
@@ -1 +1,2 @@
-Imports/SyntaxError.ql
+query: Imports/SyntaxError.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Imports/syntax_error/bad_encoding.py
+++ b/python/ql/test/3/query-tests/Imports/syntax_error/bad_encoding.py
@@ -8,5 +8,5 @@
 # encoding:shift-jis

 def f():
-    print "Python <20>̊J<CC8A><4A><EFBFBD>́A1990 <20>N<EFBFBD><4E><EFBFBD>납<EFBFBD><EB82A9><EFBFBD>J<EFBFBD>n<EFBFBD><6E><EFBFBD><EFBFBD><EFBFBD>Ă<EFBFBD><C482>܂<EFBFBD>"
+    print "Python <20>̊J<CC8A><4A><EFBFBD>́A1990 <20>N<EFBFBD><4E><EFBFBD>납<EFBFBD><EB82A9><EFBFBD>J<EFBFBD>n<EFBFBD><6E><EFBFBD><EFBFBD><EFBFBD>Ă<EFBFBD><C482>܂<EFBFBD>" # $ Alert[py/encoding-error]
 """
--- a/python/ql/test/3/query-tests/Imports/syntax_error/nonsense.py
+++ b/python/ql/test/3/query-tests/Imports/syntax_error/nonsense.py
@@ -1,4 +1,4 @@
- `Twas brillig, and the slithy toves
+ `Twas brillig, and the slithy toves # $ Alert[py/syntax-error]
  Did gyre and gimble in the wabe:
 All mimsy were the borogoves,
  And the mome raths outgrabe.
--- a/python/ql/test/3/query-tests/Statements/general/ExecUsed.qlref
+++ b/python/ql/test/3/query-tests/Statements/general/ExecUsed.qlref
@@ -1 +1,2 @@
-Statements/ExecUsed.ql
+query: Statements/ExecUsed.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Statements/general/TopLevelPrint.qlref
+++ b/python/ql/test/3/query-tests/Statements/general/TopLevelPrint.qlref
@@ -1 +1,2 @@
-Statements/TopLevelPrint.ql
+query: Statements/TopLevelPrint.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Statements/general/module.py
+++ b/python/ql/test/3/query-tests/Statements/general/module.py
@@ -1,2 +1,2 @@
 #Top level prints in modules are bad
-print ("Side effect on import")
+print ("Side effect on import") # $ Alert[py/print-during-import]
--- a/python/ql/test/3/query-tests/Statements/general/statements_test.py
+++ b/python/ql/test/3/query-tests/Statements/general/statements_test.py
@@ -2,7 +2,7 @@


 def exec_used(val):
-    exec(val)
+    exec(val) # $ Alert[py/use-of-exec]

 #Top level print
 import module
--- a/python/ql/test/3/query-tests/Statements/iter/IterableStringOrSequence.qlref
+++ b/python/ql/test/3/query-tests/Statements/iter/IterableStringOrSequence.qlref
@@ -1 +1,2 @@
-Statements/IterableStringOrSequence.ql
+query: Statements/IterableStringOrSequence.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Statements/iter/NonIteratorInForLoop.qlref
+++ b/python/ql/test/3/query-tests/Statements/iter/NonIteratorInForLoop.qlref
@@ -1 +1,2 @@
-Statements/NonIteratorInForLoop.ql
+query: Statements/NonIteratorInForLoop.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Statements/iter/async_iterator.py
+++ b/python/ql/test/3/query-tests/Statements/iter/async_iterator.py
@@ -23,5 +23,5 @@ async def good():
        yield x

 async def bad():
-    async for x in MissingAiter():
+    async for x in MissingAiter(): # $ Alert[py/non-iterable-in-for-loop]
        yield x
--- a/python/ql/test/3/query-tests/Statements/iter/statements_test.py
+++ b/python/ql/test/3/query-tests/Statements/iter/statements_test.py
@@ -18,7 +18,7 @@ def f(x):
        s = u"Hello World"
    else:
        s = [ u'Hello', u'World']
-    for thing in s:
+    for thing in s: # $ Alert[py/iteration-string-and-sequence]
        print (thing)


@@ -31,7 +31,7 @@ class Color(Enum):
 def colors():
    for color in Color:
        print(color)
-    for color in 1:
+    for color in 1: # $ Alert[py/non-iterable-in-for-loop]
        print(color)

 colors()
--- a/python/ql/test/3/query-tests/Statements/unreachable/UnreachableCode.qlref
+++ b/python/ql/test/3/query-tests/Statements/unreachable/UnreachableCode.qlref
@@ -1 +1,2 @@
-Statements/UnreachableCode.ql
+query: Statements/UnreachableCode.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Statements/unreachable_suppressed/UnreachableCode.qlref
+++ b/python/ql/test/3/query-tests/Statements/unreachable_suppressed/UnreachableCode.qlref
@@ -1 +1,2 @@
-Statements/UnreachableCode.ql
+query: Statements/UnreachableCode.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Summary/LinesOfCode.qlref
+++ b/python/ql/test/3/query-tests/Summary/LinesOfCode.qlref
@@ -1 +1 @@
-Summary/LinesOfCode.ql
+query: Summary/LinesOfCode.ql
--- a/python/ql/test/3/query-tests/Summary/LinesOfUserCode.qlref
+++ b/python/ql/test/3/query-tests/Summary/LinesOfUserCode.qlref
@@ -1 +1 @@
-Summary/LinesOfUserCode.ql
+query: Summary/LinesOfUserCode.ql
--- a/python/ql/test/3/query-tests/Variables/undefined/UndefinedExport.py
+++ b/python/ql/test/3/query-tests/Variables/undefined/UndefinedExport.py
@@ -1,6 +1,6 @@


-__all__ = [ "x", "y", "z", "module", "w" ]
+__all__ = [ "x", "y", "z", "module", "w" ] # $ Alert[py/undefined-export]

 x = 1
 if 0:
--- a/python/ql/test/3/query-tests/Variables/undefined/UndefinedExport.qlref
+++ b/python/ql/test/3/query-tests/Variables/undefined/UndefinedExport.qlref
@@ -1 +1,2 @@
-Variables/UndefinedExport.ql
+query: Variables/UndefinedExport.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Variables/undefined/UninitializedLocal.qlref
+++ b/python/ql/test/3/query-tests/Variables/undefined/UninitializedLocal.qlref
@@ -1 +1,2 @@
-Variables/UninitializedLocal.ql
+query: Variables/UninitializedLocal.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/3/query-tests/Variables/undefined/enum_convert.py
+++ b/python/ql/test/3/query-tests/Variables/undefined/enum_convert.py
@@ -5,4 +5,4 @@ IntEnum._convert(
        __name__,
        lambda C: C.isupper() and C.startswith('AF_'))

-__all__ = [ "Maybe", "Maybe_not" ]
+__all__ = [ "Maybe", "Maybe_not" ] # $ Alert[py/undefined-export]
--- a/python/ql/test/3/query-tests/Variables/undefined/package/init.py
+++ b/python/ql/test/3/query-tests/Variables/undefined/package/init.py
@@ -1 +1 @@
-__all__ = [ "module", "not_exists" ]
+__all__ = [ "module", "not_exists" ] # $ Alert[py/undefined-export]
--- a/python/ql/test/experimental/library-tests/CallGraph-implicit-init/InlineCallGraphTest.qlref
+++ b/python/ql/test/experimental/library-tests/CallGraph-implicit-init/InlineCallGraphTest.qlref
@@ -1 +1 @@
-../CallGraph/InlineCallGraphTest.ql
+query: ../CallGraph/InlineCallGraphTest.ql
--- a/python/ql/test/experimental/library-tests/CallGraph-imports/InlineCallGraphTest.qlref
+++ b/python/ql/test/experimental/library-tests/CallGraph-imports/InlineCallGraphTest.qlref
@@ -1 +1 @@
-../CallGraph/InlineCallGraphTest.ql
+query: ../CallGraph/InlineCallGraphTest.ql
--- a/python/ql/test/experimental/library-tests/CallGraph-type-annotations/InlineCallGraphTest.qlref
+++ b/python/ql/test/experimental/library-tests/CallGraph-type-annotations/InlineCallGraphTest.qlref
@@ -1 +1 @@
-../CallGraph/InlineCallGraphTest.ql
+query: ../CallGraph/InlineCallGraphTest.ql
--- a/python/ql/test/experimental/library-tests/FindSubclass/Find.qlref
+++ b/python/ql/test/experimental/library-tests/FindSubclass/Find.qlref
@@ -1 +1 @@
-meta/ClassHierarchy/Find.ql
+query: meta/ClassHierarchy/Find.ql
--- a/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.py
+++ b/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.py
@@ -1,5 +1,5 @@
 # BAD, do not start class or interface name with lowercase letter
-class badName:
+class badName: # $ Alert

    def hello(self):
        print("hello")
--- a/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.qlref
+++ b/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.qlref
@@ -1 +1,2 @@
-experimental/Classes/NamingConventionsClasses.ql
+query: experimental/Classes/NamingConventionsClasses.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.py
+++ b/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.py
@@ -1,7 +1,7 @@
 class Test:

    # BAD, do not start function name with uppercase letter
-    def HelloWorld(self):
+    def HelloWorld(self): # $ Alert
        print("hello world")

    # GOOD, function name starts with lowercase letter
--- a/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.qlref
+++ b/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.qlref
@@ -1 +1,2 @@
-experimental/Functions/NamingConventionsFunctions.ql
+query: experimental/Functions/NamingConventionsFunctions.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-022bis/TarSlipImprov.ql
+query: experimental/Security/CWE-022bis/TarSlipImprov.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlipImprov.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlipImprov.py
@@ -12,14 +12,14 @@ import os.path
 unsafe_filename_tar = sys.argv[2]
 safe_filename_tar = "safe_path.tar"

-tar = tarfile.open(unsafe_filename_tar)
+tar = tarfile.open(unsafe_filename_tar) # $ Source[py/tarslip-extended]
 result = []
 for member in tar:
    if ".." in member.name:
        raise ValueError("Path in member name !!!")    
    result.append(member)
 path = unsafe_filename_tar
-tar.extractall(path=path, members=result)
+tar.extractall(path=path, members=result) # $ Alert[py/tarslip-extended]
 tar.close()


@@ -35,27 +35,27 @@ def members_filter1(tarfile):
        result.append(member)
    return result

-tar = tarfile.open(unsafe_filename_tar)
-tar.extractall(path=tempfile.mkdtemp(), members=members_filter1(tar))
+tar = tarfile.open(unsafe_filename_tar) # $ Source[py/tarslip-extended]
+tar.extractall(path=tempfile.mkdtemp(), members=members_filter1(tar)) # $ Alert[py/tarslip-extended]
 tar.close()


-with tarfile.open(unsafe_filename_tar) as tar:
+with tarfile.open(unsafe_filename_tar) as tar: # $ Source[py/tarslip-extended]
    for entry in tar:
        if ".." in entry.name:
            raise ValueError("Illegal tar archive entry")
-        tar.extract(entry, "/tmp/unpack/")
+        tar.extract(entry, "/tmp/unpack/") # $ Alert[py/tarslip-extended]


 def _validate_archive_name(name, target):
    if not os.path.abspath(os.path.join(target, name)).startswith(target + os.path.sep):
        raise ValueError(f"Provided language pack contains invalid name {name}")

-with tarfile.open(unsafe_filename_tar) as tar:
+with tarfile.open(unsafe_filename_tar) as tar: # $ Source[py/tarslip-extended]
    target = "/tmp/unpack"
    for entry in tar:
        _validate_archive_name(entry.name, target)
-        tar.extract(entry, target)
+        tar.extract(entry, target) # $ Alert[py/tarslip-extended]


 def members_filter2(tarfile):
@@ -85,10 +85,10 @@ def _validate_archive_name(name, target):
        raise ValueError(f"Provided language pack contains invalid name {name}")

 target = "/tmp/unpack"
-with tarfile.open(unsafe_filename_tar, "r") as tar:
+with tarfile.open(unsafe_filename_tar, "r") as tar: # $ Source[py/tarslip-extended]
    for info in tar.getmembers():
        _validate_tar_info(info, target)
-    tar.extractall(target)
+    tar.extractall(target) # $ Alert[py/tarslip-extended]


 def members_filter3(tarfile):
@@ -108,11 +108,11 @@ tar.extractall(path=tempfile.mkdtemp(), members=members_filter3(tar))
 tar.close()

    
-tar = tarfile.open(unsafe_filename_tar)
+tar = tarfile.open(unsafe_filename_tar) # $ Source[py/tarslip-extended]
 tarf = tar.getmembers()
 for f in tarf:
    if not f.issym():
-        tar.extractall(path=tempfile.mkdtemp(), members=[f])
+        tar.extractall(path=tempfile.mkdtemp(), members=[f]) # $ Alert[py/tarslip-extended]
 tar.close()


@@ -120,27 +120,27 @@ class MKTar(TarFile):
    pass

 tarball = unsafe_filename_tar
-with MKTar.open(name=tarball) as tar:
+with MKTar.open(name=tarball) as tar: # $ Source[py/tarslip-extended]
    for entry in tar:
-        tar._extract_member(entry, entry.name)
+        tar._extract_member(entry, entry.name) # $ Alert[py/tarslip-extended]


 tarball = unsafe_filename_tar
-with tarfile.open(tarball) as tar:
-    tar.extractall()
+with tarfile.open(tarball) as tar: # $ Source[py/tarslip-extended]
+    tar.extractall() # $ Alert[py/tarslip-extended]


-tar = tarfile.open(unsafe_filename_tar)
-tar.extractall(path=tempfile.mkdtemp(), members=None)
+tar = tarfile.open(unsafe_filename_tar) # $ Source[py/tarslip-extended]
+tar.extractall(path=tempfile.mkdtemp(), members=None) # $ Alert[py/tarslip-extended]


 class MKTar(tarfile.TarFile):
    pass

 tarball = unsafe_filename_tar
-with MKTar.open(name=tarball) as tar:
+with MKTar.open(name=tarball) as tar: # $ Source[py/tarslip-extended]
    for entry in tar:
-        tar._extract_member(entry, entry.name)
+        tar._extract_member(entry, entry.name) # $ Alert[py/tarslip-extended]


@contextmanager
@@ -148,7 +148,7 @@ def py2_tarxz(filename):
    with tempfile.TemporaryFile() as tmp:
        subprocess.check_call(["xz", "-dc", filename], stdout=tmp.fileno())
        tmp.seek(0)
-        with closing(tarfile.TarFile(fileobj=tmp)) as tf:
+        with closing(tarfile.TarFile(fileobj=tmp)) as tf: # $ Source[py/tarslip-extended]
            yield tf

 def unpack_tarball(tar_filename, dest):     
@@ -156,7 +156,7 @@ def unpack_tarball(tar_filename, dest):
        # Py 2.7 lacks lzma support
        tar_cm = py2_tarxz(tar_filename)
    else:
-        tar_cm = closing(tarfile.open(tar_filename))
+        tar_cm = closing(tarfile.open(tar_filename)) # $ Source[py/tarslip-extended]

    base_dir = None
    with tar_cm as tarc:
@@ -166,32 +166,32 @@ def unpack_tarball(tar_filename, dest):
                base_dir = base_name
            elif base_dir != base_name:
                print('Unexpected path in %s: %s' % (tar_filename, base_name))
-        tarc.extractall(dest)
+        tarc.extractall(dest) # $ Alert[py/tarslip-extended]
    return os.path.join(dest, base_dir)

 unpack_tarball(unsafe_filename_tar, "/tmp/unpack")


 tarball = unsafe_filename_tar
-with tarfile.open(name=tarball) as tar:
+with tarfile.open(name=tarball) as tar: # $ Source[py/tarslip-extended]
    for entry in tar:
-        tar._extract_member(entry, entry.name)
+        tar._extract_member(entry, entry.name) # $ Alert[py/tarslip-extended]


 tarball = unsafe_filename_tar
-with tarfile.open(name=tarball) as tar:
+with tarfile.open(name=tarball) as tar: # $ Source[py/tarslip-extended]
    for entry in tar:
-        tar.extract(entry, "/tmp/unpack/")
+        tar.extract(entry, "/tmp/unpack/") # $ Alert[py/tarslip-extended]


 tarball = unsafe_filename_tar
-tar = tarfile.open(tarball)
-tar.extractall("/tmp/unpack/")
+tar = tarfile.open(tarball) # $ Source[py/tarslip-extended]
+tar.extractall("/tmp/unpack/") # $ Alert[py/tarslip-extended]


 tarball = unsafe_filename_tar
-with tarfile.open(tarball, "r") as tar:
-    tar.extractall(path="/tmp/unpack/", members=tar)
+with tarfile.open(tarball, "r") as tar: # $ Source[py/tarslip-extended]
+    tar.extractall(path="/tmp/unpack/", members=tar) # $ Alert[py/tarslip-extended]


 def members_filter4(tarfile):
@@ -207,8 +207,8 @@ tar.extractall(path=tempfile.mkdtemp(), members=members_filter4(tar))
 tar.close()


-with tarfile.open(unsafe_filename_tar, "r") as tar:
-    tar.extractall(path="/tmp/unpack")
+with tarfile.open(unsafe_filename_tar, "r") as tar: # $ Source[py/tarslip-extended]
+    tar.extractall(path="/tmp/unpack") # $ Alert[py/tarslip-extended]


 def members_filter5(tarfile):
@@ -228,12 +228,12 @@ filename = unsafe_filename_tar
 tmp_dir = "/tmp/"

 read_type = "r:gz" if filename.endswith("tgz") else "r"
-with tarfile.open(filename, read_type) as corpus_tar:
+with tarfile.open(filename, read_type) as corpus_tar: # $ Source[py/tarslip-extended]
    members = []
    for f in corpus_tar:
        if not os.path.isfile(os.path.join(tmp_dir, f.name)):
            members.append(f)
-    corpus_tar.extractall(tmp_dir, members=members)
+    corpus_tar.extractall(tmp_dir, members=members) # $ Alert[py/tarslip-extended]


 def members_filter6(tarfile):
@@ -251,66 +251,66 @@ tar.close()

 archive_path = unsafe_filename_tar
 target_dir = "/tmp/unpack"
-tarfile.open(archive_path, "r").extractall(path=target_dir)
+tarfile.open(archive_path, "r").extractall(path=target_dir) # $ Alert[py/tarslip-extended]


 tarball = unsafe_filename_tar
-with tarfile.open(tarball) as tar:
+with tarfile.open(tarball) as tar: # $ Source[py/tarslip-extended]
    for entry in tar:
        if entry.isfile():
-            tar.extract(entry, "/tmp/unpack/")
+            tar.extract(entry, "/tmp/unpack/") # $ Alert[py/tarslip-extended]


-with tarfile.open(unsafe_filename_tar) as tar:
+with tarfile.open(unsafe_filename_tar) as tar: # $ Source[py/tarslip-extended]
    for entry in tar:
        if entry.name.startswith("/"):
            raise ValueError("Illegal tar archive entry")
-        tar.extract(entry, "/tmp/unpack/")
+        tar.extract(entry, "/tmp/unpack/") # $ Alert[py/tarslip-extended]

 tarball = unsafe_filename_tar
-with tarfile.TarFile(tarball, mode="r") as tar:
+with tarfile.TarFile(tarball, mode="r") as tar: # $ Source[py/tarslip-extended]
    for entry in tar:
        if entry.isfile():
-            tar.extract(entry, "/tmp/unpack/")
+            tar.extract(entry, "/tmp/unpack/") # $ Alert[py/tarslip-extended]

-with tarfile.open(unsafe_filename_tar) as tar:
+with tarfile.open(unsafe_filename_tar) as tar: # $ Source[py/tarslip-extended]
    for entry in tar:
        if os.path.isabs(entry.name):
            raise ValueError("Illegal tar archive entry")
-        tar.extract(entry, "/tmp/unpack/")
+        tar.extract(entry, "/tmp/unpack/") # $ Alert[py/tarslip-extended]


-with tarfile.TarFile(unsafe_filename_tar, mode="r") as tar:
-    tar.extractall(path="/tmp/unpack")
+with tarfile.TarFile(unsafe_filename_tar, mode="r") as tar: # $ Source[py/tarslip-extended]
+    tar.extractall(path="/tmp/unpack") # $ Alert[py/tarslip-extended]


-tar = tarfile.open(filename)
-tar.extractall(path=tempfile.mkdtemp(), members=tar.getmembers())
+tar = tarfile.open(filename) # $ Source[py/tarslip-extended]
+tar.extractall(path=tempfile.mkdtemp(), members=tar.getmembers()) # $ Alert[py/tarslip-extended]
 tar.close()


-tar = tarfile.open(unsafe_filename_tar)
-tar.extractall(path=tempfile.mkdtemp(), members=None)
+tar = tarfile.open(unsafe_filename_tar) # $ Source[py/tarslip-extended]
+tar.extractall(path=tempfile.mkdtemp(), members=None) # $ Alert[py/tarslip-extended]


 tar.extractall(path=tempfile.mkdtemp(), members=members_filter4(tar))
 tar.close()


-with tarfile.TarFile(unsafe_filename_tar, mode="r") as tar:
-    tar.extractall(path="/tmp/unpack/", members=tar)
+with tarfile.TarFile(unsafe_filename_tar, mode="r") as tar: # $ Source[py/tarslip-extended]
+    tar.extractall(path="/tmp/unpack/", members=tar) # $ Alert[py/tarslip-extended]


-tar = tarfile.open(unsafe_filename_tar)
+tar = tarfile.open(unsafe_filename_tar) # $ Source[py/tarslip-extended]
 result = []
 for member in tar:
    if member.issym():
        raise ValueError("But it is a symlink")   
    result.append(member)
-tar.extractall(path=tempfile.mkdtemp(), members=result)
+tar.extractall(path=tempfile.mkdtemp(), members=result) # $ Alert[py/tarslip-extended]
 tar.close()


 archive_path = unsafe_filename_tar
 target_dir = "/tmp/unpack"
-tarfile.TarFile(unsafe_filename_tar, mode="r").extractall(path=target_dir)
+tarfile.TarFile(unsafe_filename_tar, mode="r").extractall(path=target_dir) # $ Alert[py/tarslip-extended]
--- a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-022/ZipSlip.ql
+query: experimental/Security/CWE-022/ZipSlip.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/zipslip_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/zipslip_bad.py
@@ -5,35 +5,35 @@ import gzip
 import zipfile

 def unzip(filename):
-    with tarfile.open(filename) as zipf:
+    with tarfile.open(filename) as zipf: # $ Alert[py/zipslip]
    #BAD : This could write any file on the filesystem.
        for entry in zipf:
-            shutil.move(entry, "/tmp/unpack/")
+            shutil.move(entry, "/tmp/unpack/") # $ Sink[py/zipslip]

 def unzip1(filename):
-    with gzip.open(filename) as zipf:
+    with gzip.open(filename) as zipf: # $ Alert[py/zipslip]
    #BAD : This could write any file on the filesystem.
        for entry in zipf:
-            shutil.copy2(entry, "/tmp/unpack/")
+            shutil.copy2(entry, "/tmp/unpack/") # $ Sink[py/zipslip]

 def unzip2(filename):
-    with bz2.open(filename) as zipf:
+    with bz2.open(filename) as zipf: # $ Alert[py/zipslip]
    #BAD : This could write any file on the filesystem.
        for entry in zipf:
-            shutil.copyfile(entry, "/tmp/unpack/")
+            shutil.copyfile(entry, "/tmp/unpack/") # $ Sink[py/zipslip]

 def unzip3(filename):
    zf = zipfile.ZipFile(filename)
-    with zf.namelist() as filelist:
+    with zf.namelist() as filelist: # $ Alert[py/zipslip]
    #BAD : This could write any file on the filesystem.
        for x in filelist:
-            shutil.copy(x, "/tmp/unpack/")
+            shutil.copy(x, "/tmp/unpack/") # $ Sink[py/zipslip]

 def unzip4(filename):
    zf = zipfile.ZipFile(filename)
-    filelist = zf.namelist()
+    filelist = zf.namelist() # $ Alert[py/zipslip]
    for x in filelist:
        with zf.open(x) as srcf:
-            shutil.copyfileobj(x, "/tmp/unpack/")
+            shutil.copyfileobj(x, "/tmp/unpack/") # $ Sink[py/zipslip]

 import tty # to set the import root so we can identify the standard library
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-RemoteCommandExecution/RemoteCommandExecution.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-074-RemoteCommandExecution/RemoteCommandExecution.qlref
@@ -1 +1 @@
-experimental/Security/CWE-074/remoteCommandExecution/RemoteCommandExecution.ql
+query: experimental/Security/CWE-074/remoteCommandExecution/RemoteCommandExecution.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-079/EmailXss.ql
+query: experimental/Security/CWE-079/EmailXss.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-079/django_mail.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-079/django_mail.py
@@ -11,7 +11,7 @@ def django_response(request):
      https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L64
      """
    send_mail("Subject", "plain-text body", "from@example.com",
-              ["to@example.com"], html_message=django.http.request.GET.get("html"))
+              ["to@example.com"], html_message=django.http.request.GET.get("html")) # $ Alert


 def django_response(request):
@@ -20,6 +20,6 @@ def django_response(request):
    https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L90-L121
    """
    mail_admins("Subject", "plain-text body",
-                html_message=django.http.request.GET.get("html"))
+                html_message=django.http.request.GET.get("html")) # $ Alert
    mail_managers("Subject", "plain-text body",
-                  html_message=django.http.request.GET.get("html"))
+                  html_message=django.http.request.GET.get("html")) # $ Alert
--- a/python/ql/test/experimental/query-tests/Security/CWE-079/flask_mail.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-079/flask_mail.py
@@ -1,4 +1,4 @@
-from flask import request, Flask
+from flask import request, Flask # $ Source
 from flask_mail import Mail, Message

 app = Flask(__name__)
@@ -10,12 +10,12 @@ def send():
                sender="from@example.com",
                recipients=["to@example.com"],
                body="plain-text body",
-                html=request.args["html"])
+                html=request.args["html"]) # $ Alert

  # The message can contain a body and/or HTML:
  msg.body = "plain-text body"
  # The email's HTML can be set via msg.html or as an initialize argument when creating a Message object.
-  msg.html = request.args["html"]
+  msg.html = request.args["html"] # $ Alert

  mail.send(msg)

@@ -28,5 +28,5 @@ def connect():
    msg = Message(subject="Subject",
                  sender="from@example.com",
                  recipients=["to@example.com"],
-                  html=request.args["html"])
+                  html=request.args["html"]) # $ Alert
    conn.send(msg)
--- a/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_mail.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_mail.py
@@ -1,4 +1,4 @@
-from flask import request, Flask
+from flask import request, Flask # $ Source
 from sendgrid import SendGridAPIClient
 from sendgrid.helpers.mail import Mail, Email, To, Content, MimeType, HtmlContent

@@ -11,7 +11,7 @@ def send():
        from_email='from_email@example.com',
        to_emails='to@example.com',
        subject='Sending with Twilio SendGrid is Fun',
-        html_content=request.args["html_content"])
+        html_content=request.args["html_content"]) # $ Alert

    sg = SendGridAPIClient('SENDGRID_API_KEY')
    sg.send(message)
@@ -23,7 +23,7 @@ def send():
        from_email='from_email@example.com',
        to_emails='to@example.com',
        subject='Sending with Twilio SendGrid is Fun',
-        html_content=HtmlContent(request.args["html_content"]))
+        html_content=HtmlContent(request.args["html_content"])) # $ Alert

    sg = SendGridAPIClient('SENDGRID_API_KEY')
    sg.send(message)
@@ -34,7 +34,7 @@ def send_post():
    from_email = Email("test@example.com")
    to_email = To("test@example.com")
    subject = "Sending with SendGrid is Fun"
-    html_content = Content("text/html", request.args["html_content"])
+    html_content = Content("text/html", request.args["html_content"]) # $ Alert
    plain_content = Content("text/plain", request.args["plain_content"])

    mail = Mail(from_email, to_email, subject, plain_content, html_content)
--- a/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_via_mail_send_post_request_body_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_via_mail_send_post_request_body_bad.py
@@ -1,6 +1,6 @@
 import sendgrid
 import os
-from flask import request, Flask
+from flask import request, Flask # $ Source

 app = Flask(__name__)

@@ -13,7 +13,7 @@ def send():
        "content": [
            {
                "type": "text/html",
-                "value": "<html>{}</html>".format(request.args["html_content"])
+                "value": "<html>{}</html>".format(request.args["html_content"]) # $ Alert
            }
        ],
        "from": {
@@ -24,7 +24,7 @@ def send():
        "mail_settings": {
            "footer": {
                "enable": True,
-                "html": "<html>{}</html>".format(request.args["html_footer"]),
+                "html": "<html>{}</html>".format(request.args["html_footer"]), # $ Alert
                "text": "Thanks,/n The SendGrid Team"
            },
        },
@@ -38,7 +38,7 @@ def send():
        "tracking_settings": {
            "subscription_tracking": {
                "enable": True,
-                "html": "<html>{}</html>".format(request.args["html_tracking"]),
+                "html": "<html>{}</html>".format(request.args["html_tracking"]), # $ Alert
                "substitution_tag": "<%click here%>",
                "text": "If you would like to unsubscribe and stop receiving these emails <% click here %>."
            }
--- a/python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_subparts.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_subparts.py
@@ -1,5 +1,5 @@
 # This test checks that the developer doesn't pass a MIMEText instance to a MIMEMultipart initializer via the subparts parameter.
-from flask import Flask, request
+from flask import Flask, request # $ Source
 import json
 import smtplib
 import ssl
@@ -21,7 +21,7 @@ def email_person():

    # Turn these into plain/html MIMEText objects
    part1 = MIMEText(text, "plain")
-    part2 = MIMEText(html, "html")
+    part2 = MIMEText(html, "html") # $ Alert

    message = MIMEMultipart(_subparts=(part1, part2))
    message["Subject"] = "multipart test"
--- a/Show More
+++ b/Show More