python: Inline expectation should have space after $

This was a regex-find-replace from `# \$(?! )` (using a negative lookahead) to `# $ `.
2026-04-27 09:45:15 +02:00 · 2026-03-04 11:42:07 +00:00
parent 0eccd902c2
commit 5a97348e78
61 changed files with 784 additions and 785 deletions
--- a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/UnsafeUnpack.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/UnsafeUnpack.py
@@ -1,6 +1,6 @@
 import requests
 import shutil
-import os 
+import os

 from flask import Flask, request
 app = Flask(__name__)
@@ -16,8 +16,8 @@ def download_from_url():
            with open(tarpath, "wb") as f:
                  f.write(response.raw.read())
            untarredpath = "/tmp/tmp123"
-            shutil.unpack_archive(tarpath, untarredpath)  # $result=BAD
-        
+            shutil.unpack_archive(tarpath, untarredpath)  # $ result=BAD
+

 # A source catching an S3 filename download
 # see boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.download_file
@@ -31,7 +31,7 @@ bucket_name = "mybucket"

 s3 = boto3.client('s3')
 s3.download_file(bucket_name, remote_ziped_name, local_ziped_path)
-shutil.unpack_archive(local_ziped_path, base_dir)  # $result=BAD
+shutil.unpack_archive(local_ziped_path, base_dir)  # $ result=BAD


 # wget
@@ -45,11 +45,11 @@ base_dir = "/tmp/basedir"

 # download(url, out, bar) contains out parameter
 wget.download(url, compressed_file)
-shutil.unpack_archive(compressed_file, base_dir) # $result=BAD
+shutil.unpack_archive(compressed_file, base_dir) # $ result=BAD

 # download(url) returns filename
 compressed_file = wget.download(url)
-shutil.unpack_archive(compressed_file, base_dir) # $result=BAD
+shutil.unpack_archive(compressed_file, base_dir) # $ result=BAD


 # A source coming from a CLI argparse module
@@ -63,7 +63,7 @@ parser.add_argument('filename', help='filename to be provided')

 args = parser.parse_args()
 compressed_file = args.filename
-shutil.unpack_archive(compressed_file, base_dir) # $result=BAD
+shutil.unpack_archive(compressed_file, base_dir) # $ result=BAD


 # A source coming from a CLI and downloaded
@@ -83,8 +83,8 @@ response = requests.get(url_filename, stream=True)
 tarpath = "/tmp/tmp456/tarball.tar.gz"
 with open(tarpath, "wb") as f:
      f.write(response.raw.read())
-      
-shutil.unpack_archive(tarpath, base_dir) # $result=BAD
+
+shutil.unpack_archive(tarpath, base_dir) # $ result=BAD

 # the django upload functionality
 # see HttpRequest.FILES: https://docs.djangoproject.com/en/4.1/ref/request-response/#django.http.HttpRequest.FILES
@@ -97,19 +97,19 @@ def simple_upload(request):
      base_dir = "/tmp/baase_dir"
      if request.method == 'POST':
            # Read uploaded files by chunks of data
-            # see chunks(): https://docs.djangoproject.com/en/4.1/ref/files/uploads/#django.core.files.uploadedfile.UploadedFile.chunks 
+            # see chunks(): https://docs.djangoproject.com/en/4.1/ref/files/uploads/#django.core.files.uploadedfile.UploadedFile.chunks
            savepath = os.path.join(base_dir, "tarball_compressed.tar.gz")
            with open(savepath, 'wb+') as wfile:
                  for chunk in request.FILES["ufile1"].chunks():
                        wfile.write(chunk)
-            shutil.unpack_archive(savepath, base_dir) # $result=BAD
+            shutil.unpack_archive(savepath, base_dir) # $ result=BAD

            # Write in binary the uploaded tarball
            myfile = request.FILES.get("ufile1")
            file_path = os.path.join(base_dir, "tarball.tar")
            with file_path.open('wb') as f:
                  f.write(myfile.read())
-            shutil.unpack_archive(file_path, base_dir) # $result=BAD
+            shutil.unpack_archive(file_path, base_dir) # $ result=BAD

            # Save uploaded files using FileSystemStorage Django API
            # see FileSystemStorage: https://docs.djangoproject.com/en/4.1/ref/files/storage/#django.core.files.storage.FileSystemStorage
@@ -117,8 +117,8 @@ def simple_upload(request):
                  fs = FileSystemStorage()
                  filename = fs.save(ufile.name, ufile)
                  uploaded_file_path = fs.path(filename)
-                  shutil.unpack_archive(uploaded_file_path, base_dir) # $result=BAD
-            
+                  shutil.unpack_archive(uploaded_file_path, base_dir) # $ result=BAD
+
            return render(request, 'simple_upload.html')

      elif request.method == 'GET':
@@ -126,7 +126,7 @@ def simple_upload(request):


 import shutil
-import os 
+import os
 import tarfile
 import tempfile
 import argparse
@@ -139,8 +139,8 @@ parser.add_argument('filename', help='filename to be provided')
 args = parser.parse_args()
 unsafe_filename_tar = args.filename
 with tarfile.TarFile(unsafe_filename_tar, mode="r") as tar:
-    tar.extractall(path="/tmp/unpack/", members=tar) # $result=BAD
-tar = tarfile.open(unsafe_filename_tar)   
+    tar.extractall(path="/tmp/unpack/", members=tar) # $ result=BAD
+tar = tarfile.open(unsafe_filename_tar)


 from django.shortcuts import render
@@ -152,7 +152,7 @@ def simple_upload(request):
      base_dir = "/tmp/baase_dir"
      if request.method == 'POST':
            # Read uploaded files by chunks of data
-            # see chunks(): https://docs.djangoproject.com/en/4.1/ref/files/uploads/#django.core.files.uploadedfile.UploadedFile.chunks 
+            # see chunks(): https://docs.djangoproject.com/en/4.1/ref/files/uploads/#django.core.files.uploadedfile.UploadedFile.chunks
            savepath = os.path.join(base_dir, "tarball_compressed.tar.gz")
            with open(savepath, 'wb+') as wfile:
                  for chunk in request.FILES["ufile1"].chunks():
@@ -160,11 +160,11 @@ def simple_upload(request):

                  tar = tarfile.open(savepath)
                  result = []
-                  for member in tar:      
-                      if member.issym():  
-                          raise ValueError("But it is a symlink")       
-                      result.append(member)     
-                  tar.extractall(path=tempfile.mkdtemp(), members=result) # $result=BAD   
+                  for member in tar:
+                      if member.issym():
+                          raise ValueError("But it is a symlink")
+                      result.append(member)
+                  tar.extractall(path=tempfile.mkdtemp(), members=result) # $ result=BAD
                  tar.close()


@@ -173,7 +173,7 @@ tarpath = "/tmp/tmp456/tarball.tar.gz"
 with open(tarpath, "wb") as f:
      f.write(response.raw.read())
 target_dir = "/tmp/unpack"
-tarfile.TarFile(tarpath, mode="r").extractall(path=target_dir) # $result=BAD
+tarfile.TarFile(tarpath, mode="r").extractall(path=target_dir) # $ result=BAD


 from pathlib import Path
@@ -183,7 +183,7 @@ import boto3
 def default_session() -> boto3.Session:
    _SESSION = None
    if _SESSION is None:
-        _SESSION = boto3.Session() 
+        _SESSION = boto3.Session()
    return _SESSION

 cache = False
@@ -198,4 +198,4 @@ with tempfile.NamedTemporaryFile(suffix=".tar.gz") as tmp:
          target = cache_dir
      else:
          target = Path(tempfile.mkdtemp())
-      shutil.unpack_archive(tmp.name, target) # $result=BAD
+      shutil.unpack_archive(tmp.name, target) # $ result=BAD
--- a/python/ql/test/experimental/query-tests/Security/CWE-1427-PromptInjection/agent_instructions.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-1427-PromptInjection/agent_instructions.py
@@ -6,7 +6,7 @@ app = Flask(__name__)
 def get_input1():
    input = request.args.get("input")

-    agent = Agent(name="Assistant", instructions="This prompt is customized for " + input) # $Alert[py/prompt-injection]
+    agent = Agent(name="Assistant", instructions="This prompt is customized for " + input) # $ Alert[py/prompt-injection]

    result = Runner.run_sync(agent, "This is a user message.")
    print(result.final_output)
@@ -22,9 +22,9 @@ def get_input2():
        input=[
            {
                "role": "user",
-                "content": input, # $Alert[py/prompt-injection]
+                "content": input, # $ Alert[py/prompt-injection]
            }
-        ] 
+        ]
    )

    result2 = Runner.run_sync(
@@ -32,7 +32,7 @@ def get_input2():
        [
            {
                "role": "user",
-                "content": input, # $Alert[py/prompt-injection]
+                "content": input, # $ Alert[py/prompt-injection]
            }
-        ] 
+        ]
    )
--- a/python/ql/test/experimental/query-tests/Security/CWE-176/samples.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-176/samples.py
@@ -7,7 +7,7 @@ app = Flask(__name__)
@app.route("/unsafe1")
 def unsafe1():
    user_input = escape(request.args.get("ui"))
-    normalized_user_input = unicodedata.normalize("NFKC", user_input)  # $result=BAD
+    normalized_user_input = unicodedata.normalize("NFKC", user_input)  # $ result=BAD
    return render_template("result.html", normalized_user_input=normalized_user_input)


@@ -17,7 +17,7 @@ def unsafe1bis():
    if user_input.isascii():
        normalized_user_input = user_input
    else:
-        normalized_user_input = unicodedata.normalize("NFC", user_input)  # $result=BAD
+        normalized_user_input = unicodedata.normalize("NFC", user_input)  # $ result=BAD
    return render_template("result.html", normalized_user_input=normalized_user_input)


@@ -25,6 +25,6 @@ def unsafe1bis():
 def safe1():
    normalized_user_input = unicodedata.normalize(
        "NFKC", request.args.get("ui")
-    )  # $result=OK
+    )  # $ result=OK
    user_input = escape(normalized_user_input)
    return render_template("result.html", normalized_user_input=user_input)