python: Inline expectation should have space after $

This was a regex-find-replace from `# \$(?! )` (using a negative lookahead) to `# $ `.
2026-04-29 02:35:15 +02:00 · 2026-03-04 11:42:07 +00:00
parent 0eccd902c2
commit 5a97348e78
61 changed files with 784 additions and 785 deletions
--- a/python/ql/test/query-tests/Security/CWE-078-CommandInjection/command_injection.py
+++ b/python/ql/test/query-tests/Security/CWE-078-CommandInjection/command_injection.py
@@ -10,27 +10,27 @@ app = Flask(__name__)
 def command_injection1():
    files = request.args.get('files', '')
    # Don't let files be `; rm -rf /`
-    os.system("ls " + files) # $result=BAD
+    os.system("ls " + files) # $ result=BAD


@app.route("/command2")
 def command_injection2():
    files = request.args.get('files', '')
    # Don't let files be `; rm -rf /`
-    subprocess.Popen("ls " + files, shell=True) # $result=BAD
+    subprocess.Popen("ls " + files, shell=True) # $ result=BAD


@app.route("/command3")
 def first_arg_injection():
    cmd = request.args.get('cmd', '')
-    subprocess.Popen([cmd, "param1"]) # $result=BAD
+    subprocess.Popen([cmd, "param1"]) # $ result=BAD


@app.route("/other_cases")
 def others():
    files = request.args.get('files', '')
    # Don't let files be `; rm -rf /`
-    os.popen("ls " + files) # $result=BAD
+    os.popen("ls " + files) # $ result=BAD


@app.route("/multiple")
@@ -38,8 +38,8 @@ def multiple():
    command = request.args.get('command', '')
    # We should mark flow to both calls here, which conflicts with removing flow out of
    # a sink due to use-use flow.
-    os.system(command) # $result=BAD
-    os.system(command) # $result=BAD
+    os.system(command) # $ result=BAD
+    os.system(command) # $ result=BAD


@app.route("/not-into-sink-impl")
@@ -52,11 +52,11 @@ def not_into_sink_impl():
    subprocess.call implementation: https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/subprocess.py#L341
    """
    command = request.args.get('command', '')
-    os.system(command) # $result=BAD
-    os.popen(command) # $result=BAD
-    subprocess.call(command) # $result=BAD
-    subprocess.check_call(command) # $result=BAD
-    subprocess.run(command) # $result=BAD
+    os.system(command) # $ result=BAD
+    os.popen(command) # $ result=BAD
+    subprocess.call(command) # $ result=BAD
+    subprocess.check_call(command) # $ result=BAD
+    subprocess.run(command) # $ result=BAD


@app.route("/path-exists-not-sanitizer")
@@ -70,11 +70,11 @@ def path_exists_not_sanitizer():
    """
    path = request.args.get('path', '')
    if os.path.exists(path):
-        os.system("ls " + path) # $result=BAD
+        os.system("ls " + path) # $ result=BAD


@app.route("/restricted-characters")
 def restricted_characters():
    path = request.args.get('path', '')
    if re.match(r'^[a-zA-Z0-9_-]+$', path):
-        os.system("ls " + path) # $SPURIOUS: result=BAD
+        os.system("ls " + path) # $ SPURIOUS: result=BAD