py: Inline expectation should have space before $

2026-04-26 17:25:19 +02:00 · 2026-03-04 12:09:22 +00:00
parent ea30f02271
commit 91b6801db1
69 changed files with 891 additions and 892 deletions
--- a/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/test.py
+++ b/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/test.py
@@ -1,31 +1,31 @@
 # Not OK
 def simple(l = [0]):
-    l[0] = 1  #$ modification=l
+    l[0] = 1  # $ modification=l
    return l

 # Not OK
 def slice(l = [0]):
-    l[0:1] = 1  #$ modification=l
+    l[0:1] = 1  # $ modification=l
    return l

 # Not OK
 def list_del(l = [0]):
-    del l[0]  #$ modification=l
+    del l[0]  # $ modification=l
    return l

 # Not OK
 def append_op(l = []):
-    l += [1, 2, 3]  #$ modification=l
+    l += [1, 2, 3]  # $ modification=l
    return l

 # Not OK
 def repeat_op(l = [0]):
-    l *= 3  #$ modification=l
+    l *= 3  # $ modification=l
    return l

 # Not OK
 def append(l = []):
-    l.append(1)  #$ modification=l
+    l.append(1)  # $ modification=l
    return l

 # OK
@@ -36,7 +36,7 @@ def includes(l = []):
    return x

 def extends(l):
-    l.extend([1])  #$ modification=l
+    l.extend([1])  # $ modification=l
    return l

 # Not OK
@@ -46,26 +46,26 @@ def deferred(l = []):

 # Not OK
 def nonempty(l = [5]):
-    l.append(1)  #$ modification=l
+    l.append(1)  # $ modification=l
    return l

 # Not OK
 def dict(d = {}):
-    d['a'] = 1  #$ modification=d
+    d['a'] = 1  # $ modification=d
    return d

 # Not OK
 def dict_nonempty(d = {'a': 1}):
-    d['a'] = 2  #$ modification=d
+    d['a'] = 2  # $ modification=d
    return d

 # OK
 def dict_nonempty_nochange(d = {'a': 1}):
-    d['a'] = 1  #$ SPURIOUS: modification=d
+    d['a'] = 1  # $ SPURIOUS: modification=d
    return d

 def modifies(d):
-    d['a'] = 1  #$ modification=d
+    d['a'] = 1  # $ modification=d
    return d

 # Not OK
@@ -75,21 +75,21 @@ def dict_deferred(d = {}):

 # Not OK
 def dict_method(d = {}):
-    d.update({'a': 1})  #$ modification=d
+    d.update({'a': 1})  # $ modification=d
    return d

 # Not OK
 def dict_method_nonempty(d = {'a': 1}):
-    d.update({'a': 2})  #$ modification=d
+    d.update({'a': 2})  # $ modification=d
    return d

 # OK
 def dict_method_nonempty_nochange(d = {'a': 1}):
-    d.update({'a': 1})  #$ SPURIOUS:modification=d
+    d.update({'a': 1})  # $ SPURIOUS:modification=d
    return d

 def modifies_method(d):
-    d.update({'a': 1})  #$ modification=d
+    d.update({'a': 1})  # $ modification=d
    return d

 # Not OK
@@ -106,55 +106,55 @@ def dict_includes(d = {}):

 # Not OK
 def dict_del(d = {'a': 1}):
-    del d['a']  #$ modification=d
+    del d['a']  # $ modification=d
    return d

 # Not OK
 def dict_update_op(d = {}):
    x = {'a': 1}
-    d |= x  #$ modification=d
+    d |= x  # $ modification=d
    return d

 # OK
 def dict_update_op_nochange(d = {}):
    x = {}
-    d |= x  #$ SPURIOUS: modification=d
+    d |= x  # $ SPURIOUS: modification=d
    return d

 def sanitizer(l = []):
    if l:
        l.append(1)
    else:
-        l.append(1)  #$ modification=l
+        l.append(1)  # $ modification=l
    return l

 def sanitizer_negated(l = [1]):
    if not l:
        l.append(1)
    else:
-        l.append(1)  #$ modification=l
+        l.append(1)  # $ modification=l
    return l

 def sanitizer(l = []):
    if not l:
-        l.append(1)  #$ modification=l
+        l.append(1)  # $ modification=l
    else:
        l.append(1)
    return l

 def sanitizer_negated(l = [1]):
    if l:
-        l.append(1)  #$ modification=l
+        l.append(1)  # $ modification=l
    else:
        l.append(1)
    return l

 # indirect modification of parameter with default
 def aug_assign_argument(x):
-    x += ['x'] #$ modification=x
+    x += ['x'] # $ modification=x

 def mutate_argument(x):
-    x.append('x') #$ modification=x
+    x.append('x') # $ modification=x

 def indirect_modification(y = []):
    aug_assign_argument(y)
@@ -182,9 +182,9 @@ def do_stuff_based_on_type(x):
    if isinstance(x, str):
        x = x.split()
    elif isinstance(x, dict):
-        x.setdefault('foo', 'bar') #$ modification=x
+        x.setdefault('foo', 'bar') # $ modification=x
    elif isinstance(x, list):
-        x.append(5) #$ modification=x
+        x.append(5) # $ modification=x
    elif isinstance(x, tuple):
        x = x.unknown_method()

--- a/python/ql/test/query-tests/Security/CWE-209-StackTraceExposure/Exceptions.py
+++ b/python/ql/test/query-tests/Security/CWE-209-StackTraceExposure/Exceptions.py
@@ -1,10 +1,10 @@
 try:
    1+2
-except Exception as e:  #$ exceptionInfo
+except Exception as e:  # $ exceptionInfo
    e

 def test_exception():
    try:
        1+2
-    except Exception as e:  #$ exceptionInfo
+    except Exception as e:  # $ exceptionInfo
        e
--- a/python/ql/test/query-tests/Security/CWE-209-StackTraceExposure/Stacktrace.py
+++ b/python/ql/test/query-tests/Security/CWE-209-StackTraceExposure/Stacktrace.py
@@ -3,13 +3,13 @@ import sys, traceback
 try:
    1/0
 except:
-    exc_type, exc_value, exc_traceback = sys.exc_info() #$ exceptionInfo
+    exc_type, exc_value, exc_traceback = sys.exc_info() # $ exceptionInfo

-    tb = traceback.extract_tb(exc_traceback) #$ exceptionInfo
-    stack = traceback.extract_stack() #$ exceptionInfo
-    print(traceback.format_exc(1, tb)) #$ exceptionInfo
-    print(traceback.format_exception(exc_type, exc_value, exc_traceback)) #$ exceptionInfo
-    print(traceback.format_exception_only(None, exc_value)) #$ exceptionInfo
-    print(traceback.format_list(stack)) #$ exceptionInfo
-    print(traceback.format_stack()) #$ exceptionInfo
-    print(traceback.format_tb(exc_traceback)) #$ exceptionInfo
+    tb = traceback.extract_tb(exc_traceback) # $ exceptionInfo
+    stack = traceback.extract_stack() # $ exceptionInfo
+    print(traceback.format_exc(1, tb)) # $ exceptionInfo
+    print(traceback.format_exception(exc_type, exc_value, exc_traceback)) # $ exceptionInfo
+    print(traceback.format_exception_only(None, exc_value)) # $ exceptionInfo
+    print(traceback.format_list(stack)) # $ exceptionInfo
+    print(traceback.format_stack()) # $ exceptionInfo
+    print(traceback.format_tb(exc_traceback)) # $ exceptionInfo
--- a/python/ql/test/query-tests/Security/CWE-209-StackTraceExposure/test.py
+++ b/python/ql/test/query-tests/Security/CWE-209-StackTraceExposure/test.py
@@ -13,14 +13,14 @@ def server_bad():
    try:
        do_computation()
    except Exception:
-        return traceback.format_exc()  #$ exceptionInfo
+        return traceback.format_exc()  # $ exceptionInfo

 # BAD
@app.route('/bad/direct')
 def server_bad_direct():
    try:
        do_computation()
-    except Exception as e:  #$ exceptionInfo
+    except Exception as e:  # $ exceptionInfo
        return e

 # BAD
@@ -28,7 +28,7 @@ def server_bad_direct():
 def server_bad_traceback():
    try:
        do_computation()
-    except Exception as e:  #$ exceptionInfo
+    except Exception as e:  # $ exceptionInfo
        return e.__traceback__

 # GOOD
@@ -37,7 +37,7 @@ def server_good():
    try:
        do_computation()
    except Exception:
-        log(traceback.format_exc())  #$ exceptionInfo
+        log(traceback.format_exc())  # $ exceptionInfo
        return "An internal error has occurred!"

 #BAD
@@ -46,7 +46,7 @@ def server_bad_flow():
    try:
        do_computation()
    except Exception:
-        err = traceback.format_exc()  #$ exceptionInfo
+        err = traceback.format_exc()  # $ exceptionInfo
        return format_error(err)

 def format_error(msg):
--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_mongoengine_bad.py
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_mongoengine_bad.py
@@ -19,7 +19,7 @@ def subclass_objects():
    unsafe_search = request.args['search']
    json_search = json.loads(unsafe_search)

-    return Movie.objects(__raw__=json_search)  #$ result=BAD
+    return Movie.objects(__raw__=json_search)  # $ result=BAD

@app.route("/get_db_find")
 def get_db_find():
@@ -27,7 +27,7 @@ def get_db_find():
    json_search = json.loads(unsafe_search)

    retrieved_db = db.get_db()
-    return retrieved_db["Movie"].find({'name': json_search})  #$ result=BAD
+    return retrieved_db["Movie"].find({'name': json_search})  # $ result=BAD

 # if __name__ == "__main__":
 #     app.run(debug=True)
--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_mongoengine_good.py
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_mongoengine_good.py
@@ -21,7 +21,7 @@ def subclass_objects():
    json_search = json.loads(unsafe_search)
    safe_search = sanitize(json_search)

-    return Movie.objects(__raw__=safe_search)  #$ result=OK
+    return Movie.objects(__raw__=safe_search)  # $ result=OK

 # if __name__ == "__main__":
 #     app.run(debug=True)
--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_pymongo_bad.py
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_pymongo_bad.py
@@ -11,7 +11,7 @@ def home_page():
    unsafe_search = request.args['search']
    json_search = json.loads(unsafe_search)

-    return mongo.db.user.find({'name': json_search})  #$ result=BAD
+    return mongo.db.user.find({'name': json_search})  # $ result=BAD

 # if __name__ == "__main__":
 #     app.run(debug=True)
--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_pymongo_good.py
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_pymongo_good.py
@@ -13,7 +13,7 @@ def home_page():
    json_search = json.loads(unsafe_search)
    safe_search = sanitize(json_search)

-    return mongo.db.user.find({'name': safe_search})  #$ result=OK
+    return mongo.db.user.find({'name': safe_search})  # $ result=OK

 # if __name__ == "__main__":
 #    app.run(debug=True)
--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/mongoengine_bad.py
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/mongoengine_bad.py
@@ -19,7 +19,7 @@ def connect_find():
    json_search = json.loads(unsafe_search)

    db = me.connect('mydb')
-    return db.movie.find({'name': json_search})  #$ result=BAD
+    return db.movie.find({'name': json_search})  # $ result=BAD

@app.route("/connection_connect_find")
 def connection_connect_find():
@@ -27,7 +27,7 @@ def connection_connect_find():
    json_search = json.loads(unsafe_search)

    db = connect('mydb')
-    return db.movie.find({'name': json_search})  #$ result=BAD
+    return db.movie.find({'name': json_search})  # $ result=BAD

@app.route("/get_db_find")
 def get_db_find():
@@ -35,7 +35,7 @@ def get_db_find():
    json_search = json.loads(unsafe_search)

    db = me.get_db()
-    return db.movie.find({'name': json_search})  #$ result=BAD
+    return db.movie.find({'name': json_search})  # $ result=BAD

@app.route("/connection_get_db_find")
 def connection_get_db_find():
@@ -43,14 +43,14 @@ def connection_get_db_find():
    json_search = json.loads(unsafe_search)

    db = get_db()
-    return db.movie.find({'name': json_search})  #$ result=BAD
+    return db.movie.find({'name': json_search})  # $ result=BAD

@app.route("/subclass_objects")
 def subclass_objects():
    unsafe_search = request.args['search']
    json_search = json.loads(unsafe_search)

-    return Movie.objects(__raw__=json_search)  #$ result=BAD
+    return Movie.objects(__raw__=json_search)  # $ result=BAD

@app.route("/subscript_find")
 def subscript_find():
@@ -58,7 +58,7 @@ def subscript_find():
    json_search = json.loads(unsafe_search)

    db = me.connect('mydb')
-    return db['movie'].find({'name': json_search})  #$ result=BAD
+    return db['movie'].find({'name': json_search})  # $ result=BAD

 # if __name__ == "__main__":
 #     app.run(debug=True)
--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/mongoengine_good.py
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/mongoengine_good.py
@@ -20,8 +20,8 @@ def connect_find():
    json_search = json.loads(unsafe_search)
    safe_search = sanitize(json_search)

-    db = me.connect('mydb')  
-    return db.movie.find({'name': safe_search})  #$ result=OK
+    db = me.connect('mydb')
+    return db.movie.find({'name': safe_search})  # $ result=OK

 # if __name__ == "__main__":
 #     app.run(debug=True)
--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/pymongo_test.py
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/pymongo_test.py
@@ -12,7 +12,7 @@ def bad():
    unsafe_search = request.args['search']
    json_search = json.loads(unsafe_search)

-    return client.db.collection.find_one({'data': json_search})  #$ result=BAD
+    return client.db.collection.find_one({'data': json_search})  # $ result=BAD


@app.route("/good")
@@ -21,7 +21,7 @@ def good():
    json_search = json.loads(unsafe_search)
    safe_search = sanitize(json_search)

-    return client.db.collection.find_one({'data': safe_search})  #$ result=OK
+    return client.db.collection.find_one({'data': safe_search})  # $ result=OK


@app.route("/bad2")
@@ -30,7 +30,7 @@ def bad2():
    client = MongoClient("localhost", 27017, maxPoolSize=50)
    db = client.localhost
    collection = db['collection']
-    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"})  #$ result=BAD
+    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"})  # $ result=BAD


@app.route("/bad3")
@@ -40,7 +40,7 @@ def bad3():
    client = MongoClient("localhost", 27017, maxPoolSize=50)
    db = client.get_database(name="localhost")
    collection = db.get_collection("collection")
-    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"})  #$ result=BAD
+    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"})  # $ result=BAD


@app.route("/bad4")