Reformat inline expectations (space after $)

2026-04-23 15:55:18 +02:00 · 2025-01-27 14:36:26 +00:00
parent 05fb22e8ff
commit 9f3572d15a
5 changed files with 54 additions and 54 deletions
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java
@@ -19,18 +19,18 @@ public class JaxXSS {
    if(!safeContentType) {
      if(chainDirectly) {
        if(contentTypeFirst)
-          return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss
+          return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
        else
-          return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $xss
+          return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ xss
      }
      else {
        if(contentTypeFirst) {
          Response.ResponseBuilder builder2 = builder.type(MediaType.TEXT_HTML);
-          return builder2.entity(userControlled).build(); // $xss
+          return builder2.entity(userControlled).build(); // $ xss
        }
        else {
          Response.ResponseBuilder builder2 = builder.entity(userControlled);
-          return builder2.type(MediaType.TEXT_HTML).build(); // $xss
+          return builder2.type(MediaType.TEXT_HTML).build(); // $ xss
        }
      }
    }
@@ -105,39 +105,39 @@ public class JaxXSS {
    else {
      if(route == 0) {
        // via ok, as a string literal:
-        return Response.ok("text/html").entity(userControlled).build(); // $xss
+        return Response.ok("text/html").entity(userControlled).build(); // $ xss
      }
      else if(route == 1) {
        // via ok, as a string constant:
-        return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss
+        return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
      }
      else if(route == 2) {
        // via ok, as a MediaType constant:
-        return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $xss
+        return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ xss
      }
      else if(route == 3) {
        // via ok, as a Variant, via constructor:
-        return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $xss
+        return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss
      }
      else if(route == 4) {
        // via ok, as a Variant, via static method:
-        return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $xss
+        return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss
      }
      else if(route == 5) {
        // via ok, as a Variant, via instance method:
-        return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $xss
+        return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss
      }
      else if(route == 6) {
        // via builder variant, before entity:
-        return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $xss
+        return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss
      }
      else if(route == 7) {
        // via builder variant, after entity:
-        return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $xss
+        return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ xss
      }
      else if(route == 8) {
        // provide entity via ok, then content-type via builder:
-        return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $xss
+        return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ xss
      }
    }

@@ -162,27 +162,27 @@ public class JaxXSS {

  @GET @Produces(MediaType.TEXT_HTML)
  public static Response methodContentTypeUnsafe(String userControlled) {
-    return Response.ok(userControlled).build(); // $xss
+    return Response.ok(userControlled).build(); // $ xss
  }

  @POST @Produces(MediaType.TEXT_HTML)
  public static Response methodContentTypeUnsafePost(String userControlled) {
-    return Response.ok(userControlled).build(); // $xss
+    return Response.ok(userControlled).build(); // $ xss
  }

  @GET @Produces("text/html")
  public static Response methodContentTypeUnsafeStringLiteral(String userControlled) {
-    return Response.ok(userControlled).build(); // $xss
+    return Response.ok(userControlled).build(); // $ xss
  }

  @GET @Produces({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON})
  public static Response methodContentTypeMaybeSafe(String userControlled) {
-    return Response.ok(userControlled).build(); // $xss
+    return Response.ok(userControlled).build(); // $ xss
  }

  @GET @Produces(MediaType.APPLICATION_JSON)
  public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
-    return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss
+    return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
  }

  @GET @Produces(MediaType.TEXT_HTML)
@@ -205,12 +205,12 @@ public class JaxXSS {

    @GET @Produces({"text/html"})
    public Response overridesWithUnsafe(String userControlled) {
-      return Response.ok(userControlled).build(); // $xss
+      return Response.ok(userControlled).build(); // $ xss
    }

    @GET
    public Response overridesWithUnsafe2(String userControlled) {
-      return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss
+      return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
    }
  }

@@ -219,12 +219,12 @@ public class JaxXSS {
  public static class ClassContentTypeUnsafe {
    @GET
    public Response test(String userControlled) {
-      return Response.ok(userControlled).build(); // $xss
+      return Response.ok(userControlled).build(); // $ xss
    }

    @GET
    public String testDirectReturn(String userControlled) {
-      return userControlled; // $xss
+      return userControlled; // $ xss
    }

    @GET @Produces({"application/json"})
@@ -240,12 +240,12 @@ public class JaxXSS {

  @GET
  public static Response entityWithNoMediaType(String userControlled) {
-    return Response.ok(userControlled).build(); // $xss
+    return Response.ok(userControlled).build(); // $ xss
  }

  @GET
  public static String stringWithNoMediaType(String userControlled) {
-    return userControlled; // $xss
+    return userControlled; // $ xss
  }

-}
+}
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java
@@ -26,7 +26,7 @@ public class JsfXSS extends Renderer
        writer.write("(function(){");
        writer.write("dswh.init('" + windowId + "','"
                + "......" + "',"
-                + -1 + ",{"); // $xss
+                + -1 + ",{"); // $ xss
        writer.write("});");
        writer.write("})();");
        writer.write("</script>");
@@ -57,13 +57,13 @@ public class JsfXSS extends Renderer
    {
        ExternalContext ec = facesContext.getExternalContext();
        ResponseWriter writer = facesContext.getResponseWriter();
-        writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $xss
-        writer.write(ec.getRequestParameterNames().next()); // $xss
-        writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $xss
-        writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $xss
-        writer.write(ec.getRequestPathInfo()); // $xss
-        writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $xss
-        writer.write(ec.getRequestHeaderMap().get("someKey")); // $xss
-        writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $xss
+        writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ xss
+        writer.write(ec.getRequestParameterNames().next()); // $ xss
+        writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ xss
+        writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ xss
+        writer.write(ec.getRequestPathInfo()); // $ xss
+        writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ xss
+        writer.write(ec.getRequestHeaderMap().get("someKey")); // $ xss
+        writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ xss
    }
 }
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SetJavascriptEnabled.java
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SetJavascriptEnabled.java
@@ -6,7 +6,7 @@ import android.webkit.WebSettings;
 public class SetJavascriptEnabled {
    public static void configureWebViewUnsafe(WebView view) {
        WebSettings settings = view.getSettings();
-        settings.setJavaScriptEnabled(true); // $javascriptEnabled
+        settings.setJavaScriptEnabled(true); // $ javascriptEnabled
    }

    public static void configureWebViewSafe(WebView view) {
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
@@ -19,11 +19,11 @@ public class SpringXSS {

    if(!safeContentType) {
      if(chainDirectly) {
-        return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $xss
+        return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
      }
      else {
        ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.TEXT_HTML);
-        return builder2.body(userControlled); // $xss
+        return builder2.body(userControlled); // $ xss
      }
    }
    else {
@@ -60,22 +60,22 @@ public class SpringXSS {

  @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
  public static ResponseEntity<String> methodContentTypeUnsafe(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $xss
+    return ResponseEntity.ok(userControlled); // $ xss
  }

  @GetMapping(value = "/xyz", produces = "text/html")
  public static ResponseEntity<String> methodContentTypeUnsafeStringLiteral(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $xss
+    return ResponseEntity.ok(userControlled); // $ xss
  }

  @GetMapping(value = "/xyz", produces = {MediaType.TEXT_HTML_VALUE, MediaType.APPLICATION_JSON_VALUE})
  public static ResponseEntity<String> methodContentTypeMaybeSafe(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $xss
+    return ResponseEntity.ok(userControlled); // $ xss
  }

  @GetMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE)
  public static ResponseEntity<String> methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
-    return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $xss
+    return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
  }

  @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
@@ -88,13 +88,13 @@ public class SpringXSS {
    // Also try out some alternative constructors for the ResponseEntity:
    switch(constructionMethod) {
      case 0:
-      return ResponseEntity.ok(userControlled); // $xss
+      return ResponseEntity.ok(userControlled); // $ xss
      case 1:
-      return ResponseEntity.of(Optional.of(userControlled)); // $xss
+      return ResponseEntity.of(Optional.of(userControlled)); // $ xss
      case 2:
-      return ResponseEntity.ok().body(userControlled); // $xss
+      return ResponseEntity.ok().body(userControlled); // $ xss
      case 3:
-      return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $xss
+      return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $ xss
      default:
      return null;
    }
@@ -115,12 +115,12 @@ public class SpringXSS {

    @GetMapping(value = "/xyz", produces = {"text/html"})
    public ResponseEntity<String> overridesWithUnsafe(String userControlled) {
-      return ResponseEntity.ok(userControlled); // $xss
+      return ResponseEntity.ok(userControlled); // $ xss
    }

    @GetMapping(value = "/abc")
    public ResponseEntity<String> overridesWithUnsafe2(String userControlled) {
-      return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $xss
+      return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
    }
  }

@@ -129,12 +129,12 @@ public class SpringXSS {
  private static class ClassContentTypeUnsafe {
    @GetMapping(value = "/abc")
    public ResponseEntity<String> test(String userControlled) {
-      return ResponseEntity.ok(userControlled); // $xss
+      return ResponseEntity.ok(userControlled); // $ xss
    }

    @GetMapping(value = "/abc")
    public String testDirectReturn(String userControlled) {
-      return userControlled; // $xss
+      return userControlled; // $ xss
    }

    @GetMapping(value = "/xyz", produces = {"application/json"})
@@ -150,12 +150,12 @@ public class SpringXSS {

  @GetMapping(value = "/abc")
  public static ResponseEntity<String> entityWithNoMediaType(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $xss
+    return ResponseEntity.ok(userControlled); // $ xss
  }

  @GetMapping(value = "/abc")
  public static String stringWithNoMediaType(String userControlled) {
-    return userControlled; // $xss
+    return userControlled; // $ xss
  }

  @GetMapping(value = "/abc")
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java
@@ -16,7 +16,7 @@ public class XSS extends HttpServlet {
 			throws ServletException, IOException {
 		// BAD: a request parameter is written directly to the Servlet response stream
 		response.getWriter()
-				.print("The page \"" + request.getParameter("page") + "\" was not found."); // $xss
+				.print("The page \"" + request.getParameter("page") + "\" was not found."); // $ xss

 		// GOOD: servlet API encodes the error message HTML for the HTML context
 		response.sendError(HttpServletResponse.SC_NOT_FOUND,
@@ -31,10 +31,10 @@ public class XSS extends HttpServlet {
 				"The page \"" + capitalizeName(request.getParameter("page")) + "\" was not found.");

 		// BAD: outputting the path of the resource
-		response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $xss
+		response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $ xss

 		// BAD: typical XSS, this time written to an OutputStream instead of a Writer
-		response.getOutputStream().write(request.getPathInfo().getBytes()); // $xss
+		response.getOutputStream().write(request.getPathInfo().getBytes()); // $ xss

 		// GOOD: sanitizer
 		response.getOutputStream().write(hudson.Util.escape(request.getPathInfo()).getBytes()); // safe