Python: Fixup CWE-079 tests

python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/ReflectedXss.expected

@@ -1,7 +0,0 @@
-edges
-| reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr |
-nodes
-| reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
-#select
-| reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr | reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr | Cross-site scripting vulnerability due to $@. | reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | a user-provided value |

python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/ReflectedXss.qlref

@@ -1 +0,0 @@
-experimental/Security-new-dataflow/CWE-079/ReflectedXss.ql

python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/reflected_xss.py

@@ -1,15 +0,0 @@
-from flask import Flask, request, make_response, escape
-
-app = Flask(__name__)
-
-
-@app.route("/unsafe")
-def unsafe():
-    first_name = request.args.get("name", "")
-    return make_response("Your name is " + first_name)  # NOT OK
-
-
-@app.route("/safe")
-def safe():
-    first_name = request.args.get("name", "")
-    return make_response("Your name is " + escape(first_name))  # OK

python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected

@@ -1,9 +1,7 @@
 edges
-| reflected_xss.py:7:18:7:29 | dict of externally controlled string | reflected_xss.py:7:18:7:45 | externally controlled string |
-| reflected_xss.py:7:18:7:29 | dict of externally controlled string | reflected_xss.py:7:18:7:45 | externally controlled string |
-| reflected_xss.py:7:18:7:45 | externally controlled string | reflected_xss.py:8:44:8:53 | externally controlled string |
-| reflected_xss.py:7:18:7:45 | externally controlled string | reflected_xss.py:8:44:8:53 | externally controlled string |
-| reflected_xss.py:8:44:8:53 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string |
-| reflected_xss.py:8:44:8:53 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string |
+| reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr |
+nodes
+| reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 #select
-| reflected_xss.py:8:26:8:53 | BinaryExpr | reflected_xss.py:7:18:7:29 | dict of externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string | Cross-site scripting vulnerability due to $@. | reflected_xss.py:7:18:7:29 | Attribute | a user-provided value |
+| reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr | reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr | Cross-site scripting vulnerability due to $@. | reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | a user-provided value |

python/ql/test/query-tests/Security/CWE-079/reflected_xss.py

@@ -2,12 +2,14 @@ from flask import Flask, request, make_response, escape
 
 app = Flask(__name__)
 
-@app.route('/unsafe')
-def unsafe():
-    first_name = request.args.get('name', '')
-    return make_response("Your name is " + first_name)
 
-@app.route('/safe')
+@app.route("/unsafe")
+def unsafe():
+    first_name = request.args.get("name", "")
+    return make_response("Your name is " + first_name)  # NOT OK
+
+
+@app.route("/safe")
 def safe():
-    first_name = request.args.get('name', '')
-    return make_response("Your name is " + escape(first_name))
+    first_name = request.args.get("name", "")
+    return make_response("Your name is " + escape(first_name))  # OK