Python: Update inline-expectation tests

Author: MathiasVP

python/ql/test/experimental/dataflow/global-flow/test.py

@@ -6,7 +6,7 @@
 
 # Multiple assignment
 
-g1, g2 = [6], [7] # $writes=g1 $writes=g2
+g1, g2 = [6], [7] # $writes=g1 writes=g2
 
 # Assignment that's only referenced in this scope. This one will not give rise to a `ModuleVariableNode`.
 
@@ -22,7 +22,7 @@
 
 # The following assignment should not be a `ModuleVariableNode`,
 # but currently our analysis thinks `g_mod` might be used in the `print` call
-g_mod = [10] # $f+:writes=g_mod
+g_mod = [10] # $ SPURIOUS: writes=g_mod
 print("foo")
 g_mod = [100] # $writes=g_mod
 
@@ -81,10 +81,10 @@ def use_foo():
 
 # Partial imports
 
-from bar import baz_attr, quux_attr # $writes=baz_attr $writes=quux_attr
+from bar import baz_attr, quux_attr # $writes=baz_attr writes=quux_attr
 
 def use_partial_import():
-    print(baz_attr, quux_attr) # $reads=baz_attr $reads=quux_attr
+    print(baz_attr, quux_attr) # $reads=baz_attr reads=quux_attr
 
 # Aliased imports
 

python/ql/test/experimental/dataflow/typetracking/attribute_tests.py

@@ -3,99 +3,99 @@ class SomeClass:
 
 def simple_read_write():
     x = SomeClass() # $tracked=foo
-    x.foo = tracked # $tracked $tracked=foo
-    y = x.foo # $tracked=foo $tracked
+    x.foo = tracked # $tracked tracked=foo
+    y = x.foo # $tracked=foo tracked
     do_stuff(y) # $tracked
 
 def foo():
     x = SomeClass() # $tracked=attr
     bar(x) # $tracked=attr
-    x.attr = tracked # $tracked=attr $tracked
+    x.attr = tracked # $tracked=attr tracked
     baz(x) # $tracked=attr
 
 def bar(x): # $tracked=attr
-    z = x.attr # $tracked $tracked=attr
+    z = x.attr # $tracked tracked=attr
     do_stuff(z) # $tracked
 
-def expects_int(x): # $int=field $f+:str=field
-    do_int_stuff(x.field) # $int $f+:str $int=field $f+:str=field
+def expects_int(x): # $int=field SPURIOUS: str=field
+    do_int_stuff(x.field) # $int int=field SPURIOUS: str str=field
 
-def expects_string(x): # $f+:int=field $str=field
-    do_string_stuff(x.field) # $f+:int $str $f+:int=field $str=field
+def expects_string(x): # $ str=field SPURIOUS: int=field
+    do_string_stuff(x.field) # $str str=field SPURIOUS: int int=field
 
 def test_incompatible_types():
     x = SomeClass() # $int,str=field
-    x.field = int(5) # $int=field $f+:str=field $int $f+:str
-    expects_int(x) # $int=field $f+:str=field
-    x.field = str("Hello") # $f+:int=field $str=field $f+:int $str
-    expects_string(x) # $f+:int=field $str=field
+    x.field = int(5) # $int=field int SPURIOUS: str=field str
+    expects_int(x) # $int=field SPURIOUS: str=field
+    x.field = str("Hello") # $str=field str SPURIOUS: int=field int
+    expects_string(x) # $ str=field SPURIOUS: int=field
 
 
 # Attributes assigned statically to a class
 
 class MyClass: # $tracked=field
     field = tracked # $tracked
 
-lookup = MyClass.field # $tracked $tracked=field
+lookup = MyClass.field # $tracked tracked=field
 instance = MyClass() # $tracked=field
-lookup2 = instance.field # $f-:tracked
+lookup2 = instance.field # MISSING: tracked
 
 ## Dynamic attribute access
 
 # Via `getattr`/`setattr`
 
 def setattr_immediate_write():
     x = SomeClass() # $tracked=foo
-    setattr(x,"foo", tracked) # $tracked $tracked=foo
-    y = x.foo # $tracked $tracked=foo
+    setattr(x,"foo", tracked) # $tracked tracked=foo
+    y = x.foo # $tracked tracked=foo
     do_stuff(y) # $tracked
 
 def getattr_immediate_read():
     x = SomeClass() # $tracked=foo
-    x.foo = tracked # $tracked $tracked=foo
-    y = getattr(x,"foo") # $tracked $tracked=foo
+    x.foo = tracked # $tracked tracked=foo
+    y = getattr(x,"foo") # $tracked tracked=foo
     do_stuff(y) # $tracked
 
 def setattr_indirect_write():
     attr = "foo"
     x = SomeClass() # $tracked=foo
-    setattr(x, attr, tracked) # $tracked $tracked=foo
-    y = x.foo # $tracked $tracked=foo
+    setattr(x, attr, tracked) # $tracked tracked=foo
+    y = x.foo # $tracked tracked=foo
     do_stuff(y) # $tracked
 
 def getattr_indirect_read():
     attr = "foo"
     x = SomeClass() # $tracked=foo
-    x.foo = tracked # $tracked $tracked=foo
-    y = getattr(x, attr) #$tracked $tracked=foo
+    x.foo = tracked # $tracked tracked=foo
+    y = getattr(x, attr) #$tracked tracked=foo
     do_stuff(y) # $tracked
 
 # Via `__dict__` -- not currently implemented.
 
 def dunder_dict_immediate_write():
-    x = SomeClass() # $f-:tracked=foo
-    x.__dict__["foo"] = tracked # $tracked $f-:tracked=foo
-    y = x.foo # $f-:tracked $f-:tracked=foo
-    do_stuff(y) # $f-:tracked
+    x = SomeClass() # $ MISSING: tracked=foo
+    x.__dict__["foo"] = tracked # $tracked MISSING: tracked=foo
+    y = x.foo # $ MISSING: tracked tracked=foo
+    do_stuff(y) # $ MISSING: tracked
 
 def dunder_dict_immediate_read():
     x = SomeClass() # $tracked=foo
-    x.foo = tracked # $tracked $tracked=foo
-    y = x.__dict__["foo"] # $f-:tracked $tracked=foo
-    do_stuff(y) # $f-:tracked
+    x.foo = tracked # $tracked tracked=foo
+    y = x.__dict__["foo"] # $ tracked=foo MISSING: tracked
+    do_stuff(y) # $ MISSING: tracked
 
 def dunder_dict_indirect_write():
     attr = "foo"
-    x = SomeClass() # $f-:tracked=foo
-    x.__dict__[attr] = tracked # $tracked $f-:tracked=foo
-    y = x.foo # $f-:tracked $f-:tracked=foo
-    do_stuff(y) # $f-:tracked
+    x = SomeClass() # $ MISSING: tracked=foo
+    x.__dict__[attr] = tracked # $tracked MISSING: tracked=foo
+    y = x.foo # $ MISSING: tracked tracked=foo
+    do_stuff(y) # $ MISSING: tracked
 
 def dunder_dict_indirect_read():
     attr = "foo"
     x = SomeClass() # $tracked=foo
-    x.foo = tracked # $tracked $tracked=foo
-    y = x.__dict__[attr] # $f-:tracked $tracked=foo
-    do_stuff(y) # $f-:tracked
+    x.foo = tracked # $tracked tracked=foo
+    y = x.__dict__[attr] # $ tracked=foo MISSING: tracked
+    do_stuff(y) # $ MISSING: tracked
 
 

python/ql/test/experimental/dataflow/typetracking/test.py

@@ -27,7 +27,7 @@ def baz():
 def id(x): # $tracked
     return x # $tracked
 
-def use_tracked_quux(x): # $f-:tracked
+def use_tracked_quux(x): # $ MISSING: tracked
     do_stuff(y) # call after return -- not tracked in here.
 
 def quux():

python/ql/test/experimental/library-tests/frameworks/dill/Decoding.py

@@ -1,3 +1,3 @@
 import dill
 
-dill.loads(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=dill $decodeMayExecuteInput
+dill.loads(payload)  # $decodeInput=payload decodeOutput=Attribute() decodeFormat=dill decodeMayExecuteInput

python/ql/test/experimental/library-tests/frameworks/django-v1/routing_test.py

@@ -4,7 +4,7 @@
 from django.views.generic import View
 
 
-def url_match_xss(request, foo, bar, no_taint=None):  # $routeHandler $routedParameter=foo $routedParameter=bar
+def url_match_xss(request, foo, bar, no_taint=None):  # $routeHandler routedParameter=foo routedParameter=bar
     return HttpResponse('url_match_xss: {} {}'.format(foo, bar))
 
 
@@ -26,22 +26,22 @@ class Foo(object):
     # Note: since Foo is used as the super type in a class view, it will be able to handle requests.
 
 
-    def post(self, request, untrusted):  # $f-:routeHandler $f-:routedParameter=untrusted
+    def post(self, request, untrusted):  # $ MISSING: routeHandler routedParameter=untrusted
         return HttpResponse('Foo post: {}'.format(untrusted))
 
 
 class ClassView(View, Foo):
 
-    def get(self, request, untrusted):  # $f-:routeHandler $f-:routedParameter=untrusted
+    def get(self, request, untrusted):  # $ MISSING: routeHandler routedParameter=untrusted
         return HttpResponse('ClassView get: {}'.format(untrusted))
 
 
-def show_articles(request, page_number=1):  # $routeHandler $routedParameter=page_number
+def show_articles(request, page_number=1):  # $routeHandler routedParameter=page_number
     page_number = int(page_number)
     return HttpResponse('articles page: {}'.format(page_number))
 
 
-def xxs_positional_arg(request, arg0, arg1, no_taint=None):  # $routeHandler $routedParameter=arg0 $routedParameter=arg1
+def xxs_positional_arg(request, arg0, arg1, no_taint=None):  # $routeHandler routedParameter=arg0 routedParameter=arg1
     return HttpResponse('xxs_positional_arg: {} {}'.format(arg0, arg1))
 
 
@@ -62,7 +62,7 @@ def xxs_positional_arg(request, arg0, arg1, no_taint=None):  # $routeHandler $ro
 ################################################################################
 # Using patterns() for routing
 
-def show_user(request, username):  # $routeHandler $routedParameter=username
+def show_user(request, username):  # $routeHandler routedParameter=username
     return HttpResponse('show_user {}'.format(username))
 
 

python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py

@@ -4,7 +4,7 @@
 from django.views import View
 
 
-def url_match_xss(request, foo, bar, no_taint=None):  # $routeHandler $routedParameter=foo $routedParameter=bar
+def url_match_xss(request, foo, bar, no_taint=None):  # $routeHandler routedParameter=foo routedParameter=bar
     return HttpResponse('url_match_xss: {} {}'.format(foo, bar))
 
 
@@ -26,22 +26,22 @@ class Foo(object):
     # Note: since Foo is used as the super type in a class view, it will be able to handle requests.
 
 
-    def post(self, request, untrusted):  # $f-:routeHandler $f-:routedParameter=untrusted
+    def post(self, request, untrusted):  # $ MISSING: routeHandler routedParameter=untrusted
         return HttpResponse('Foo post: {}'.format(untrusted))
 
 
 class ClassView(View, Foo):
 
-    def get(self, request, untrusted):  # $f-:routeHandler $f-:routedParameter=untrusted
+    def get(self, request, untrusted):  #  $ MISSING: routeHandler routedParameter=untrusted
         return HttpResponse('ClassView get: {}'.format(untrusted))
 
 
-def show_articles(request, page_number=1):  # $routeHandler $routedParameter=page_number
+def show_articles(request, page_number=1):  # $routeHandler routedParameter=page_number
     page_number = int(page_number)
     return HttpResponse('articles page: {}'.format(page_number))
 
 
-def xxs_positional_arg(request, arg0, arg1, no_taint=None):  # $routeHandler $routedParameter=arg0 $routedParameter=arg1
+def xxs_positional_arg(request, arg0, arg1, no_taint=None):  # $routeHandler routedParameter=arg0 routedParameter=arg1
     return HttpResponse('xxs_positional_arg: {} {}'.format(arg0, arg1))
 
 
@@ -75,13 +75,13 @@ def re_path_kwargs(request):  # $routeHandler
 ################################################################################
 
 # saying page_number is an externally controlled *string* is a bit strange, when we have an int converter :O
-def page_number(request, page_number=1):  # $routeHandler $routedParameter=page_number
+def page_number(request, page_number=1):  # $routeHandler routedParameter=page_number
     return HttpResponse('page_number: {}'.format(page_number))
 
-def foo_bar_baz(request, foo, bar, baz):  # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz
+def foo_bar_baz(request, foo, bar, baz):  # $routeHandler routedParameter=foo routedParameter=bar routedParameter=baz
     return HttpResponse('foo_bar_baz: {} {} {}'.format(foo, bar, baz))
 
-def path_kwargs(request, foo, bar):  # $routeHandler $routedParameter=foo $routedParameter=bar
+def path_kwargs(request, foo, bar):  # $routeHandler routedParameter=foo routedParameter=bar
     return HttpResponse('path_kwargs: {} {} {}'.format(foo, bar))
 
 def not_valid_identifier(request):  # $routeHandler

python/ql/test/experimental/library-tests/frameworks/django-v2-v3/taint_test.py

@@ -3,7 +3,7 @@
 from django.http import HttpRequest
 
 
-def test_taint(request: HttpRequest, foo, bar, baz=None):  # $routeHandler $routedParameter=foo $routedParameter=bar
+def test_taint(request: HttpRequest, foo, bar, baz=None):  # $routeHandler routedParameter=foo routedParameter=bar
     ensure_tainted(foo, bar)
     ensure_not_tainted(baz)
 

python/ql/test/experimental/library-tests/frameworks/django/SqlExecution.py

@@ -23,7 +23,7 @@ def test_model():
     User.objects.annotate(RawSQL("foo"), RawSQL("bar"))  # $getSql="foo" $getSql="bar"
     User.objects.annotate(val=RawSQL("some sql"))  # $getSql="some sql"
     User.objects.extra("some sql")  # $getSql="some sql"
-    User.objects.extra(select="select", where="where", tables="tables", order_by="order_by")  # $getSql="select" $getSql="where" $getSql="tables" $getSql="order_by"
+    User.objects.extra(select="select", where="where", tables="tables", order_by="order_by")  # $getSql="select" getSql="where" getSql="tables" getSql="order_by"
 
     raw = RawSQL("so raw")
     User.objects.annotate(val=raw)  # $getSql="so raw"

python/ql/test/experimental/library-tests/frameworks/flask/old_test.py

@@ -11,7 +11,7 @@ def hello_world():  # $routeHandler
 
 class MyView(MethodView):
 
-    def get(self, user_id): # $f-:routeHandler
+    def get(self, user_id): # $ MISSING: routeHandler
         if user_id is None:
             # return a list of users
             pass
@@ -46,21 +46,21 @@ def safe():  # $routeHandler
     return make_response("Your name is " + escape(first_name))
 
 @app.route("/hello/<name>")  # $routeSetup="/hello/<name>"
-def hello(name):  # $routeHandler $routedParameter=name
+def hello(name):  # $routeHandler routedParameter=name
     return make_response("Your name is " + name)
 
 @app.route("/foo/<path:subpath>")  # $routeSetup="/foo/<path:subpath>"
-def foo(subpath):  # $routeHandler $routedParameter=subpath
+def foo(subpath):  # $routeHandler routedParameter=subpath
     return make_response("The subpath is " + subpath)
 
 @app.route("/multiple/")  # $routeSetup="/multiple/"
 @app.route("/multiple/foo/<foo>")  # $routeSetup="/multiple/foo/<foo>"
 @app.route("/multiple/bar/<bar>")  # $routeSetup="/multiple/bar/<bar>"
-def multiple(foo=None, bar=None):  # $routeHandler $routedParameter=foo $routedParameter=bar
+def multiple(foo=None, bar=None):  # $routeHandler routedParameter=foo routedParameter=bar
     return make_response("foo={!r} bar={!r}".format(foo, bar))
 
 @app.route("/complex/<string(length=2):lang_code>")  # $routeSetup="/complex/<string(length=2):lang_code>"
-def complex(lang_code):  # $routeHandler $routedParameter=lang_code
+def complex(lang_code):  # $routeHandler routedParameter=lang_code
     return make_response("lang_code {}".format(lang_code))
 
 if __name__ == "__main__":

python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py

@@ -16,14 +16,14 @@ def index():  # $routeHandler
 
 
 # We don't support this yet, and I think that's OK
-def later_set():  # $f-:routeHandler
+def later_set():  # $ MISSING: routeHandler
     return make_response("later_set")
 app.add_url_rule('/later-set', 'later_set', view_func=None)  # $routeSetup="/later-set"
 app.view_functions['later_set'] = later_set
 
 
 @app.route(UNKNOWN_ROUTE) # $routeSetup
-def unkown_route(foo, bar):  # $routeHandler $routedParameter=foo $routedParameter=bar
+def unkown_route(foo, bar):  # $routeHandler routedParameter=foo routedParameter=bar
     return make_response("unkown_route")