C#: Inline expectation should have space after $

owen-mc · owen-mc · commit 45eb14975a3e · 2026-03-04T12:45:02.000Z
This was a regex-find-replace from `// \$(?! )` (using a negative lookahead) to `// $ `.
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/NoPolicy/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/NoPolicy/Program.cs
@@ -2,12 +2,12 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
 {
     public void CookieDefault()
     {
-        Response.Cookies.Append("auth", "value"); // $Alert // BAD: HttpOnly is set to false by default
+        Response.Cookies.Append("auth", "value"); // $ Alert // BAD: HttpOnly is set to false by default
     }
 
     public void CookieDefault2()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert
         Response.Cookies.Append("auth", "value", cookieOptions); // BAD: HttpOnly is set to false by default
     }
 
@@ -39,14 +39,14 @@ void CookieDirectTrueInitializer()
 
     void CookieDirectFalse()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert
         cookieOptions.HttpOnly = false;
         Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
     }
 
     void CookieDirectFalseInitializer()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = false }; // $Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = false }; // $ Alert
         Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
     }
 
@@ -67,7 +67,7 @@ void CookieIntermediateTrueInitializer()
 
     void CookieIntermediateFalse()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $MISSING:Alert
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ MISSING:Alert
         bool v = false;
         cookieOptions.HttpOnly = v;
         Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
@@ -76,7 +76,7 @@ void CookieIntermediateFalse()
     void CookieIntermediateFalseInitializer()
     {
         bool v = false;
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v }; // $MISSING:Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v }; // $ MISSING:Alert
         Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/Program.cs
@@ -13,7 +13,7 @@ void CookieDirectTrueInitializer()
 
     void CookieDefault()
     {
-        var cookie = new System.Web.HttpCookie("sessionID"); // $Alert // BAD: httpOnlyCookies is set to false by default
+        var cookie = new System.Web.HttpCookie("sessionID"); // $ Alert // BAD: httpOnlyCookies is set to false by default
     }
 
     void CookieDefaultForgery()
@@ -29,13 +29,13 @@ void CookieForgeryDirectFalse()
 
     void CookieDirectFalse()
     {
-        var cookie = new System.Web.HttpCookie("sessionID"); // $Alert 
+        var cookie = new System.Web.HttpCookie("sessionID"); // $ Alert
         cookie.HttpOnly = false; // BAD
     }
 
     void CookieDirectFalseInitializer()
     {
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = false };  // $Alert // BAD
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = false };  // $ Alert // BAD
     }
 
     void CookieIntermediateTrue()
@@ -53,14 +53,14 @@ void CookieIntermediateTrueInitializer()
 
     void CookieIntermediateFalse()
     {
-        var cookie = new System.Web.HttpCookie("sessionID"); // MISSING:Alert 
+        var cookie = new System.Web.HttpCookie("sessionID"); // MISSING:Alert
         bool v = false;
         cookie.HttpOnly = v; // BAD
     }
 
     void CookieIntermediateFalseInitializer()
     {
         bool v = false;
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v };  // $MISSING:Alert // BAD
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v };  // $ MISSING:Alert // BAD
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/NoPolicy/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/NoPolicy/Program.cs
@@ -2,12 +2,12 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
 {
     public void CookieDefault()
     {
-        Response.Cookies.Append("name", "value"); // $Alert // BAD: Secure is set to false by default
+        Response.Cookies.Append("name", "value"); // $ Alert // BAD: Secure is set to false by default
     }
 
     public void CookieDefault2()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert
         Response.Cookies.Append("name", "value", cookieOptions); // BAD: Secure is set to false by default
     }
 
@@ -32,14 +32,14 @@ void CookieDirectTrueInitializer()
 
     void CookieDirectFalse()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert
         cookieOptions.Secure = false;
         Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
     }
 
     void CookieDirectFalseInitializer()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = false }; // $Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = false }; // $ Alert
         Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
     }
 
@@ -60,7 +60,7 @@ void CookieIntermediateTrueInitializer()
 
     void CookieIntermediateFalse()
     {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $MISSING:Alert
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ MISSING:Alert
         bool v = false;
         cookieOptions.Secure = v;
         Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
@@ -69,7 +69,7 @@ void CookieIntermediateFalse()
     void CookieIntermediateFalseInitializer()
     {
         bool v = false;
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v }; // $MISSING:Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v }; // $ MISSING:Alert
         Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/Program.cs
@@ -2,7 +2,7 @@ class Program
 {
     void CookieDefault()
     {
-        var cookie = new System.Web.HttpCookie("cookieName"); // $Alert // BAD: requireSSL is set to false by default
+        var cookie = new System.Web.HttpCookie("cookieName"); // $ Alert // BAD: requireSSL is set to false by default
     }
 
     void CookieDirectTrue()
@@ -31,25 +31,25 @@ void CookieIntermediateTrueInitializer()
 
     void CookieDirectFalse()
     {
-        var cookie = new System.Web.HttpCookie("cookieName"); // $Alert 
+        var cookie = new System.Web.HttpCookie("cookieName"); // $ Alert
         cookie.Secure = false; // BAD
     }
 
     void CookieDirectFalseInitializer()
     {
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = false }; // $Alert // BAD
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = false }; // $ Alert // BAD
     }
 
         void CookieIntermediateFalse()
     {
-        var cookie = new System.Web.HttpCookie("cookieName"); // $MISSING:Alert
+        var cookie = new System.Web.HttpCookie("cookieName"); // $ MISSING:Alert
         bool v = false;
         cookie.Secure = v; // BAD, but not detected
     }
 
     void CookieIntermediateFalseInitializer()
     {
         bool v = false;
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // $MISSING:Alert // BAD, but not detected
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // $ MISSING:Alert // BAD, but not detected
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -2,12 +2,12 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller`
`2`	`2`	`{`
`3`	`3`	`public void CookieDefault()`
`4`	`4`	`{`
`5`		`- Response.Cookies.Append("auth", "value"); // $Alert // BAD: HttpOnly is set to false by default`
	`5`	`+ Response.Cookies.Append("auth", "value"); // $ Alert // BAD: HttpOnly is set to false by default`
`6`	`6`	`}`
`7`	`7`
`8`	`8`	`public void CookieDefault2()`
`9`	`9`	`{`
`10`		`- var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert`
	`10`	`+ var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert`
`11`	`11`	`Response.Cookies.Append("auth", "value", cookieOptions); // BAD: HttpOnly is set to false by default`
`12`	`12`	`}`
`13`	`13`
`@@ -39,14 +39,14 @@ void CookieDirectTrueInitializer()`
`39`	`39`
`40`	`40`	`void CookieDirectFalse()`
`41`	`41`	`{`
`42`		`- var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert`
	`42`	`+ var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert`
`43`	`43`	`cookieOptions.HttpOnly = false;`
`44`	`44`	`Response.Cookies.Append("auth", "secret", cookieOptions); // BAD`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`void CookieDirectFalseInitializer()`
`48`	`48`	`{`
`49`		`- var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = false }; // $Alert`
	`49`	`+ var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = false }; // $ Alert`
`50`	`50`	`Response.Cookies.Append("auth", "secret", cookieOptions); // BAD`
`51`	`51`	`}`
`52`	`52`
`@@ -67,7 +67,7 @@ void CookieIntermediateTrueInitializer()`
`67`	`67`
`68`	`68`	`void CookieIntermediateFalse()`
`69`	`69`	`{`
`70`		`- var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $MISSING:Alert`
	`70`	`+ var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ MISSING:Alert`
`71`	`71`	`bool v = false;`
`72`	`72`	`cookieOptions.HttpOnly = v;`
`73`	`73`	`Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected`
`@@ -76,7 +76,7 @@ void CookieIntermediateFalse()`
`76`	`76`	`void CookieIntermediateFalseInitializer()`
`77`	`77`	`{`
`78`	`78`	`bool v = false;`
`79`		`- var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v }; // $MISSING:Alert`
	`79`	`+ var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v }; // $ MISSING:Alert`
`80`	`80`	`Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected`
`81`	`81`	`}`
`82`	`82`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ void CookieDirectTrueInitializer()`
`13`	`13`
`14`	`14`	`void CookieDefault()`
`15`	`15`	`{`
`16`		`- var cookie = new System.Web.HttpCookie("sessionID"); // $Alert // BAD: httpOnlyCookies is set to false by default`
	`16`	`+ var cookie = new System.Web.HttpCookie("sessionID"); // $ Alert // BAD: httpOnlyCookies is set to false by default`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`void CookieDefaultForgery()`
`@@ -29,13 +29,13 @@ void CookieForgeryDirectFalse()`
`29`	`29`
`30`	`30`	`void CookieDirectFalse()`
`31`	`31`	`{`
`32`		`- var cookie = new System.Web.HttpCookie("sessionID"); // $Alert`
	`32`	`+ var cookie = new System.Web.HttpCookie("sessionID"); // $ Alert`
`33`	`33`	`cookie.HttpOnly = false; // BAD`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`void CookieDirectFalseInitializer()`
`37`	`37`	`{`
`38`		`- var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = false }; // $Alert // BAD`
	`38`	`+ var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = false }; // $ Alert // BAD`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`void CookieIntermediateTrue()`
`@@ -53,14 +53,14 @@ void CookieIntermediateTrueInitializer()`
`53`	`53`
`54`	`54`	`void CookieIntermediateFalse()`
`55`	`55`	`{`
`56`		`- var cookie = new System.Web.HttpCookie("sessionID"); // MISSING:Alert`
	`56`	`+ var cookie = new System.Web.HttpCookie("sessionID"); // MISSING:Alert`
`57`	`57`	`bool v = false;`
`58`	`58`	`cookie.HttpOnly = v; // BAD`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`void CookieIntermediateFalseInitializer()`
`62`	`62`	`{`
`63`	`63`	`bool v = false;`
`64`		`- var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // $MISSING:Alert // BAD`
	`64`	`+ var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // $ MISSING:Alert // BAD`
`65`	`65`	`}`
`66`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,12 +2,12 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller`
`2`	`2`	`{`
`3`	`3`	`public void CookieDefault()`
`4`	`4`	`{`
`5`		`- Response.Cookies.Append("name", "value"); // $Alert // BAD: Secure is set to false by default`
	`5`	`+ Response.Cookies.Append("name", "value"); // $ Alert // BAD: Secure is set to false by default`
`6`	`6`	`}`
`7`	`7`
`8`	`8`	`public void CookieDefault2()`
`9`	`9`	`{`
`10`		`- var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert`
	`10`	`+ var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert`
`11`	`11`	`Response.Cookies.Append("name", "value", cookieOptions); // BAD: Secure is set to false by default`
`12`	`12`	`}`
`13`	`13`
`@@ -32,14 +32,14 @@ void CookieDirectTrueInitializer()`
`32`	`32`
`33`	`33`	`void CookieDirectFalse()`
`34`	`34`	`{`
`35`		`- var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert`
	`35`	`+ var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert`
`36`	`36`	`cookieOptions.Secure = false;`
`37`	`37`	`Response.Cookies.Append("auth", "secret", cookieOptions); // BAD`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`void CookieDirectFalseInitializer()`
`41`	`41`	`{`
`42`		`- var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = false }; // $Alert`
	`42`	`+ var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = false }; // $ Alert`
`43`	`43`	`Response.Cookies.Append("auth", "secret", cookieOptions); // BAD`
`44`	`44`	`}`
`45`	`45`
`@@ -60,7 +60,7 @@ void CookieIntermediateTrueInitializer()`
`60`	`60`
`61`	`61`	`void CookieIntermediateFalse()`
`62`	`62`	`{`
`63`		`- var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $MISSING:Alert`
	`63`	`+ var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ MISSING:Alert`
`64`	`64`	`bool v = false;`
`65`	`65`	`cookieOptions.Secure = v;`
`66`	`66`	`Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected`
`@@ -69,7 +69,7 @@ void CookieIntermediateFalse()`
`69`	`69`	`void CookieIntermediateFalseInitializer()`
`70`	`70`	`{`
`71`	`71`	`bool v = false;`
`72`		`- var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v }; // $MISSING:Alert`
	`72`	`+ var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v }; // $ MISSING:Alert`
`73`	`73`	`Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected`
`74`	`74`	`}`
`75`	`75`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ class Program`
`2`	`2`	`{`
`3`	`3`	`void CookieDefault()`
`4`	`4`	`{`
`5`		`- var cookie = new System.Web.HttpCookie("cookieName"); // $Alert // BAD: requireSSL is set to false by default`
	`5`	`+ var cookie = new System.Web.HttpCookie("cookieName"); // $ Alert // BAD: requireSSL is set to false by default`
`6`	`6`	`}`
`7`	`7`
`8`	`8`	`void CookieDirectTrue()`
`@@ -31,25 +31,25 @@ void CookieIntermediateTrueInitializer()`
`31`	`31`
`32`	`32`	`void CookieDirectFalse()`
`33`	`33`	`{`
`34`		`- var cookie = new System.Web.HttpCookie("cookieName"); // $Alert`
	`34`	`+ var cookie = new System.Web.HttpCookie("cookieName"); // $ Alert`
`35`	`35`	`cookie.Secure = false; // BAD`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`void CookieDirectFalseInitializer()`
`39`	`39`	`{`
`40`		`- var cookie = new System.Web.HttpCookie("cookieName") { Secure = false }; // $Alert // BAD`
	`40`	`+ var cookie = new System.Web.HttpCookie("cookieName") { Secure = false }; // $ Alert // BAD`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`void CookieIntermediateFalse()`
`44`	`44`	`{`
`45`		`- var cookie = new System.Web.HttpCookie("cookieName"); // $MISSING:Alert`
	`45`	`+ var cookie = new System.Web.HttpCookie("cookieName"); // $ MISSING:Alert`
`46`	`46`	`bool v = false;`
`47`	`47`	`cookie.Secure = v; // BAD, but not detected`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`void CookieIntermediateFalseInitializer()`
`51`	`51`	`{`
`52`	`52`	`bool v = false;`
`53`		`- var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // $MISSING:Alert // BAD, but not detected`
	`53`	`+ var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // $ MISSING:Alert // BAD, but not detected`
`54`	`54`	`}`
`55`	`55`	`}`