Python: Make sure that expected values with tag mimetype is wrapped in quotes if the value contains a space.

Author: MathiasVP

python/ql/test/experimental/library-tests/frameworks/django-v1/ConceptsTest.expected

@@ -1,8 +0,0 @@
-| response_test.py:21:12:21:56 | ControlFlowNode for HttpResponseRedirect() | Unexpected result: mimetype=text/html; charset=utf-8 |
-| response_test.py:21:59:21:132 | Comment # $HttpResponse mimetype=text/html; charset=utf-8 responseBody=Attribute() | Missing result:mimetype=text/html; |
-| response_test.py:25:12:25:56 | ControlFlowNode for HttpResponseNotFound() | Unexpected result: mimetype=text/html; charset=utf-8 |
-| response_test.py:25:59:25:132 | Comment # $HttpResponse mimetype=text/html; charset=utf-8 responseBody=Attribute() | Missing result:mimetype=text/html; |
-| response_test.py:32:16:32:29 | ControlFlowNode for HttpResponse() | Unexpected result: mimetype=text/html; charset=utf-8 |
-| response_test.py:32:32:32:80 | Comment # $HttpResponse mimetype=text/html; charset=utf-8 | Missing result:mimetype=text/html; |
-| response_test.py:33:5:33:43 | ControlFlowNode for Attribute() | Unexpected result: mimetype=text/html; charset=utf-8 |
-| response_test.py:33:46:33:119 | Comment # $HttpResponse mimetype=text/html; charset=utf-8 responseBody=Attribute() | Missing result:mimetype=text/html; |

python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py

@@ -18,19 +18,19 @@ def safe__manual_content_type(request):
 # XSS FP reported in https://github.com/github/codeql/issues/3466
 # Note: This should be an open-redirect sink, but not an XSS sink.
 def or__redirect(request):
-    return HttpResponseRedirect(request.GET.get("next"))  # $HttpResponse mimetype=text/html; charset=utf-8 responseBody=Attribute()
+    return HttpResponseRedirect(request.GET.get("next"))  # $HttpResponse mimetype="text/html; charset=utf-8" responseBody=Attribute()
 
 # Ensure that simple subclasses are still vuln to XSS
 def xss__not_found(request):
-    return HttpResponseNotFound(request.GET.get("name"))  # $HttpResponse mimetype=text/html; charset=utf-8 responseBody=Attribute()
+    return HttpResponseNotFound(request.GET.get("name"))  # $HttpResponse mimetype="text/html; charset=utf-8" responseBody=Attribute()
 
 # Ensure we still have an XSS sink when manually setting the content_type to HTML
 def xss__manual_response_type(request):
     return HttpResponse(request.GET.get("name"), content_type="text/html; charset=utf-8")  # $HttpResponse mimetype=text/html responseBody=Attribute()
 
 def xss__write(request):
-    response = HttpResponse()  # $HttpResponse mimetype=text/html; charset=utf-8
-    response.write(request.GET.get("name"))  # $HttpResponse mimetype=text/html; charset=utf-8 responseBody=Attribute()
+    response = HttpResponse()  # $HttpResponse mimetype="text/html; charset=utf-8"
+    response.write(request.GET.get("name"))  # $HttpResponse mimetype="text/html; charset=utf-8" responseBody=Attribute()
 
 # This is safe but probably a bug if the argument to `write` is not a result of `json.dumps` or similar.
 def safe__write_json(request):

python/ql/test/experimental/meta/ConceptsTest.qll

@@ -178,7 +178,14 @@ class HttpServerHttpResponseTest extends InlineExpectationsTest {
       exists(HTTP::Server::HttpResponse response |
         location = response.getLocation() and
         element = response.toString() and
-        value = response.getMimetype() and
+        // Ensure that an expectation value such as "mimetype=text/html; charset=utf-8" is parsed as a
+        // single expectation with tag mimetype, and not as two expecations with tags mimetype and
+        // charset.
+        (
+          if exists(response.getMimetype().indexOf(" "))
+          then value = "\"" + response.getMimetype() + "\""
+          else value = response.getMimetype()
+        ) and
         tag = "mimetype"
       )
     )