Autoformat and fix qhelp

Author: smowton

…erimental/Security/CWE/CWE-208/Test.java …E/CWE-208/TimingAttackAgainstHeader.javajava/ql/src/experimental/Security/CWE/CWE-208/Test.java renamed to java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.java java/ql/src/experimental/Security/CWE/CWE-208/Test.java renamed to java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.java

@@ -22,7 +22,7 @@ and does not depend on the contents of the arrays.
 The following example uses <code>String.equals()</code> method for validating a csrf token.
 This method implements a non-constant-time algorithm. The example also demonstrates validation using a safe constant-time algorithm.
 </p>
-<sample src="ComparingValueOfSensetiveHeader.java" />
+<sample src="TimingAttackAgainstHeader.java" />
 </example>
 </qhelp>
 

java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.qhelp

@@ -10,7 +10,6 @@
  *       external/cwe/cwe-208
  */
 
-
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
@@ -28,29 +27,26 @@ private class NonConstantTimeComparisonCall extends StaticMethodAccess {
 /** Methods that use a non-constant-time algorithm for comparing inputs. */
 private class NonConstantTimeEqualsCall extends MethodAccess {
   NonConstantTimeEqualsCall() {
-    this.getMethod().hasQualifiedName("java.lang", "String", ["equals", "contentEquals", "equalsIgnoreCase"])
+    this.getMethod()
+        .hasQualifiedName("java.lang", "String", ["equals", "contentEquals", "equalsIgnoreCase"])
   }
 }
 
 private predicate isNonConstantEqualsCallArgument(Expr e) {
-  exists(NonConstantTimeEqualsCall call |
-    e = [call.getQualifier(), call.getArgument(0)]
-  )
+  exists(NonConstantTimeEqualsCall call | e = [call.getQualifier(), call.getArgument(0)])
 }
 
 private predicate isNonConstantComparisonCallArgument(Expr p) {
-   exists(NonConstantTimeComparisonCall call |
-     p = [call.getArgument(0), call.getArgument(1)]
-   )
+  exists(NonConstantTimeComparisonCall call | p = [call.getArgument(0), call.getArgument(1)])
 }
 
 class ClientSuppliedIpTokenCheck extends DataFlow::Node {
   ClientSuppliedIpTokenCheck() {
     exists(MethodAccess ma |
       ma.getMethod().hasName("getHeader") and
       ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-          "x-auth-token", "x-csrf-token", "http_x_csrf_token", "x-csrf-param", "x-csrf-header", 
-           "http_x_csrf_token", "x-api-key", "authorization", "proxy-authorization"
+          "x-auth-token", "x-csrf-token", "http_x_csrf_token", "x-csrf-param", "x-csrf-header",
+          "http_x_csrf_token", "x-api-key", "authorization", "proxy-authorization"
         ] and
       ma = this.asExpr()
     )
@@ -60,14 +56,17 @@ class ClientSuppliedIpTokenCheck extends DataFlow::Node {
 class NonConstantTimeComparisonConfig extends TaintTracking::Configuration {
   NonConstantTimeComparisonConfig() { this = "NonConstantTimeComparisonConfig" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedIpTokenCheck }
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof ClientSuppliedIpTokenCheck
+  }
 
-  override predicate isSink(DataFlow::Node sink) {   
-    isNonConstantEqualsCallArgument(sink.asExpr()) or 
+  override predicate isSink(DataFlow::Node sink) {
+    isNonConstantEqualsCallArgument(sink.asExpr()) or
     isNonConstantComparisonCallArgument(sink.asExpr())
   }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeComparisonConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Possible timing attack against $@ validation.", source.getNode()
+select sink.getNode(), source, sink, "Possible timing attack against $@ validation.",
+  source.getNode()