Restrict download_file() to boto3 lib

Sim4n6 · Sim4n6 · commit 22af6f518272 · 2023-01-25T23:00:00.000+01:00
diff --git a/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql b/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql
@@ -36,8 +36,14 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
       source.(AttrRead).accesses(o, any(string s))
     )
     or
-    // A source catching a S3 filename download
-    exists(API::Node s3 | source = s3.getMember("download_file").getACall().getArg(2))
+    // A source catching an S3 filename download
+    // see boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.download_file
+    exists(MethodCallNode mcn, Node s3, Node bc |
+      bc = API::moduleImport("boto3").getMember("client").getACall() and
+      bc = s3.getALocalSource() and
+      mcn.calls(s3, "download_file") and
+      source = mcn.getArg(2)
+    )
     or
     // A source download a file using wget
     exists(MethodCallNode mcn |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022/UnsafeUnpack.py b/python/ql/test/experimental/query-tests/Security/CWE-022/UnsafeUnpack.py
@@ -54,3 +54,17 @@
     if unpack_path:
         shutil.unpack_archive(to_path, unpack_path) # $result=BAD
         to_path = unpack_path
+
+
+# A source catching an S3 filename download
+# see boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.download_file
+import boto3
+
+remote_ziped_name = "remote_name.tar.gz"
+base_dir = "/tmp/basedir"
+local_ziped_path = os.path.join(base_dir, remote_ziped_name)
+bucket_name = "mybucket"
+
+s3 = boto3.client('s3')
+s3.download_file(bucket_name, remote_ziped_name, local_ziped_path)
+shutil.unpack_archive(local_ziped_path, base_dir) # $result=BAD
