11/**
2- * @name Arbitrary file write during a remotely downloaded tarball extraction
3- * @description Extracting files from a malicious tarball using `shutil.unpack_archive()` without validating
2+ * @name Arbitrary file write during a tarball extraction from user controlled source
3+ * @description Extracting files from a potentially malicious tarball using `shutil.unpack_archive()` without validating
44 * that the destination file path is within the destination directory can cause files outside
5- * the destination directory to be overwritten. More precisely, if the tarball comes from a remote location.
5+ * the destination directory to be overwritten. More precisely, if the tarball comes from a user controlled
6+ * location either a remote one or cli argument.
67 * @kind path-problem
78 * @id py/unsafe-unpacking
89 * @problem.severity error
@@ -26,6 +27,14 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
2627 override predicate isSource ( DataFlow:: Node source ) {
2728 // A source coming from a remote location
2829 exists ( Http:: Client:: Request request | source = request )
30+ or
31+ // A source coming from a CLI argparse module
32+ exists ( Node o , API:: Node ap , MethodCallNode args |
33+ ap = API:: moduleImport ( "argparse" ) .getMember ( "ArgumentParser" ) .getACall ( ) .getReturn ( ) and
34+ args = ap .getMember ( "parse_args" ) .getACall ( ) and
35+ args .flowsTo ( o ) and
36+ source .( AttrRead ) .accesses ( o , any ( string s ) )
37+ )
2938 }
3039
3140 override predicate isSink ( DataFlow:: Node sink ) {
@@ -54,7 +63,7 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
5463 // Accessing the name
5564 exists ( AttrRead ar | ar .accesses ( nodeFrom , "name" ) and nodeTo = ar )
5665 or
57- // Considering closing use
66+ // Considering the use of closing()
5867 exists ( API:: Node closing |
5968 closing = API:: moduleImport ( "contextlib" ) .getMember ( "closing" ) and
6069 closing .getACall ( ) .flowsTo ( nodeTo ) and
0 commit comments