Copying the response data to the archive

Sim4n6 · Sim4n6 · commit eff132512c3b · 2022-12-10T08:15:42.000+01:00
diff --git a/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql b/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql
@@ -53,15 +53,24 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
         nodeTo = is.(CallCfgNode).getArg(0)
       )
       or
+      // Copying the response data to the archive
+      exists(Stdlib::FileLikeObject::InstanceSource is, Node f, MethodCallNode mc |
+        is.flowsTo(f) and
+        mc = API::moduleImport("shutil").getMember("copyfileobj").getACall() and
+        f = mc.getArg(1) and 
+        nodeFrom = mc.getArg(0) and
+        nodeTo = is.(CallCfgNode).getArg(0)
+      )
+      or
       // Reading the response
       exists(MethodCallNode mc |
         nodeFrom = mc.getObject() and
         mc.getMethodName() = "read" and
         mc.flowsTo(nodeTo)
       )
       or
-      // Accessing the name
-      exists(AttrRead ar | ar.accesses(nodeFrom, "name") and nodeTo = ar)
+      // Accessing the name or raw content
+      exists(AttrRead ar | ar.accesses(nodeFrom, ["name","raw"]) and nodeTo = ar)
       or
       // Considering the use of closing()
       exists(API::Node closing |
