Restrict download_file() to boto3 lib

2025-12-21 19:26:31 +01:00 · 2023-01-25 23:00:00 +01:00
parent 2d38993075
commit 22af6f5182
2 changed files with 22 additions and 2 deletions
--- a/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql
+++ b/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql
@@ -36,8 +36,14 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
      source.(AttrRead).accesses(o, any(string s))
    )
    or
-    // A source catching a S3 filename download
-    exists(API::Node s3 | source = s3.getMember("download_file").getACall().getArg(2))
+    // A source catching an S3 filename download
+    // see boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.download_file
+    exists(MethodCallNode mcn, Node s3, Node bc |
+      bc = API::moduleImport("boto3").getMember("client").getACall() and
+      bc = s3.getALocalSource() and
+      mcn.calls(s3, "download_file") and
+      source = mcn.getArg(2)
+    )
    or
    // A source download a file using wget
    exists(MethodCallNode mcn |
--- a/python/ql/test/experimental/query-tests/Security/CWE-022/UnsafeUnpack.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022/UnsafeUnpack.py
@@ -54,3 +54,17 @@ with tempfile.TemporaryDirectory() as temp_dir:
    if unpack_path:
        shutil.unpack_archive(to_path, unpack_path) # $result=BAD
        to_path = unpack_path
+
+
+# A source catching an S3 filename download
+# see boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.download_file
+import boto3
+
+remote_ziped_name = "remote_name.tar.gz"
+base_dir = "/tmp/basedir"
+local_ziped_path = os.path.join(base_dir, remote_ziped_name)
+bucket_name = "mybucket"
+
+s3 = boto3.client('s3')
+s3.download_file(bucket_name, remote_ziped_name, local_ziped_path)
+shutil.unpack_archive(local_ziped_path, base_dir) # $result=BAD