Restrict download_file() to boto3 lib

python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql

@@ -36,8 +36,14 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
       source.(AttrRead).accesses(o, any(string s))
     )
     or
-    // A source catching a S3 filename download
-    exists(API::Node s3 | source = s3.getMember("download_file").getACall().getArg(2))
+    // A source catching an S3 filename download
+    // see boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.download_file
+    exists(MethodCallNode mcn, Node s3, Node bc |
+      bc = API::moduleImport("boto3").getMember("client").getACall() and
+      bc = s3.getALocalSource() and
+      mcn.calls(s3, "download_file") and
+      source = mcn.getArg(2)
+    )
     or
     // A source download a file using wget
     exists(MethodCallNode mcn |