Restrict download_file() to boto3 lib

python/ql/test/experimental/query-tests/Security/CWE-022/UnsafeUnpack.py

@@ -54,3 +54,17 @@ with tempfile.TemporaryDirectory() as temp_dir:
     if unpack_path:
         shutil.unpack_archive(to_path, unpack_path) # $result=BAD
         to_path = unpack_path
+
+
+# A source catching an S3 filename download
+# see boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.download_file
+import boto3
+
+remote_ziped_name = "remote_name.tar.gz"
+base_dir = "/tmp/basedir"
+local_ziped_path = os.path.join(base_dir, remote_ziped_name)
+bucket_name = "mybucket"
+
+s3 = boto3.client('s3')
+s3.download_file(bucket_name, remote_ziped_name, local_ziped_path)
+shutil.unpack_archive(local_ziped_path, base_dir) # $result=BAD