Optimize the Argparse filename as a source.

python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql

@@ -28,12 +28,17 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
     // A source coming from a remote location
     exists(Http::Client::Request request | source = request)
     or
-    //A source coming from a CLI argparse module
-    exists(Node o, API::Node ap, MethodCallNode args |
-      ap = API::moduleImport("argparse").getMember("ArgumentParser").getACall().getReturn() and
-      args = ap.getMember("parse_args").getACall() and
-      args.flowsTo(o) and
-      source.(AttrRead).accesses(o, any(string s))
+    // A source coming from a CLI argparse module
+    // see argparse: https://docs.python.org/3/library/argparse.html
+    exists(MethodCallNode args |
+      args = source.(AttrRead).getObject().getALocalSource() and
+      args =
+        API::moduleImport("argparse")
+            .getMember("ArgumentParser")
+            .getACall()
+            .getReturn()
+            .getMember("parse_args")
+            .getACall()
     )
     or
     // A source catching an S3 filename download

python/ql/test/experimental/query-tests/Security/CWE-022/UnsafeUnpack.py

@@ -87,3 +87,17 @@ shutil.unpack_archive(compressed_file, base_dir) # $result=BAD
 # download(url) returns filename
 compressed_file = wget.download(url)
 shutil.unpack_archive(compressed_file, base_dir) # $result=BAD
+
+
+# A source coming from a CLI argparse module
+# see argparse: https://docs.python.org/3/library/argparse.html
+import argparse
+
+parser = argparse.ArgumentParser(description='Process some integers.')
+parser.add_argument('integers', metavar='N', type=int, nargs='+',
+                    help='an integer for the accumulator')
+parser.add_argument('filename', help='filename to be provided')
+
+args = parser.parse_args()
+compressed_file = args.filename
+shutil.unpack_archive(compressed_file, base_dir) # $result=BAD