Add an S3 source with Session or download_fileobj

2026-05-03 20:58:03 +02:00 · 2023-01-30 00:49:23 +01:00
parent 0707064ab5
commit 7079def7ce
1 changed files with 14 additions and 2 deletions
--- a/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
+++ b/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
@@ -29,13 +29,25 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
            .getACall()
    )
    or
-    // A source catching an S3 filename download
+    // A source catching an S3 file download
    // see boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.download_file
    source =
      API::moduleImport("boto3")
          .getMember("client")
          .getReturn()
-          .getMember("download_file")
+          .getMember(["download_file", "download_fileobj"])
+          .getACall()
+          .getArg(2)
+    or
+    // A source catching an S3 file download
+    // see boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/core/session.html
+    source =
+      API::moduleImport("boto3")
+          .getMember("Session")
+          .getReturn()
+          .getMember("client")
+          .getReturn()
+          .getMember(["download_file", "download_fileobj"])
          .getACall()
          .getArg(2)
    or