Fix imprecise patterns in isSubprocessTarExtraction predicate

Use regexpMatch instead of matches to avoid false positives: - Command name: regexpMatch(\"(.*/)?tar\") to match only \"tar\" or paths ending in \"/tar\" - Extraction flag: regexpMatch(\"-[a-zA-Z]*x[a-zA-Z]*\") to match only single-dash flags containing x Agent-Logs-Url: https://github.com/github/codeql/sessions/f31a3622-9b18-415f-85f1-62ec14a8319f Co-authored-by: hvitved <3667920+hvitved@users.noreply.github.com>
2026-05-14 11:19:27 +02:00 · 2026-04-16 08:38:54 +00:00
parent 88b36c44df
commit 8efaa5daf1
1 changed files with 5 additions and 4 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll
@@ -169,12 +169,13 @@ module TarSlip {
            .getMember(["run", "call", "check_call", "check_output", "Popen"])
            .getACall() and
      cmdList = call.getArg(0).asCfgNode() and
-      // Command must be "tar" (possibly with a full path like "/usr/bin/tar")
-      cmdList.getElement(0).getNode().(StringLiteral).getText().matches("%tar") and
-      // At least one extraction-related flag must be present
+      // Command must be "tar" or a full path ending in "/tar" (e.g. "/usr/bin/tar")
+      cmdList.getElement(0).getNode().(StringLiteral).getText().regexpMatch("(.*/)?tar") and
+      // At least one extraction-related flag must be present:
+      // single-dash flags containing 'x' (like -x, -xf, -xvf) or the long option --extract
      exists(string flag |
        flag = cmdList.getElement(_).getNode().(StringLiteral).getText() and
-        (flag.matches("%-x%") or flag = "--extract")
+        (flag.regexpMatch("-[a-zA-Z]*x[a-zA-Z]*") or flag = "--extract")
      ) and
      // At least one non-literal argument (the archive filename)
      exists(int i |