From 8efaa5daf154e9d50269f2eddd0d70d226601e7c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 16 Apr 2026 08:38:54 +0000
Subject: [PATCH] Fix imprecise patterns in isSubprocessTarExtraction predicate

Use regexpMatch instead of matches to avoid false positives:
- Command name: regexpMatch(\"(.*/)?tar\") to match only \"tar\" or paths ending in \"/tar\"
- Extraction flag: regexpMatch(\"-[a-zA-Z]*x[a-zA-Z]*\") to match only single-dash flags containing x
Agent-Logs-Url: https://github.com/github/codeql/sessions/f31a3622-9b18-415f-85f1-62ec14a8319f
Co-authored-by: hvitved <3667920+hvitved@users.noreply.github.com>
---
 .../python/security/dataflow/TarSlipCustomizations.qll | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll
index 4a0068990dc..29c801a7439 100644
--- a/python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll
@@ -169,12 +169,13 @@ module TarSlip {
 .getMember(["run", "call", "check_call", "check_output", "Popen"])
 .getACall() and
 cmdList = call.getArg(0).asCfgNode() and
-// Command must be "tar" (possibly with a full path like "/usr/bin/tar")
-cmdList.getElement(0).getNode().(StringLiteral).getText().matches("%tar") and
-// At least one extraction-related flag must be present
+// Command must be "tar" or a full path ending in "/tar" (e.g. "/usr/bin/tar")
+cmdList.getElement(0).getNode().(StringLiteral).getText().regexpMatch("(.*/)?tar") and
+// At least one extraction-related flag must be present:
+// single-dash flags containing 'x' (like -x, -xf, -xvf) or the long option --extract
 exists(string flag |
 flag = cmdList.getElement(_).getNode().(StringLiteral).getText() and
-(flag.matches("%-x%") or flag = "--extract")
+(flag.regexpMatch("-[a-zA-Z]*x[a-zA-Z]*") or flag = "--extract")
 ) and
 // At least one non-literal argument (the archive filename)
 exists(int i |
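Review bot: The new command pattern `regexpMatch("(.*/)?tar")` no longer matches `gtar` or `bsdtar`, which the removed `matches("%tar")` did, so extraction calls through those common tar binaries become false negatives for this sink; `"(.*/)?(bsd|g)?tar"` keeps the tightened anchoring without losing them. The flag pattern `-[a-zA-Z]*x[a-zA-Z]*` likewise skips tar's traditional dash-less option cluster (`["tar", "xf", archive]`) and the `--get` alias of `--extract`; the old `%-x%` pattern missed the dash-less form too, so that gap is pre-existing, but the alias is cheap to add as `flag = ["--extract", "--get"]`. If the dash-less form is handled, it should be restricted to `cmdList.getElement(1)` rather than any element, since otherwise a literal archive name such as `"extra"` would satisfy a dash-optional pattern and reintroduce the false positives this commit removes. The enclosing predicate starts before this hunk and its remaining conjuncts continue after it.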