python: fix bug, add clarifying comment

yoff · yoff · commit 5fe62e293acb · 2023-01-09T17:45:50.000+01:00
diff --git a/python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql b/python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql
@@ -107,10 +107,13 @@ class Configuration extends TaintTracking::Configuration {
       nodeTo = call
     )
     or
+    // To handle the case of `with closing(tarfile.open()) as file:`
+    // we add a step from the first argument of `closing` to the call to `closing`,
+    // whenever that first argument is a return of `tarfile.open()`.
     exists(API::CallNode closing |
       closing = API::moduleImport("contextlib").getMember("closing").getACall() and
       nodeFrom = closing.getArg(0) and
-      nodeFrom = tarfileOpen().getReturn().getAValueReachingSink() and
+      nodeFrom = tarfileOpen().getReturn().getAValueReachableFromSource() and
       nodeTo = closing
     )
   }

Original file line number	Diff line number	Diff line change
`@@ -107,10 +107,13 @@ class Configuration extends TaintTracking::Configuration {`
`107`	`107`	`nodeTo = call`
`108`	`108`	`)`
`109`	`109`	`or`
	`110`	+ // To handle the case of `with closing(tarfile.open()) as file:`
	`111`	+ // we add a step from the first argument of `closing` to the call to `closing`,
	`112`	+ // whenever that first argument is a return of `tarfile.open()`.
`110`	`113`	`exists(API::CallNode closing \|`
`111`	`114`	`closing = API::moduleImport("contextlib").getMember("closing").getACall() and`
`112`	`115`	`nodeFrom = closing.getArg(0) and`
`113`		`- nodeFrom = tarfileOpen().getReturn().getAValueReachingSink() and`
	`116`	`+ nodeFrom = tarfileOpen().getReturn().getAValueReachableFromSource() and`
`114`	`117`	`nodeTo = closing`
`115`	`118`	`)`
`116`	`119`	`}`