Restrain the source and add two steps.

Sim4n6 · Sim4n6 · commit 1a211485a47c · 2023-01-26T17:07:59.000+01:00
diff --git a/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpackQuery.qll b/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpackQuery.qll
@@ -50,17 +50,9 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
       )
     )
     or
-    // catch the uploaded files as a source
-    exists(Subscript s, Attribute at |
-      at = s.getObject() and at.getAttr() = "FILES" and source.asExpr() = s
-    )
-    or
-    // Retrieve Django uploaded files
+    // catch the Django uploaded files as a source
     // see HttpRequest.FILES: https://docs.djangoproject.com/en/4.1/ref/request-response/#django.http.HttpRequest.FILES
-    exists(Node obj, AttrRead ar |
-      ar.getAMethodCall(["getlist", "get"]).flowsTo(source) and
-      ar.accesses(obj, "FILES")
-    )
+    source.(AttrRead).getAttributeName() = "FILES"
   }
 
   override predicate isSink(DataFlow::Node sink) {
@@ -107,6 +99,12 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
       nodeFrom = cn.getArg(0)
     )
     or
+    // Retrieve Django uploaded files
+    // see HttpRequest.FILES.getlist(): https://docs.djangoproject.com/en/4.1/ref/request-response/#django.http.QueryDict.getlist
+    exists(MethodCallNode mc |
+      nodeFrom = mc.getObject() and mc.getMethodName() = ["getlist", "get"] and nodeTo = mc
+    )
+    or
     // Accessing the name or raw content
     exists(AttrRead ar | ar.accesses(nodeFrom, ["name", "raw"]) and ar.flowsTo(nodeTo))
     or
