Put back the annotation result=BAD

Sim4n6 · Sim4n6 · commit 518684b73685 · 2023-02-12T21:26:12.000+01:00
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/UnsafeUnpack.py b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/UnsafeUnpack.py
@@ -16,7 +16,7 @@ def download_from_url():
             with open(tarpath, "wb") as f:
                   f.write(response.raw.read())
             untarredpath = "/tmp/tmp123"
-            shutil.unpack_archive(tarpath, untarredpath) 
+            shutil.unpack_archive(tarpath, untarredpath)  # $result=BAD
         
 
 # A source catching an S3 filename download
@@ -31,7 +31,7 @@ def download_from_url():
 
 s3 = boto3.client('s3')
 s3.download_file(bucket_name, remote_ziped_name, local_ziped_path)
-shutil.unpack_archive(local_ziped_path, base_dir) 
+shutil.unpack_archive(local_ziped_path, base_dir)  # $result=BAD
 
 
 # wget
@@ -45,11 +45,11 @@ def download_from_url():
 
 # download(url, out, bar) contains out parameter
 wget.download(url, compressed_file)
-shutil.unpack_archive(compressed_file, base_dir) 
+shutil.unpack_archive(compressed_file, base_dir) # $result=BAD
 
 # download(url) returns filename
 compressed_file = wget.download(url)
-shutil.unpack_archive(compressed_file, base_dir) 
+shutil.unpack_archive(compressed_file, base_dir) # $result=BAD
 
 
 # A source coming from a CLI argparse module
@@ -63,7 +63,7 @@ def download_from_url():
 
 args = parser.parse_args()
 compressed_file = args.filename
-shutil.unpack_archive(compressed_file, base_dir) 
+shutil.unpack_archive(compressed_file, base_dir) # $result=BAD
 
 
 # A source coming from a CLI and downloaded
@@ -84,7 +84,7 @@ def download_from_url():
 with open(tarpath, "wb") as f:
       f.write(response.raw.read())
       
-shutil.unpack_archive(tarpath, base_dir) 
+shutil.unpack_archive(tarpath, base_dir) # $result=BAD
 
 # the django upload functionality
 # see HttpRequest.FILES: https://docs.djangoproject.com/en/4.1/ref/request-response/#django.http.HttpRequest.FILES
@@ -102,22 +102,22 @@ def simple_upload(request):
             with open(savepath, 'wb+') as wfile:
                   for chunk in request.FILES["ufile1"].chunks():
                         wfile.write(chunk)
-            shutil.unpack_archive(savepath, base_dir) 
+            shutil.unpack_archive(savepath, base_dir) # $result=BAD
 
             # Write in binary the uploaded tarball
             myfile = request.FILES.get("ufile1")
             file_path = os.path.join(base_dir, "tarball.tar")
             with file_path.open('wb') as f:
                   f.write(myfile.read())
-            shutil.unpack_archive(file_path, base_dir) 
+            shutil.unpack_archive(file_path, base_dir) # $result=BAD
 
             # Save uploaded files using FileSystemStorage Django API
             # see FileSystemStorage: https://docs.djangoproject.com/en/4.1/ref/files/storage/#django.core.files.storage.FileSystemStorage
             for ufile in  request.FILES.getlist():
                   fs = FileSystemStorage()
                   filename = fs.save(ufile.name, ufile)
                   uploaded_file_path = fs.path(filename)
-                  shutil.unpack_archive(uploaded_file_path, base_dir) 
+                  shutil.unpack_archive(uploaded_file_path, base_dir) # $result=BAD
             
             return render(request, 'simple_upload.html')
 
@@ -139,7 +139,7 @@ def simple_upload(request):
 args = parser.parse_args()
 unsafe_filename_tar = args.filename
 with tarfile.TarFile(unsafe_filename_tar, mode="r") as tar:
-    tar.extractall(path="/tmp/unpack/", members=tar) 
+    tar.extractall(path="/tmp/unpack/", members=tar) # $result=BAD
 tar = tarfile.open(unsafe_filename_tar)   
 
 
@@ -164,7 +164,7 @@ def simple_upload(request):
                       if member.issym():  
                           raise ValueError("But it is a symlink")       
                       result.append(member)     
-                  tar.extractall(path=tempfile.mkdtemp(), members=result)    
+                  tar.extractall(path=tempfile.mkdtemp(), members=result) # $result=BAD   
                   tar.close()
 
 
@@ -173,7 +173,7 @@ def simple_upload(request):
 with open(tarpath, "wb") as f:
       f.write(response.raw.read())
 target_dir = "/tmp/unpack"
-tarfile.TarFile(tarpath, mode="r").extractall(path=target_dir) 
+tarfile.TarFile(tarpath, mode="r").extractall(path=target_dir) # $result=BAD
 
 
 from pathlib import Path
@@ -198,4 +198,4 @@ def default_session() -> boto3.Session:
           target = cache_dir
       else:
           target = Path(tempfile.mkdtemp())
-      shutil.unpack_archive(tmp.name, target) 
+      shutil.unpack_archive(tmp.name, target) # $result=BAD
