Skip to content

py/tarslip: detect shutil.unpack_archive and subprocess tar extraction #21720

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
Copilot wants to merge 5 commits into
base: main
Choose a base branch
from
+59 −0
Draft

py/tarslip: detect shutil.unpack_archive and subprocess tar extraction #21720

Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c1ecca3
Initial plan
Copilot Apr 16, 2026
88b36c4
Add shutil.unpack_archive and subprocess tar extraction as TarSlip so…
Copilot Apr 16, 2026
8efaa5d
Fix imprecise patterns in isSubprocessTarExtraction predicate
Copilot Apr 16, 2026
6d03548
Improve clarity of subprocess tar extraction detection patterns
Copilot Apr 16, 2026
5084883
Address reviewer feedback: fix sink modeling for shutil and subprocess
Copilot Apr 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Fix imprecise patterns in isSubprocessTarExtraction predicate 
Use regexpMatch instead of matches to avoid false positives:
- Command name: regexpMatch(\"(.*/)?tar\") to match only \"tar\" or paths ending in \"/tar\"
- Extraction flag: regexpMatch(\"-[a-zA-Z]*x[a-zA-Z]*\") to match only single-dash flags containing x

Agent-Logs-Url: https://github.com/github/codeql/sessions/f31a3622-9b18-415f-85f1-62ec14a8319f

Co-authored-by: hvitved <3667920+hvitved@users.noreply.github.com>
  • Loading branch information
@hvitved
Copilot and hvitved authored Apr 16, 2026
commit 8efaa5daf154e9d50269f2eddd0d70d226601e7c
9 changes: 5 additions & 4 deletions python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -169,12 +169,13 @@ module TarSlip {
.getMember(["run", "call", "check_call", "check_output", "Popen"])
.getACall() and
cmdList = call.getArg(0).asCfgNode() and
// Command must be "tar" (possibly with a full path like "/usr/bin/tar")
cmdList.getElement(0).getNode().(StringLiteral).getText().matches("%tar") and
// At least one extraction-related flag must be present
// Command must be "tar" or a full path ending in "/tar" (e.g. "/usr/bin/tar")
cmdList.getElement(0).getNode().(StringLiteral).getText().regexpMatch("(.*/)?tar") and
// At least one extraction-related flag must be present:
// single-dash flags containing 'x' (like -x, -xf, -xvf) or the long option --extract
exists(string flag |
flag = cmdList.getElement(_).getNode().(StringLiteral).getText() and
(flag.matches("%-x%") or flag = "--extract")
(flag.regexpMatch("-[a-zA-Z]*x[a-zA-Z]*") or flag = "--extract")
) and
// At least one non-literal argument (the archive filename)
exists(int i |
Expand Down