The rule currently misses standard library functions and patterns that perform archive extraction, such as shutil.unpack_archive and system tar commands invoked via subprocess.
https://github.com/positive666/yolo_research/blob/f5795f27a56ca4dbe4c182e12f61309a52e23967/utils/downloads.py#L173
https://github.com/JohnClema/xffl/blob/a920300239a82a85a87d0bf25735762844ee8e9d/aggregator/aggregation.py#L9
Here is a minimal, simplified code example to reproduce:
```python
import tarfile, sys, shutil, zipfile, subprocess

# Attacker-controlled archive path (e.g. a downloaded file); deliberately unsanitised
unsafe_filename = sys.argv[1]

tar = tarfile.open(unsafe_filename)
tar.extractall()  # detected: direct tarfile.extractall() on untrusted input

# 1. shutil: same extraction, dispatched through shutil's registered unpackers
shutil.unpack_archive(unsafe_filename, "out")  # not detected

# 2. subprocess: extraction delegated to the system tar binary
subprocess.run(["tar", "-xf", unsafe_filename])  # not detected
```
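For reference, the following is an added example (not code from this report or from the two linked projects) of what the missed call sites should be held to: a member-path check that refuses any tar or zip entry that would resolve outside the destination directory, plus refusing links and special files before extracting at all. It builds its own sample archives in a temporary directory (a benign tar and tar/zip files carrying a constructed `../evil.txt` member) so it runs offline; the helper names `escaping_members`, `safe_extract`, `build_demo_archives` and `run_demo` are this example's own, not a stdlib API. Where the running interpreter provides `tarfile.data_filter` (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4), the extraction additionally passes `filter="data"`.

```python
import io
import os
import tarfile
import tempfile
import zipfile


def _inside(dest: str, name: str) -> bool:
    """True if member path `name` still resolves inside `dest` after normalisation."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def _members(archive_path: str):
    """Yield (name, is_plain) per member; is_plain is False for tar links/devices/fifos."""
    if tarfile.is_tarfile(archive_path):
        with tarfile.open(archive_path) as tar:
            for m in tar.getmembers():
                yield m.name, (m.isfile() or m.isdir())
    elif zipfile.is_zipfile(archive_path):
        with zipfile.ZipFile(archive_path) as zf:
            for zi in zf.infolist():
                yield zi.filename, True
    else:
        raise ValueError(f"not a tar or zip archive: {archive_path}")


def escaping_members(archive_path: str, dest: str) -> list:
    """Names of members that would land outside dest (absolute paths or '..' traversal)."""
    return [name for name, _ in _members(archive_path)
            if name.startswith(("/", "\\")) or not _inside(dest, name)]


def safe_extract(archive_path: str, dest: str) -> list:
    """Extract only if every member is a plain file/dir that stays inside dest.

    Raises ValueError (and writes nothing) otherwise; returns the member names.
    """
    bad = escaping_members(archive_path, dest)
    if bad:
        raise ValueError(f"members escape {dest}: {bad}")
    special = [name for name, plain in _members(archive_path) if not plain]
    if special:
        raise ValueError(f"refusing links/special files: {special}")
    os.makedirs(dest, exist_ok=True)
    if tarfile.is_tarfile(archive_path):
        with tarfile.open(archive_path) as tar:
            # Newer tarfile ships its own 'data' filter; stack it on top of our checks.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(path=dest, **kwargs)
            return tar.getnames()
    with zipfile.ZipFile(archive_path) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_demo_archives(workdir: str) -> dict:
    """Constructed sample input: a benign tar plus tar/zip files with a '../evil.txt' member."""
    payload = b"owned\n"

    def tar_with(entries, path):
        with tarfile.open(path, "w") as tar:
            for name, content in entries.items():
                ti = tarfile.TarInfo(name)  # name is written verbatim, traversal included
                ti.size = len(content)
                tar.addfile(ti, io.BytesIO(content))
        return path

    paths = {
        "benign_tar": tar_with({"hello.txt": b"hi\n"}, os.path.join(workdir, "benign.tar")),
        "evil_tar": tar_with({"../evil.txt": payload}, os.path.join(workdir, "evil.tar")),
        "evil_zip": os.path.join(workdir, "evil.zip"),
    }
    with zipfile.ZipFile(paths["evil_zip"], "w") as zf:
        zf.writestr("../evil.txt", payload)  # zipfile does not sanitise names on write
    return paths


def run_demo() -> dict:
    """Build the sample archives in a temp dir and report what the checks decide."""
    with tempfile.TemporaryDirectory() as work:
        archives = build_demo_archives(work)
        out = os.path.join(work, "out")
        result = {k: escaping_members(p, out) for k, p in archives.items()}
        result["benign_extracted"] = safe_extract(archives["benign_tar"], out)
        with open(os.path.join(out, "hello.txt"), "rb") as fh:
            result["hello_content"] = fh.read()
        for k in ("evil_tar", "evil_zip"):
            try:
                safe_extract(archives[k], out)
                result[k + "_blocked"] = False
            except ValueError:
                result[k + "_blocked"] = True
        # the traversal payload must never appear beside the output directory
        result["escaped_file_written"] = os.path.exists(os.path.join(work, "evil.txt"))
        return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The point for the rule: `shutil.unpack_archive` ends up in the same `tarfile`/`zipfile` extraction code paths as a direct `extractall()` call, so untrusted input reaching it deserves the same finding, and a `subprocess` invocation of `tar -x` with an attacker-controlled archive cannot be vetted from Python at all unless the members are listed and checked first, as above.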