Python: Update hasUnsafeFilter to use API graph

This will probably break the tests in the short run. I'll fix the remaining issues in a follow-up commit.

Co-authored-by: Rasmus Wriedt Larsen <[email protected]>

Author: tausbn

python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll

@@ -74,19 +74,24 @@ module TarSlip {
    * Holds if `call` has an unsafe extraction filter, either by default (as the default is unsafe),
    * or by being set to an explicitly unsafe value, such as `"fully_trusted"`, or `None`.
    */
-  private predicate hasUnsafeFilter(DataFlow::CallCfgNode call) {
+  private predicate hasUnsafeFilter(API::CallNode call) {
     call =
       API::moduleImport("tarfile")
           .getMember("open")
           .getReturn()
           .getMember(["extract", "extractall"])
           .getACall() and
     (
-      call.getArg(4) = unsafeFilter()
-      or
-      call.getArgByName("filter") = unsafeFilter()
+      exists(Expr filterValue |
+        filterValue = call.getParameter(4, "filter").getAValueReachingSink().asExpr() and
+        (
+          filterValue.(StrConst).getText() = "fully_trusted"
+          or
+          filterValue instanceof None
+        )
+      )
       or
-      not exists(call.getArg(4)) and not exists(call.getArgByName("filter"))
+      not exists(call.getParameter(4, "filter"))
     )
   }