Improve clarity of subprocess tar extraction detection patterns

Replace regexpMatch for command name with explicit equality check:
- cmd = \"tar\" or cmd.matches(\"%/tar\") - clearly matches only exact \"tar\" or paths ending with \"/tar\"
Keep flag check as regexpMatch since it naturally excludes double-dash flags

Agent-Logs-Url: https://github.com/github/codeql/sessions/f31a3622-9b18-415f-85f1-62ec14a8319f

Co-authored-by: hvitved <3667920+hvitved@users.noreply.github.com>

Author: Copilot

python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll

@@ -169,8 +169,11 @@ module TarSlip {
             .getMember(["run", "call", "check_call", "check_output", "Popen"])
             .getACall() and
       cmdList = call.getArg(0).asCfgNode() and
-      // Command must be "tar" or a full path ending in "/tar" (e.g. "/usr/bin/tar")
-      cmdList.getElement(0).getNode().(StringLiteral).getText().regexpMatch("(.*/)?tar") and
+      // Command must be "tar" exactly or a path ending in "/tar" (e.g. "/usr/bin/tar")
+      exists(string cmd |
+        cmd = cmdList.getElement(0).getNode().(StringLiteral).getText() and
+        (cmd = "tar" or cmd.matches("%/tar"))
+      ) and
       // At least one extraction-related flag must be present:
       // single-dash flags containing 'x' (like -x, -xf, -xvf) or the long option --extract
       exists(string flag |