Fix imprecise patterns in isSubprocessTarExtraction predicate

Use regexpMatch instead of matches to avoid false positives:
- Command name: regexpMatch(\"(.*/)?tar\") to match only \"tar\" or paths ending in \"/tar\"
- Extraction flag: regexpMatch(\"-[a-zA-Z]*x[a-zA-Z]*\") to match only single-dash flags containing x

Agent-Logs-Url: https://github.com/github/codeql/sessions/f31a3622-9b18-415f-85f1-62ec14a8319f

Co-authored-by: hvitved <3667920+hvitved@users.noreply.github.com>

Author: Copilot

python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll

@@ -169,12 +169,13 @@ module TarSlip {
             .getMember(["run", "call", "check_call", "check_output", "Popen"])
             .getACall() and
       cmdList = call.getArg(0).asCfgNode() and
-      // Command must be "tar" (possibly with a full path like "/usr/bin/tar")
-      cmdList.getElement(0).getNode().(StringLiteral).getText().matches("%tar") and
-      // At least one extraction-related flag must be present
+      // Command must be "tar" or a full path ending in "/tar" (e.g. "/usr/bin/tar")
+      cmdList.getElement(0).getNode().(StringLiteral).getText().regexpMatch("(.*/)?tar") and
+      // At least one extraction-related flag must be present:
+      // single-dash flags containing 'x' (like -x, -xf, -xvf) or the long option --extract
       exists(string flag |
         flag = cmdList.getElement(_).getNode().(StringLiteral).getText() and
-        (flag.matches("%-x%") or flag = "--extract")
+        (flag.regexpMatch("-[a-zA-Z]*x[a-zA-Z]*") or flag = "--extract")
       ) and
       // At least one non-literal argument (the archive filename)
       exists(int i |