Databases

PyRedis

redis-py is the de-facto Redis client for Python. Most commands take typed arguments and are safe. The main sinks are eval() and evalsha(), which run Lua scripts on the server and are injection-sensitive when the script body (or the script selector) is user-controlled.

Taint flow: 1 source, 3 sinks

Sources (untrusted input): .get()
    | taint
    v
Sinks (dangerous call): .eval(), .evalsha(), .execute_command()

Sources

.get() [Source]

Signature: Redis.get(name: str) -> bytes | None

Reads a key. It is a source when the cached data originated from user input.

Tracks: return value

Sinks

.eval() [Sink]

Signature: Redis.eval(script: str, numkeys: int, *keys_and_args) -> Any

Executes a Lua script on the server. Injection sink when the script text is user-controlled; keys and arguments passed via KEYS/ARGV are data, not code.

Tracks: argument 0 (script)

.evalsha() [Sink]

Signature: Redis.evalsha(sha: str, numkeys: int, *keys_and_args) -> Any

Executes a cached Lua script by its SHA. A tainted sha lets the caller choose which pre-registered script runs.

Tracks: argument 0 (sha)

.execute_command() [Sink]

Signature: Redis.execute_command(*args) -> Any

Sends an arbitrary Redis command. Injection sink when the command name (the first argument) is user-controlled.

Tracks: argument 0 (command name)
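A small static check in the spirit of the rule above, added here as an illustration and not part of codepathfinder or redis-py: it walks a Python AST and flags calls to the three sinks whose tracked argument (index 0) is not a literal. The sample source is constructed for the example.

```python
"""Flag redis-py sink calls whose tracked argument is not a compile-time literal."""
import ast

# Sink method name -> index of the argument the rule tracks ("Tracks: argument 0")
REDIS_SINKS = {"eval": 0, "evalsha": 0, "execute_command": 0}


def _is_literal(node: ast.AST) -> bool:
    """A constant script/command/sha can never carry user data."""
    return isinstance(node, ast.Constant)


def find_dynamic_sink_args(source: str):
    """Return sorted (lineno, method) for each sink call whose tracked argument
    is built at runtime (concatenation, f-string, variable, call result).

    A non-literal argument is a candidate taint flow; the idiomatic redis-py
    usage (static script text, data passed through KEYS/ARGV) is never flagged.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        method = node.func.attr
        if method not in REDIS_SINKS:
            continue
        idx = REDIS_SINKS[method]
        if idx < len(node.args) and not _is_literal(node.args[idx]):
            findings.append((node.lineno, method))
    return sorted(findings)


# Constructed sample: several call sites on a redis.Redis client (lines 2..7)
SAMPLE = '''
r = redis.Redis()
r.eval("return redis.call('INCR', KEYS[1])", 1, "hits")   # static script, value via KEYS: safe
body = r.get("tpl")                                        # source (.get() return value)
r.eval("return " + body.decode(), 0)                       # source reaches script text: flagged
r.execute_command("PING")                                  # literal command name: safe
r.execute_command(cmd, "x")                                # dynamic command name: flagged
'''

if __name__ == "__main__":
    for lineno, method in find_dynamic_sink_args(SAMPLE):
        print(f"line {lineno}: .{method}() receives a non-literal tracked argument")
```

This syntactic check over-reports a variable that merely holds a literal and under-reports nothing it can see; a real rule such as the one on this page follows the dataflow from .get() to the sink instead.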

Other Methods

.set() [Neutral]

Signature: Redis.set(name: str, value, ex=None, ...) -> bool

Sets a key. Typed arguments, generally safe.

Fully-Qualified Names

FQN                 Field
redis               fqns[0]
redis.Redis         fqns[1]
redis.StrictRedis   fqns[2]

A wrong FQN yields 0 findings. Sanity check: change the fqns entries to garbage values; the rule must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PyRedis