Deserialization

PyToml

toml parses TOML configuration files. toml.load() is a neutral data loader: the dict it returns becomes a taint source only when the config file it reads is user-supplied. tomllib (stdlib, Python 3.11+) is the modern replacement for the third-party toml package.

Taint flow: 2 sources, 0 sinks

Sources (untrusted input):
  .load()
  .loads()

Sources

.load() [Source]

Signature: toml.load(f) -> dict

Parses TOML from a file. Source when the file is user-controlled.

Tracks: return

.loads() [Source]

Signature: toml.loads(s: str) -> dict

Parses TOML from a string. Source.

Tracks: return
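The two entries above mark the loader's return value as the tainted object: every value inside the returned dict inherits the trust level of the text that was parsed. The following is an added example, not code from this page or from the codepathfinder project, showing that a validation step between the loader and the consumer is what turns user-controlled config into usable values. It assumes tomllib (Python 3.11+) with a fallback to the third-party toml package, an assumed log directory LOG_ROOT, and a constructed sample config; only loads() is used because tomllib.load() takes a binary file object while toml.load() also accepts a path.

```python
"""Added example (not part of the PyToml rule page or codepathfinder):
the TOML loader is neutral, the returned dict is the taint source, and a
validation pass narrows each tainted value before it is used."""
import ipaddress
from pathlib import Path

try:
    import tomllib  # stdlib, Python 3.11+
except ModuleNotFoundError:
    import toml as tomllib  # third-party package the rule targets; same loads(str) -> dict

# Constructed sample: a config file an end user uploads or edits.
USER_CONFIG = """
[server]
host = "127.0.0.1"
port = 8080

[logging]
path = "app/app.log"
level = "DEBUG"
"""

ALLOWED_LEVELS = {"DEBUG", "INFO", "WARNING", "ERROR"}
LOG_ROOT = Path("/var/log/myapp")  # assumed base directory for log files


def load_config(text: str) -> dict:
    """The loader only turns text into a dict (this is the 'tracks: return'
    point): every value in the result is as trusted as `text` itself."""
    return tomllib.loads(text)


def validate_config(cfg: dict) -> dict:
    """Narrow each user-controlled value to an expected type and range.
    Raises ValueError on anything outside the expected shape."""
    server = cfg.get("server", {})
    logging_cfg = cfg.get("logging", {})

    # port: TOML may yield str, float or bool here; require a real int in range
    port = server.get("port")
    if type(port) is not int or not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port!r}")

    # host: require literal IP text (ip_address raises ValueError otherwise)
    host = server.get("host")
    if not isinstance(host, str):
        raise ValueError("server.host must be a string")
    ipaddress.ip_address(host)

    # level: allowlist instead of passing arbitrary text to the logging setup
    level = logging_cfg.get("level")
    if level not in ALLOWED_LEVELS:
        raise ValueError(f"invalid log level: {level!r}")

    # path: confine to LOG_ROOT; resolve() collapses '..' and absolute paths
    raw = logging_cfg.get("path")
    if not isinstance(raw, str):
        raise ValueError("logging.path must be a string")
    log_path = (LOG_ROOT / raw).resolve()
    if LOG_ROOT.resolve() not in log_path.parents:
        raise ValueError(f"log path escapes {LOG_ROOT}: {raw!r}")

    return {"host": host, "port": port, "level": level, "log_path": log_path}


def checked_config(text: str) -> dict:
    """Loader followed by validation: the only values that leave this
    function are the narrowed ones."""
    return validate_config(load_config(text))


def rejects(text: str) -> bool:
    """True when the config is refused by validation (used for checks)."""
    try:
        checked_config(text)
    except ValueError:
        return True
    return False
```

For the rule, the interesting object is the dict returned by load_config(): that is what a taint engine marks, and without validate_config() in between, server.host or logging.path would reach their consumers carrying the user's trust level unchanged.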

Fully-Qualified Names

FQN        Field
toml       fqns[0]
tomllib    fqns[1]

A wrong FQN yields 0 findings. Sanity check: change the fqns entries to garbage strings and re-run; the rule must then produce 0 results, which confirms the findings depend on these names.

Import

rule.py:
from codepathfinder.go_rule import PyToml