File System
os.path, tempfile, pathlib — path traversal and temp file handling
PyAiofiles: aiofiles provides async file I/O. aiofiles.open() is a path-traversal sink when the path is user-controlled (same as the built-in open).
PyConfigparser: The configparser module reads INI-style config files. Values read via get() are sources when the config file is user-supplied. The module itself has no injection sinks of its own.
PyDockerfileParse: dockerfile_parse parses Dockerfiles. Returned structures reflect user-controlled file content. Usually a source for linting rules, not a sink.
PyFileinput: Python stdlib module — fileinput. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyFnmatch: Python stdlib module — fnmatch. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyGlob: The glob module. glob.glob() resolves shell-style patterns against the filesystem — a finding when the pattern is user-controlled (it can enumerate directories outside the intended scope).
PyLogging: The logging module. Most uses are neutral. Log-injection findings arise when user-controlled data is logged without sanitization — attackers can break log line boundaries with newline characters (\n) or forge subsequent log entries.
PyMimetypes: Python stdlib module — mimetypes. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyOSPath: The os.path module for path manipulation. join() concatenates path components but does not resolve traversal sequences — a path-traversal bug when joining a trusted base with a user-controlled path. Use os.path.commonpath together with realpath containment checks to sanitize.
PyPathlib: The pathlib module is the modern OO path API. Path.resolve() expands symlinks (a sanitizer when combined with a containment check). Path.open / read_text / write_text are file I/O sinks when the path is user-controlled.
PyRe: The re module. Catastrophic backtracking in regex patterns (ReDoS) — a finding when a user-controlled pattern flows into re.compile / re.search / re.match. Also, re.findall on untrusted HTML is a common anti-pattern that misses cases.
PyRegex: Third-party Python package module — regex. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyShutil: The shutil module for high-level file operations. unpack_archive automatically extracts tar / zip / gztar / bztar / xztar archives — the same zip-slip risks as tarfile.extractall. copytree can also be used for path traversal.
PyTempfile: The tempfile module. mktemp() is deprecated and insecure (race condition between filename generation and open). Use NamedTemporaryFile, mkstemp, or TemporaryDirectory, which create the file atomically.