PyEmail

The email package. Assembling an outgoing message with user-controlled header values (Subject, To, From, or any other header) is the email-header-injection sink: a CR or LF inside a header value terminates that header and starts a new one (an extra Bcc, for example). Caveat for current CPython: email.message.EmailMessage with the default policy raises ValueError when a header value spans more than one line, and the legacy compat32 email.message.Message raises email.errors.HeaderParseError at serialization when a continuation line looks like a header, so the injection is realised where the header block is built by string formatting rather than through the package's own setters. email.parser handles incoming messages and is the source of user content. This rule models two sources and no sinks.

Taint flow: 2 sources, 0 sinks
Sources — untrusted input
.message_from_string()
.message_from_bytes()

Sources

.message_from_string() (Source)

Signature
email.message_from_string(s, _class=None, *, policy=compat32) -> Message

Parses a message from a string. With the default arguments the result is an email.message.Message (the compat32 message factory); passing policy=email.policy.default yields an email.message.EmailMessage. Source for incoming email content: every header value and the payload are attacker-controlled.

tracks: return
.message_from_bytes() (Source)

Signature
email.message_from_bytes(s, _class=None, *, policy=compat32) -> Message

Parses a message from bytes, the form in which mail arrives from a socket or mailbox. Same return-type behaviour as message_from_string: Message under compat32, EmailMessage with policy=email.policy.default. Source.

tracks: return

Other Methods

.EmailMessage() (Neutral)

Signature
email.message.EmailMessage(policy=default) -> EmailMessage

Creates a message. Marked Neutral because this rule models no sinks; in application code, headers set on it from user input are where header injection would land. With the default policy the library itself raises ValueError on a header value containing CR or LF, so a tainted flow into a header typically surfaces as an unhandled exception rather than an injected header. A header block assembled by string formatting has no such check.
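The following is an added example (not code from the page or from the codepathfinder project) illustrating the source and sink behaviour described above and in the package description: an inbound message is parsed (the message_from_bytes source), and an attacker-controlled Subject is then pushed through three assembly paths. The default-policy EmailMessage rejects the CRLF at assignment, the compat32 Message rejects it at serialization, and a hand-built header block lets the injected Bcc through. The inbound message and the injected subject are constructed sample data; the function names are this example's own.

```python
"""Added example: how a user-controlled header value behaves across the
email package's sources and sinks. Constructed data, not from the page."""
from email import message_from_bytes, message_from_string, policy
from email.errors import HeaderParseError
from email.message import EmailMessage, Message

# Constructed sample inbound message (the source side).
RAW_INBOUND = (
    b"From: alice@example.test\r\n"
    b"To: bot@example.test\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"please reply\r\n"
)

# Constructed attacker-supplied subject carrying a CRLF header-injection attempt.
INJECTED_SUBJECT = "hello\r\nBcc: attacker@example.test"


def parse_inbound(raw: bytes):
    """Source: every header value and the payload returned here is attacker-controlled."""
    return message_from_bytes(raw, policy=policy.default)


def build_with_default_policy(subject: str) -> str:
    """EmailMessage (policy=default): header_store_parse rejects a value that
    spans more than one line, so the injection fails at assignment time."""
    msg = EmailMessage()
    msg["From"] = "bot@example.test"
    msg["To"] = "alice@example.test"
    try:
        msg["Subject"] = subject  # ValueError for CR/LF in the value
    except ValueError:
        return "rejected"
    msg.set_content("auto-reply")
    return msg.as_string()


def build_with_compat32(subject: str) -> str:
    """Legacy Message (policy=compat32): the value is stored unchecked, and the
    problem only surfaces when the message is serialised (HeaderParseError
    because a continuation line looks like an embedded header)."""
    msg = Message()
    try:
        msg["Subject"] = subject
        msg.set_payload("auto-reply")
        return msg.as_string()
    except (ValueError, HeaderParseError):
        return "rejected"


def build_by_concatenation(subject: str) -> str:
    """The sink that actually injects: a header block glued together by hand
    (e.g. for smtplib.sendmail). Nothing inspects the value, so the CRLF ends
    Subject and the attacker's Bcc becomes a real header."""
    return f"From: bot@example.test\r\nSubject: {subject}\r\n\r\nauto-reply\r\n"


def delivered_headers(wire: str) -> list:
    """Re-parse the wire-format message as a receiving MTA would and list its headers."""
    return list(message_from_string(wire).keys())


def auto_reply(raw_inbound: bytes) -> str:
    """Taint flow source -> sink: the parsed Subject flows into the reply's Subject."""
    inbound = parse_inbound(raw_inbound)
    return build_with_default_policy("Re: " + str(inbound["Subject"]))


if __name__ == "__main__":
    print(build_with_default_policy(INJECTED_SUBJECT))  # rejected
    print(build_with_compat32(INJECTED_SUBJECT))  # rejected
    print(delivered_headers(build_by_concatenation(INJECTED_SUBJECT)))  # ['From', 'Subject', 'Bcc']
```

The point for a rule author: the package's own setters are defended on current CPython, so a flow from message_from_bytes into EmailMessage headers usually ends in an exception, while the same tainted value formatted into a raw header string is the case that produces the injected Bcc. Modelling that string-formatting path as the sink is what turns this rule's two sources into findings.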

Fully-Qualified Names

FQN             Field
email           fqns[0]
email.message   fqns[1]
email.parser    fqns[2]
email.mime      fqns[3]

A wrong FQN produces 0 findings, silently. Sanity check: point fqns at a nonexistent module name and confirm the rule now reports 0 results on code where it previously matched; if it still reports findings, the rule is matching on something other than these FQNs.

Import

rule.py
from codepathfinder.go_rule import PyEmail