HTTP Clients

PyHttpx

httpx is a modern async-capable HTTP client. Its SSRF surface is identical to that of requests: the URL argument of get/post/etc. is a sink when it is user-controlled. verify=False disables TLS verification (covered by a separate rule).

Taint flow: 0 sources, 5 sinks

Sinks (dangerous calls):
.get()
.post()
.put()
.delete()
.stream()

Sinks

.get() (Sink)
Signature
httpx.get(url, *, params=None, headers=None, ...) -> Response

Sends a GET request. SSRF sink on url.

tracks: 0

.post() (Sink)
Signature
httpx.post(url, *, content=None, data=None, json=None, ...) -> Response

Sends a POST request. SSRF sink on url.

tracks: 0

.put() (Sink)
Signature
httpx.put(url, *, content=None, data=None, ...) -> Response

Sends a PUT request. SSRF sink.

tracks: 0

.delete() (Sink)
Signature
httpx.delete(url, ...) -> Response

Sends a DELETE request. SSRF sink.

tracks: 0

.stream() (Sink)
Signature
httpx.stream(method, url, ...) -> ContextManager[Response]

Streams a response. SSRF sink on url.

tracks: 1
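
An added example, not part of the rule's own documentation: a user-controlled URL reaching the httpx.get sink, next to a variant that checks the destination against an allowlist first. ALLOWED_HOSTS, is_allowed_url, fetch_unchecked and fetch_checked are hypothetical names, and api.example.com is a constructed host; the same check applies before .post(), .put(), .delete() and .stream().

```python
from urllib.parse import urlsplit

# Assumption: the only hosts this service is meant to call (constructed value).
ALLOWED_HOSTS = {"api.example.com"}


def is_allowed_url(url: str) -> bool:
    """True only for https URLs on port 443 whose host is on the allowlist."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # Reject userinfo: in "https://api.example.com@other.host/" the real
    # destination is other.host, not the string before the "@".
    if parts.username is not None or parts.password is not None:
        return False
    # hostname is already lower-cased; exact match, so IP literals and
    # look-alike suffixes (api.example.com.evil.test) fail too.
    return parts.hostname in ALLOWED_HOSTS and port in (None, 443)


def fetch_unchecked(user_url: str):
    """The pattern the rule reports: tainted value passed as url."""
    import httpx  # imported lazily so the validator is usable without httpx
    return httpx.get(user_url)  # SSRF sink on url


def fetch_checked(user_url: str):
    """Same request, but the destination is validated before the sink."""
    if not is_allowed_url(user_url):
        raise ValueError("destination not allowed")
    import httpx
    # follow_redirects=False (the httpx default, stated explicitly) keeps a
    # redirect response from moving the request off the allowlisted host.
    return httpx.get(user_url, follow_redirects=False, timeout=5.0)
```
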

Fully-Qualified Names

FQN                 Field
httpx               fqns[0]
httpx.Client        fqns[1]
httpx.AsyncClient   fqns[2]

A wrong FQN yields 0 findings. To verify, change fqns to garbage values; the rule must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PyHttpx