sdk/python/HTTP Clients/PyPycurl

PyPycurl

pycurl wraps libcurl. curl.setopt(pycurl.URL, ...) is an SSRF sink on user-controlled URLs. setopt(pycurl.SSL_VERIFYPEER, 0) disables TLS verification.

2 sinks

Taint flow0 sources → 2 sinks

Sinks — dangerous call

.setopt()Sets a cURL option

.perform()Sends the request

Sinks

— dangerous functions taint must not reach

.setopt()Sink

Signature

Curl.setopt(option, value) -> None

Sets a cURL option. SSRF sink when option=pycurl.URL and value is user-controlled.

tracks:1

.perform()Sink

Signature

Curl.perform() -> None

Sends the request. Sink in combination with setopt.

Other Methods

.Curl()Neutral

Signature

pycurl.Curl() -> Curl

Creates a cURL handle.

Fully-Qualified Names

FQN	Field
pycurl	fqns[0]

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

Import

rule.py

from codepathfinder.go_rule import PyPycurl

← PreviousPyPoplib

Next →PyPysocks