HTTP Clients

PyRequests

requests is the most popular HTTP client for Python. All top-level methods and Session methods accept a URL as the first argument, so each is an SSRF sink when that URL is user-controlled. verify=False disables TLS certificate verification (covered by a separate rule).
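As an added illustration (not code from the codepathfinder page or the requests project), the following shows the flagged sink, requests.get() on a user-controlled URL, next to a gated version where only an allowlisted destination can reach the sink. The function names, the allowlist and the sample URLs are constructed for this example; the requests import is deferred into the fetch functions so the validator can be exercised without the library installed.

```python
# Added example (not from the codepathfinder page): requests.get() fed a
# user-controlled URL, beside the same call behind an allowlist gate.
# Names, the allowlist and the sample URLs are constructed for illustration.
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: exact netloc values (host plus optional port) we permit.
ALLOWED_NETLOCS = {"api.example.com"}


def fetch_unsafe(user_url: str):
    """Vulnerable pattern: the URL flows straight from the user into the sink."""
    import requests  # imported here so the rest of the module runs without it
    return requests.get(user_url, timeout=5)  # SSRF sink: url is tainted


def validate_outbound_url(user_url: str, allowed=ALLOWED_NETLOCS):
    """Return a normalized URL if it may be fetched, otherwise None.

    The whole netloc is compared, not just the hostname, so userinfo tricks
    ("allowed-host@other-host"), unexpected ports and non-HTTP schemes are
    all rejected by the same check.
    """
    parts = urlsplit(user_url)
    if parts.scheme.lower() not in ("http", "https"):
        return None
    netloc = parts.netloc.lower()
    if not netloc or netloc not in allowed:
        return None
    # Rebuild the URL from the validated pieces; the fragment is dropped.
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))


def fetch_safe(user_url: str):
    """Gated pattern: only a validated destination reaches the sink, and
    redirects are disabled so the remote server cannot bounce the request
    to a host that was never validated."""
    url = validate_outbound_url(user_url)
    if url is None:
        raise ValueError("destination not permitted")
    import requests
    return requests.get(url, timeout=5, allow_redirects=False)  # verify stays at its default


def classify(urls):
    """Map each sample URL to its normalized form or None (rejected)."""
    return {u: validate_outbound_url(u) for u in urls}


# Constructed sample inputs: two should pass, the rest should be rejected.
SAMPLE_URLS = [
    "https://api.example.com/v1/users?id=7",
    "HTTPS://API.example.com",
    "https://api.example.com:8443/",
    "https://api.example.com@localhost/",
    "http://localhost/",
    "file:///etc/hostname",
]

if __name__ == "__main__":
    for url, decision in classify(SAMPLE_URLS).items():
        print(f"{url!r:42} -> {decision!r}")
```

The gate validates the destination before the call, which is the shape a taint analysis expects: the tainted value is sanitized on every path into the sink. Two caveats apply in practice: the allowlist must hold the exact netloc (a port or userinfo component changes it), and allow_redirects=False matters because requests follows redirects by default, which would let a permitted host redirect the client to an unvalidated one.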

Taint flow: 0 sources, 5 sinks
Sinks — dangerous call
.get()
.post()
.put()
.delete()
.request()

Sinks

.get() (sink)
Signature: requests.get(url: str, params=None, **kwargs) -> Response
Sends a GET request. SSRF sink when url is user-controlled.
tracks: 0

.post() (sink)
Signature: requests.post(url: str, data=None, json=None, **kwargs) -> Response
Sends a POST request. SSRF sink when url is user-controlled.
tracks: 0

.put() (sink)
Signature: requests.put(url: str, data=None, **kwargs) -> Response
Sends a PUT request. SSRF sink when url is user-controlled.
tracks: 0

.delete() (sink)
Signature: requests.delete(url: str, **kwargs) -> Response
Sends a DELETE request. SSRF sink when url is user-controlled.
tracks: 0

.request() (sink)
Signature: requests.request(method: str, url: str, **kwargs) -> Response
Sends a request with an arbitrary method. SSRF sink on url when it is user-controlled.
tracks: 1

Fully-Qualified Names

FQN                Field
requests           fqns[0]
requests.Session   fqns[1]

A wrong FQN yields 0 findings, so the rule fails silently. To verify the FQNs are actually being matched, change fqns to garbage values: the rule must then produce 0 results.

Import

rule.py:
from codepathfinder.go_rule import PyRequests