HTTP Clients

PyUrllib

urllib.request (stdlib) is the lowest-level HTTP client in Python. urlopen() accepts either a URL string or a Request object, and it is an SSRF sink when the URL is user-controlled. Unlike requests, urlopen defaults to no TLS verification on some platforms.

Taint flow: 0 sources, 2 sinks

Sinks (dangerous calls):
.urlopen()
.Request()

Sinks

.urlopen() (Sink)
Signature
urllib.request.urlopen(url, data=None, timeout=None, ...) -> HTTPResponse

Opens an HTTP(S) URL. SSRF sink when url is user-controlled.

tracks: 0

.Request() (Sink)
Signature
urllib.request.Request(url: str, data=None, headers={}, ...) -> Request

Builds an HTTP request object. SSRF sink when url is user-controlled (passed later to urlopen).

tracks: 0
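
One way to guard both sinks in application code, as an added example that is not part of this page's rule or of codepathfinder. The names check_url, BlockedURL, NoRedirect and safe_fetch are hypothetical, and the policy (http/https only, public addresses only, no redirects) is an assumption.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # urlopen() also serves file:, ftp: and data:


class BlockedURL(ValueError):
    """The URL fails the outbound-request policy (assumed policy, see lead-in)."""


def check_url(target, resolve=socket.getaddrinfo):
    """Validate a URL string or Request object before it reaches urlopen()."""
    # urlopen() accepts either form, so normalise both to a string first.
    url = target.full_url if isinstance(target, urllib.request.Request) else target
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise BlockedURL(f"scheme or host not allowed: {url!r}")
    port = parts.port or (443 if scheme == "https" else 80)
    # Check every address the name resolves to, not only the first one.
    for info in resolve(parts.hostname, port, type=socket.SOCK_STREAM):
        ip = ipaddress.ip_address(info[4][0].split("%")[0])  # drop IPv6 zone id
        if not ip.is_global:
            raise BlockedURL(f"{parts.hostname} resolves to non-public {ip}")
    return url


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects so a checked URL cannot bounce to an unchecked one."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx response


def safe_fetch(target, timeout=5):
    """Hypothetical wrapper: policy check, then fetch without redirects."""
    check_url(target)
    opener = urllib.request.build_opener(NoRedirect)
    return opener.open(target, timeout=timeout)
```

The host name is resolved once by the check and again when the connection is made, so this guard does not cover DNS rebinding.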

Fully-Qualified Names

| FQN | Field |
| urllib.request | fqns[0] |

A wrong FQN yields 0 findings. To verify, change fqns to a garbage value; the rule must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PyUrllib