Web Frameworks

PyFlaskCors

flask-cors configures CORS headers on Flask apps. Calling CORS(app, origins='*') with supports_credentials=True is a major finding: browsers explicitly forbid a wildcard origin combined with credentials, but some configurations still emit it.

Taint flow: 0 sources, 2 sinks
Sinks (dangerous calls):
.CORS()
.cross_origin()

Sinks

.CORS() (Sink)
Signature
CORS(app=None, *, resources=..., origins=None, supports_credentials=False, ...) -> CORS

Installs CORS headers. Finding when origins='*' and supports_credentials=True.

.cross_origin() (Sink)
Signature
cross_origin(origins=None, methods=None, supports_credentials=False, ...) -> Callable

Per-view CORS decorator. Same credential wildcard finding applies.
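
A stand-alone check for the finding described above, written with Python's ast module as an added example; it is not codepathfinder's rule code. It matches the two sinks by trailing call name rather than by resolved FQN (a simplification), and SAMPLE is constructed input.

```python
import ast

SINKS = {"CORS", "cross_origin"}  # the two sinks listed on this page

# Constructed sample source; it is only parsed, never executed.
SAMPLE = '''\
import flask_cors
from flask_cors import CORS, cross_origin
CORS(app, origins="*", supports_credentials=True)
flask_cors.CORS(app, origins=["https://app.example"], supports_credentials=True)
@cross_origin(origins=["*"], supports_credentials=True)
def me(): return "ok"
@cross_origin(origins="*")
def public(): return "ok"
'''

def _call_name(func):
    """Trailing name of the call target: CORS and flask_cors.CORS both give 'CORS'."""
    return getattr(func, "attr", None) or getattr(func, "id", None)

def _is_wildcard(node):
    """True for the literal '*' or a list/tuple/set literal containing '*'."""
    if isinstance(node, ast.Constant):
        return node.value == "*"
    if isinstance(node, (ast.List, ast.Tuple, ast.Set)):
        return any(_is_wildcard(e) for e in node.elts)
    return False

def find_credentialed_wildcards(source):
    """Return sorted (line, sink) pairs with origins='*' and supports_credentials=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _call_name(node.func) not in SINKS:
            continue
        kw = {k.arg: k.value for k in node.keywords if k.arg}
        creds = kw.get("supports_credentials")
        if (isinstance(creds, ast.Constant) and creds.value is True
                and "origins" in kw and _is_wildcard(kw["origins"])):
            findings.append((node.lineno, _call_name(node.func)))
    return sorted(findings)

if __name__ == "__main__":
    for line, sink in find_credentialed_wildcards(SAMPLE):
        print(f"line {line}: {sink}() emits a wildcard origin with credentials")
```

Only literal keyword values are evaluated; origins or supports_credentials passed through variables or a resources dict are not followed by this sketch.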

Fully-Qualified Names

FQN               Field
flask_cors        fqns[0]
flask_cors.CORS   fqns[1]

A wrong FQN yields 0 findings. To verify, change fqns to garbage values; the rule must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PyFlaskCors