sdk/python/Web Frameworks/PyStarlette

PyStarlette

Starlette is the ASGI toolkit behind FastAPI. Request exposes HTTP input; the responses module provides HTMLResponse / RedirectResponse / FileResponse (sinks for XSS, open-redirect, path-traversal respectively).

3 sources3 sinks

Taint flow3 sources → 3 sinks

Sources — untrusted input

.Request.query_params()URL query parameters

.Request.path_params()Path parameters

.Request.form()Form body

→

taint

Sinks — dangerous call

.HTMLResponse()Raw HTML response

.RedirectResponse()Redirect response

.FileResponse()Serves a file

Sources

— user-controlled input enters here

.Request.query_params()Source

Signature

request.query_params: QueryParams

URL query parameters.

tracks:return

.Request.path_params()Source

Signature

request.path_params: dict

Path parameters.

tracks:return

.Request.form()Source

Signature

async request.form() -> FormData

Form body.

tracks:return

Sinks

— dangerous functions taint must not reach

.HTMLResponse()Sink

Signature

HTMLResponse(content, status_code=200, headers=None, media_type=None, ...) -> Response

Raw HTML response. XSS sink on tainted content.

tracks:0

.RedirectResponse()Sink

Signature

RedirectResponse(url, status_code=307, ...) -> Response

Redirect response. Open-redirect sink.

tracks:0

.FileResponse()Sink

Signature

FileResponse(path, status_code=200, headers=None, media_type=None, filename=None, ...) -> Response

Serves a file. Path-traversal sink on user-controlled path.

tracks:0

Fully-Qualified Names

FQN	Field
starlette	fqns[0]
starlette.requests	fqns[1]
starlette.responses	fqns[2]

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

Import

rule.py

from codepathfinder.go_rule import PyStarlette

← PreviousPySimpleWebsocket

Next →PyUwsgi