Web Frameworks

PyWerkzeug

Werkzeug is the WSGI toolkit Flask is built on. safe_join() is the canonical path-traversal sanitizer for serving files. utils.redirect is where Flask's open-redirect surface originates: Flask's own redirect() delegates to it.

2 sinks, 1 sanitizer
Taint flow: 0 sources, 1 sanitizer → 2 sinks
Sanitizers — blocks taint
.safe_join()
Sinks — dangerous call
.redirect()
.send_file()

Sinks

.redirect() (Sink)
Signature
werkzeug.utils.redirect(location: str, code: int = 302, Response=None) -> Response

Returns a redirect response to the given location. Open-redirect sink when location is user-controlled.

tracks: 0
.send_file() (Sink)
Signature
werkzeug.utils.send_file(path_or_file, environ, mimetype=None, ...) -> Response

Serves the file at path_or_file. Path-traversal sink when that path is user-controlled.

tracks: 0

Sanitizers

.safe_join() (Sanitizer)
Signature
werkzeug.utils.safe_join(directory: str, *pathnames) -> str | None

Joins user-supplied path components onto a base directory and returns None when a component would escape that directory. Path-traversal sanitizer; only its return value is treated as clean.

tracks: return
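The two checks below gate the sinks catalogued above; this is an added example, not Werkzeug's code or part of this rule. safe_path_under is a simplified stand-in for the safe_join() contract (not the library's implementation), and safe_redirect_target is an assumed helper that stops a user-controlled location from reaching redirect() unvalidated.

```python
import posixpath
from urllib.parse import urlparse


def safe_path_under(directory: str, *pathnames: str):
    """Stand-in for the safe_join() contract (not Werkzeug's code): join
    user-supplied components onto `directory`, or return None when a component
    would escape it (absolute path, backslash separator, or a leading '..'
    left after normalisation)."""
    parts = [directory or "."]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if ("\\" in filename or posixpath.isabs(filename)
                or filename == ".." or filename.startswith("../")):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


def safe_redirect_target(location: str, request_host: str, fallback: str = "/") -> str:
    """Assumed helper gating the redirect() sink: accept only plain relative
    paths or http(s) URLs on our own host; everything else becomes `fallback`."""
    # Browsers fold backslashes into '/' and collapse a run of leading slashes
    # into a scheme-relative URL, so reject both forms up front.
    if "\\" in location or location.startswith("//"):
        return fallback
    parsed = urlparse(location)
    if parsed.scheme not in ("", "http", "https"):  # blocks javascript:, data:, ...
        return fallback
    # A scheme or host is only acceptable when the host is ours.
    if (parsed.scheme or parsed.netloc) and parsed.netloc != request_host:
        return fallback
    return location


if __name__ == "__main__":
    # Constructed inputs: one benign value and one escape attempt per sink.
    for p in ("docs/readme.txt", "docs/../../etc/passwd"):
        print(p, "->", safe_path_under("/srv/files", p))
    for loc in ("/account", "//evil.example/login"):
        print(loc, "->", safe_redirect_target(loc, "example.com"))
```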

Fully-Qualified Names

FQN       Field
werkzeug  fqns[0]

A wrong FQN yields 0 findings. Sanity check: replace the fqns value with garbage; the rule must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PyWerkzeug