Python SDK Reference

Celery is a distributed task queue. Celery(broker=..., backend=...) configures brokers — findings when broker URL has insecure defaults (redis:// without TLS, amqp:// without TLS). @task decorators accept arbitrary user-controlled args via the queue.

The cgi module (deprecated in 3.11, removed in 3.13). cgi.FieldStorage collects form data for CGI scripts — each field value is a source. Any new code should not use cgi.

Python stdlib module — cgitb. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — channels. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

cffi calls C libraries without writing a C extension. FFI.dlopen() loads a shared library at runtime — code-execution sink on user-controlled path. FFI.cdef parses C declarations — neutral unless the definitions are user-controlled.

The ctypes module for calling C libraries. LoadLibrary / CDLL on user-controlled paths loads arbitrary code — code-execution sink. String pointer operations can also be memory-safety findings.

The docker SDK. DockerClient.containers.run with privileged=True is a container-escape finding. volumes mounting /var/run/docker.sock into the container grants full Docker daemon access.

Python stdlib module — fcntl. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — hdbcli. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — ibm_db. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

ldap3 is a pure-Python LDAP client. Connection.search() accepts a search_filter — LDAP injection sink when the filter is built from user input without escaping. Use ldap3.utils.conv.escape_filter_chars() for safe construction.

MySQLdb (mysqlclient) is a C-extension MySQL driver. Cursor.execute() is an SQL injection sink when the query is built without %s placeholders.

The ast module exposes Python's abstract syntax tree. ast.literal_eval is a safe evaluator for literals only. The builtins eval() and exec() execute arbitrary Python code — RCE sinks on user input. compile() produces code objects that reach exec().

The csv module. csv.writer + writerow on user-controlled cells produces CSV-formula injection when the receiver opens the CSV in Excel (cells starting with =, +, -, @ are interpreted as formulas). No stdlib sanitizer — prefix with a tab or apostrophe.

The dbm family (dbm.gnu, dbm.ndbm, dbm.dumb). dbm.open() on untrusted files reads a DBM-format database. dbm.dumb is pickle-like and unsafe on untrusted input.

defusedxml is the hardened XML parser suite. It wraps xml.etree, xml.sax, xml.dom, lxml etc. with external-entity resolution disabled. Using defusedxml counterparts is the recommended sanitizer for XML sources.

aiohttp provides async HTTP client and server. ClientSession.get / post and the top-level request() are SSRF sinks on user-controlled URLs. aiohttp.web request handlers expose sources via request.query, request.post, request.json.

Third-party Python package module — aws_xray_sdk. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

boto3 is the AWS SDK for Python. client('s3').get_object(...) and similar operations commonly ingest user input into bucket / key names — SSRF-like vectors through S3 URLs and IAM misconfiguration. Covering for rule writers that check AWS-specific patterns.

The email package. email.message.EmailMessage assembly with user-controlled Subject, To, From, or body is an email-header-injection sink (CRLF in header values can inject extra headers). email.parser handles incoming messages — sources of user content.

aiofiles provides async file I/O. aiofiles.open() is a path-traversal sink when the path is user-controlled (same as built-in open).

The configparser module reads INI-style config files. Values read via get() are sources when the config file is user-supplied. The module itself has no injection sinks of its own.

dockerfile_parse parses Dockerfiles. Returned structures reflect user-controlled file content. Usually a source for linting rules, not a sink.

Python stdlib module — fileinput. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — bz2. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — gzip. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — lzma. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

The tarfile module. extractall() and extract() follow archive entry paths as-is — path-traversal sink (zip slip) when the archive is user-supplied and extractall's filter= argument is not set to a safe filter. Python 3.12 changed the default to 'data'.

Third-party Python package module — auth0. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Authlib is a comprehensive OAuth / OpenID / JWT library. JsonWebToken.decode() and the OAuth client Client.parse_request_body_response track access-token flows.

The crypt module (deprecated in 3.11, removed in 3.13). crypt.crypt() wraps the Unix crypt(3) call. Most default methods are weak (DES, MD5). Use passlib or hashlib.scrypt / pbkdf2_hmac instead.

The cryptography package provides recipes (Fernet) and primitives (hazmat). Fernet is the recommended symmetric encryption helper. Findings arise when hazmat primitives are used with obsolete algorithms (MD5, DES, RC4) or ECB mode.

bleach is an HTML sanitizer library. bleach.clean() strips dangerous tags and attributes — sanitizer for XSS flows. bleach.linkify() is also safe.

Third-party Python package module — chevron. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — docutils. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — fpdf. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — abc. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — array. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — atexit. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — bisect. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — asynchat. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — asyncio. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — asyncore. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — concurrent. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — calendar. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — convertdate. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — croniter. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — dateparser_data. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — aifc. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — audioop. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — base64. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — binaryornot. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — argparse. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — capturer. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — click. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — cmd. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — curses. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — jack. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — pyaudio. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — pyi_splash. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — assertpy. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — atheris. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — behave. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — doctest. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — bdb. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — cProfile. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — distutils. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — ensurepip. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — et_xmlfile. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — geopandas. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — hnswlib. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — networkx. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Python stdlib module — antigravity. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — antlr4. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — braintree. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Third-party Python package module — click_default_group. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.