Cryptography

PyParamiko

paramiko is the pure-Python SSH2 library (SSH client/server and SFTP). SSHClient.set_missing_host_key_policy() with AutoAddPolicy() silently accepts and stores any unknown host key, and WarningPolicy() only logs before connecting, so both skip host authentication and expose the session to MITM; the default RejectPolicy() refuses unknown hosts. exec_command() passes a single string to the remote shell and is a command-execution sink when that string is user-controlled. connect() is an SSRF-like sink when hostname is user-controlled.

Taint flow: 0 sources, 3 sinks

Sinks (dangerous calls):
.set_missing_host_key_policy()
.connect()
.exec_command()

Sinks

.set_missing_host_key_policy() (Sink)

Signature
SSHClient.set_missing_host_key_policy(policy: MissingHostKeyPolicy) -> None

Sets the policy applied when the server's host key is not among the client's loaded known-hosts keys. Finding when the policy is AutoAddPolicy(), which accepts and stores any unknown key, or WarningPolicy(), which logs a warning and still connects; both skip host authentication and allow MITM. The default, RejectPolicy(), raises SSHException for an unknown host. Note that load_system_host_keys() or load_host_keys() must be called first, otherwise every host is unknown.

tracks: 0

.connect() (Sink)

Signature
SSHClient.connect(hostname, port=22, username=None, password=None, ...) -> None

Connects to an SSH server and authenticates. SSRF-like sink when hostname (or port) is user-controlled: the client opens a TCP connection to whatever host the caller names and authenticates to it with the caller's credentials, which with password authentication means the password is sent to that host.

tracks: 0

.exec_command() (Sink)

Signature
SSHClient.exec_command(command: str, bufsize=-1, ...) -> (stdin, stdout, stderr)

Runs a command on the remote host. The command is one string interpreted by the remote shell; there is no argument-list form, so a user-controlled command string, or a user-controlled value concatenated into one, is a command-injection sink. Quote each dynamic argument with shlex.quote(), or avoid the shell where possible (e.g. SFTP for file transfer).

tracks: 0
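The rule above is a taint rule, so the tool itself decides what is user-controlled. As an added illustration of the three sink conditions (not code from the rule page or from codepathfinder), the following stand-alone ast-based check flags the same calls by shape: an unsafe host-key policy, a non-literal hostname, and a command string whose dynamic parts are not wrapped in shlex.quote(). The sample source it scans (SAMPLE_SOURCE), the function names and the sanitizer heuristic are this example's own assumptions.

```python
"""Added example: syntactic approximation of the PyParamiko sink rule.

Not part of the rule page or of codepathfinder. It matches calls by method
name only; the real rule is keyed on the FQNs paramiko / paramiko.SSHClient,
so e.g. socket.connect() would not match there but does match here.
"""
import ast
from typing import List, Optional, Tuple

# Host-key policies that accept an unknown key (the page's finding condition).
UNSAFE_POLICIES = {"AutoAddPolicy", "WarningPolicy"}


def _call_name(node: ast.AST) -> str:
    """Name a call or reference is made through, e.g. 'exec_command' or 'AutoAddPolicy'."""
    func = node.func if isinstance(node, ast.Call) else node
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def _arg(call: ast.Call, keyword: str) -> Optional[ast.AST]:
    """First positional argument, or the named keyword argument, of a call."""
    if call.args:
        return call.args[0]
    for kw in call.keywords:
        if kw.arg == keyword:
            return kw.value
    return None


def _is_str_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _is_shell_safe(node: ast.AST) -> bool:
    """True for a literal, or a concatenation / f-string whose dynamic parts are
    all wrapped in a quote() call (assumed to be shlex.quote)."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_shell_safe(node.left) and _is_shell_safe(node.right)
    if isinstance(node, ast.JoinedStr):
        return all(_is_shell_safe(v) for v in node.values)
    if isinstance(node, ast.FormattedValue):
        return _is_shell_safe(node.value)
    if isinstance(node, ast.Call) and _call_name(node) == "quote":
        return True
    return False


def find_paramiko_sinks(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, sink, reason) for every risky sink call found in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name == "set_missing_host_key_policy":
            policy = _arg(node, "policy")
            if policy is not None and _call_name(policy) in UNSAFE_POLICIES:
                findings.append((node.lineno, name,
                                 f"{_call_name(policy)}() accepts unknown host keys (MITM)"))
        elif name == "connect":
            host = _arg(node, "hostname")
            if host is not None and not _is_str_literal(host):
                findings.append((node.lineno, name, "non-literal hostname (SSRF-like)"))
        elif name == "exec_command":
            cmd = _arg(node, "command")
            if cmd is not None and not _is_shell_safe(cmd):
                findings.append((node.lineno, name, "unquoted dynamic command (command injection)"))
    return sorted(findings)


# Constructed sample: a risky function next to its hardened counterpart.
SAMPLE_SOURCE = '''
import shlex
import paramiko

def risky(host, user, password, filename):
    c = paramiko.SSHClient()
    c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    c.connect(host, username=user, password=password)
    return c.exec_command("cat " + filename)

def hardened(user, password, filename):
    c = paramiko.SSHClient()
    c.load_system_host_keys()
    c.set_missing_host_key_policy(paramiko.RejectPolicy())
    c.connect("bastion.example.internal", username=user, password=password)
    return c.exec_command("cat " + shlex.quote(filename))
'''

if __name__ == "__main__":
    for line, sink, reason in find_paramiko_sinks(SAMPLE_SOURCE):
        print(f"line {line}: {sink}: {reason}")
```

Only the three calls in risky() are reported (lines 7, 8 and 9 of the sample); hardened() loads known hosts, keeps the default RejectPolicy(), connects to a fixed bastion and quotes the filename, so it produces no finding. The quote() heuristic is the weak point of a purely syntactic check: it cannot tell whether a value is actually attacker-controlled, which is exactly what the taint rule's sources and FQN keying are for.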

Other Methods

.SSHClient() (Neutral)

Signature
paramiko.SSHClient() -> SSHClient

Creates an SSH client. Not a sink by itself: the new client defaults to RejectPolicy() and has an empty known-hosts store until load_system_host_keys() or load_host_keys() is called.

Fully-Qualified Names

FQN                  Field
paramiko             fqns[0]
paramiko.SSHClient   fqns[1]

A wrong FQN yields 0 findings. Sanity check: change the fqns entries to garbage strings and re-run; the rule must then produce 0 results. If it still reports findings, the matches are keyed on something other than these names.

Import

rule.py
from codepathfinder.go_rule import PyParamiko