File System

PyShutil

The shutil module for high-level file operations. unpack_archive automatically extracts tar / zip / gztar / bztar / xztar archives; the tar formats go through tarfile.extractall and inherit its zip-slip and symlink risks (the opt-in filter argument exists from 3.12, and 'data' is only the default from 3.14). copyfile, copytree and rmtree are path-traversal sinks when src, dst or path is user-controlled.

Taint flow: 0 sources, 4 sinks
Sinks (dangerous calls):
.unpack_archive()
.copyfile()
.copytree()
.rmtree()

Sinks

.unpack_archive() (Sink)
Signature
shutil.unpack_archive(filename, extract_dir=None, format=None) -> None

Unpacks an archive; uses tarfile / zipfile under the hood. Zip-slip sink on untrusted archives: a member named ../x, an absolute name, or a symlink followed by a member written through it lands outside extract_dir. zipfile's extractall strips leading separators and '..' components, so the practical exposure is the tar formats; for those pass filter='data' (3.12+, backported to 3.8.17, 3.9.17, 3.10.12 and 3.11.4) or vet member names yourself before extracting.

.copyfile() (Sink)
Signature
shutil.copyfile(src, dst, *, follow_symlinks=True) -> str

Copies file contents (not metadata). Path-traversal sink when src or dst is user-controlled: a tainted src is an arbitrary-file read, a tainted dst an arbitrary-file write or overwrite. follow_symlinks=True by default, so a symlink at src is read through to its target.

tracks: 0, 1

.copytree() (Sink)
Signature
shutil.copytree(src, dst, symlinks=False, ...) -> str

Recursively copies a directory tree. Path-traversal sink on untrusted src / dst, with the same read / write split as copyfile. With symlinks=False (the default) the contents of linked files are copied as regular files, so a symlink planted inside an untrusted src pulls data in from outside it.

tracks: 0, 1

.rmtree() (Sink)
Signature
shutil.rmtree(path, ignore_errors=False, onerror=None) -> None

Recursively deletes a directory tree. Finding on a user-controlled path (arbitrary-file-delete). rmtree refuses a path that is itself a symbolic link, but nothing stops '..' segments or symlinked parent components from pointing it outside the intended root, and ignore_errors=True hides the failures that would otherwise expose a bad path.

tracks: 0
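The flows the four sinks above describe, as an added example that is not part of the PyShutil rule page or the codepathfinder project: an in-memory tar with an attacker-chosen member name (constructed sample input), the unguarded unpack_archive call the rule would report, and a hardened path that vets every member against the extraction root before anything touches disk, with the same guard reused in front of rmtree. The helper names (resolve_inside, safe_unpack_tar, safe_rmtree, run_demo) are this example's own.

```python
"""Added example (not from the PyShutil rule page or the codepathfinder
project): the flows the rule reports, beside a hardened form that keeps
every path inside a chosen root. Helper names are this example's own."""
import io
import os
import shutil
import tarfile
import tempfile


def resolve_inside(root: str, untrusted: str) -> str:
    """Join an untrusted relative path onto root and prove the result stays
    inside root. Absolute names, '..' segments and symlink hops that escape
    are all caught, because realpath() resolves them before the check."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, untrusted))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise ValueError(f"{untrusted!r} escapes {root_real}")
    return candidate


def build_tar(members: dict) -> bytes:
    """Constructed sample input: an in-memory tar whose member names are
    attacker-chosen. A name like '../evil.txt' is exactly a zip-slip payload."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def vulnerable_unpack(archive_path: str, extract_dir: str) -> None:
    """The sink as the rule sees it: an untrusted archive straight into
    unpack_archive(). Without the 3.12 extraction filters (default only from
    3.14) a '../' member lands outside extract_dir. Kept for contrast, not run."""
    shutil.unpack_archive(archive_path, extract_dir, format="tar")


def safe_unpack_tar(archive_bytes: bytes, extract_dir: str) -> list:
    """Vet every member before anything touches disk, then extract with the
    'data' filter where the interpreter has it (3.12+, plus the backports)."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tf:
        members = tf.getmembers()
        for m in members:
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"refusing link/device member {m.name!r}")
            resolve_inside(extract_dir, m.name)  # raises on '../' or absolute
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(extract_dir, **kwargs)
    return [m.name for m in members]


def safe_rmtree(root: str, untrusted: str) -> str:
    """rmtree() sink behind the same guard; also refuses to delete root itself."""
    target = resolve_inside(root, untrusted)
    if target == os.path.realpath(root):
        raise ValueError("refusing to delete the root directory")
    shutil.rmtree(target)
    return target


def run_demo() -> tuple:
    """Exercise both guards in a scratch directory and report what happened."""
    bad = build_tar({"../evil.txt": b"pwned"})
    good = build_tar({"ok.txt": b"hello", "sub/inner.txt": b"world"})
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_unpack_tar(bad, d)
            bad_rejected = False
        except ValueError:
            bad_rejected = True  # nothing was written: the check ran first
        names = safe_unpack_tar(good, d)
        with open(os.path.join(d, "ok.txt"), "rb") as fh:
            content = fh.read()
        try:
            safe_rmtree(d, "../..")
            escape_rejected = False
        except ValueError:
            escape_rejected = True
        safe_rmtree(d, "sub")
        sub_gone = not os.path.exists(os.path.join(d, "sub"))
    return bad_rejected, names, content, escape_rejected, sub_gone


if __name__ == "__main__":
    print(run_demo())
```

The member check and the 'data' filter are deliberately both present: the filter is the interpreter's own defence and also rejects links and devices, while the explicit resolve_inside check keeps the same behaviour on interpreters that predate it and gives the copyfile / copytree / rmtree call sites a single guard to share.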

Other Methods

.which() (Neutral)
Signature
shutil.which(cmd, mode=os.F_OK | os.X_OK, path=None) -> str | None

Locates an executable on PATH (and PATHEXT on Windows). Neutral: not a sink by itself; the returned path is what later reaches subprocess.

Fully-Qualified Names

FQN      Field
shutil   fqns[0]

Wrong FQN → 0 findings. Verify by changing fqns to garbage: the rule must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PyShutil