sdk/python/HTTP Clients/PyAiohttp

PyAiohttp

aiohttp provides async HTTP client and server. ClientSession.get / post and the top-level request() are SSRF sinks on user-controlled URLs. aiohttp.web request handlers expose sources via request.query, request.post, request.json.

3 sources3 sinks

Taint flow3 sources → 3 sinks

Sources — untrusted input

.Request.query()URL query parameters on aiohttp

.Request.post()Form body

.Request.json()Parsed JSON body

→

taint

Sinks — dangerous call

.ClientSession.get()Async GET

.ClientSession.post()Async POST

.request()Top-level async request helper

Sources

— user-controlled input enters here

.Request.query()Source

Signature

request.query: MultiDict[str, str]

URL query parameters on aiohttp.web handlers. User-controlled.

tracks:return

.Request.post()Source

Signature

async request.post() -> MultiDict[str, str]

Form body. User-controlled.

tracks:return

.Request.json()Source

Signature

async request.json(*, loads=json.loads) -> Any

Parsed JSON body. User-controlled.

tracks:return

Sinks

— dangerous functions taint must not reach

.ClientSession.get()Sink

Signature

async ClientSession.get(url, *, allow_redirects=True, ...) -> ClientResponse

Async GET. SSRF sink on url.

tracks:0

.ClientSession.post()Sink

Signature

async ClientSession.post(url, *, data=None, json=None, ...) -> ClientResponse

Async POST. SSRF sink.

tracks:0

.request()Sink

Signature

async aiohttp.request(method, url, **kwargs) -> ClientResponse

Top-level async request helper. SSRF sink on url.

tracks:1

Fully-Qualified Names

FQN	Field
aiohttp	fqns[0]
aiohttp.ClientSession	fqns[1]
aiohttp.web	fqns[2]

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

Import

rule.py

from codepathfinder.go_rule import PyAiohttp

Next →PyAwsXraySdk