PyHttpServer

The http.server module. SimpleHTTPRequestHandler serves files from the current working directory, which makes it a path-traversal sink when that directory contains secrets. The module is intended for development only; any production use is a finding.

Taint flow: 0 sources, 2 sinks

Sinks (dangerous calls):
.HTTPServer()
.SimpleHTTPRequestHandler()

Sinks

.HTTPServer() (Sink)
Signature
http.server.HTTPServer(server_address, RequestHandlerClass, bind_and_activate=True) -> HTTPServer

HTTP server. Finding when bound to 0.0.0.0 without access control.

.SimpleHTTPRequestHandler() (Sink)
Signature
http.server.SimpleHTTPRequestHandler(*args, **kwargs) -> SimpleHTTPRequestHandler

Serves files from CWD. Path-traversal sink for sensitive directories.
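
A hardened development setup for both sinks, as an added example that is not part of this page's rule or of the CodePathfinder project: the server binds to 127.0.0.1 instead of 0.0.0.0, and the handler is pinned to a dedicated directory instead of the CWD. The directory layout, file names and helper names (QuietHandler, start_server, fetch_status, demo) are constructed for the demonstration.

```python
import functools
import http.client
import http.server
import pathlib
import tempfile
import threading


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, format, *args):
        pass  # keep the demo output quiet


def start_server(directory):
    """Serve only `directory`, on loopback only (port 0 = OS picks a free port)."""
    # directory= replaces the default of os.getcwd() (available since Python 3.7).
    handler = functools.partial(QuietHandler, directory=str(directory))
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_status(server, path):
    """Return the HTTP status code the server gives for `path`."""
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
    conn.request("GET", path)
    status = conn.getresponse().status
    conn.close()
    return status


def demo():
    """Constructed layout: root/public/index.html is served, root/secrets.env is not."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        public = root / "public"
        public.mkdir()
        (public / "index.html").write_text("hello")
        (root / "secrets.env").write_text("API_KEY=constructed-placeholder")
        server = start_server(public)
        try:
            return {
                "bound_host": server.server_address[0],
                "index": fetch_status(server, "/index.html"),
                "sibling_secret": fetch_status(server, "/secrets.env"),
                "parent_secret": fetch_status(server, "/../secrets.env"),
            }
        finally:
            server.shutdown()
            server.server_close()
```

Calling demo() returns the bound host and the status code for each request, so the same checks can run as a regression test whenever the served directory changes.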

Fully-Qualified Names

| FQN | Field |
| --- | --- |
| http.server | fqns[0] |

A wrong FQN yields 0 findings. To verify, change fqns to garbage; the rule must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PyHttpServer