HTTP Clients

PySmtplib

The smtplib module for SMTP. SMTP() talks plaintext unless starttls() is called on the session afterwards; SMTP_SSL wraps the connection in TLS from the first byte. Rule writers also target email header and recipient construction, since a CR/LF in a user-controlled header value or address lets the caller smuggle extra headers (header injection) into the message handed to sendmail().

Summary: 2 sinks, 1 sanitizer

Taint flow: 0 sources, 1 sanitizer → 2 sinks

Sanitizers (block taint)
.SMTP_SSL()

Sinks (dangerous calls)
.SMTP()
.sendmail()

Sinks

.SMTP() (Sink)

Signature
smtplib.SMTP(host='', port=0, local_hostname=None, ...) -> SMTP

Opens a plaintext SMTP session. Reported as a finding only if starttls() is never called on the returned session; a session that is upgraded with starttls() before any mail data is sent is not a finding.

.sendmail() (Sink)

Signature
SMTP.sendmail(from_addr, to_addrs, msg, mail_options=(), rcpt_options=())

Sends an email. Header-injection sink when msg or to_addrs is built from user-controlled input without stripping or rejecting CR/LF. sendmail() itself only normalises line endings and dot-stuffs the body; it does not validate header lines inside msg.

tracks: 1, 2 (the to_addrs and msg arguments)

Sanitizers

.SMTP_SSL() (Sanitizer)

Signature
smtplib.SMTP_SSL(host='', port=0, ..., context=None) -> SMTP_SSL

Opens an SMTP session over TLS from the start, so the plaintext-transport finding does not apply. Caveat: this sanitizer only covers the transport. With context=None CPython builds an unverified SSL context (no certificate or hostname check), so a hardened caller should pass ssl.create_default_context(). It also says nothing about header injection; a tainted msg or to_addrs still reaches the .sendmail() sink over an SMTP_SSL session.

tracks: return
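The two sink shapes and the sanitizer side by side, as an added example for this page (it is not code from the PySmtplib rule or the codepathfinder project). It builds a message the naive way so the smuggled Bcc header can be parsed back out, then shows the hardened form in which EmailMessage refuses the same input and the transport is SMTP_SSL or starttls() with a verifying context. Everything in it is assumed for the demo: the constructed attacker value INJECTED_SUBJECT, the helper names, and the host smtp.example.com; the two send functions are not executed, since they would open a real connection.

```python
# Added example, not project code. Assumed names: INJECTED_SUBJECT, the
# helpers below, and the hypothetical host smtp.example.com.
import email
import smtplib
import ssl
from email.message import EmailMessage

# Constructed attacker-controlled subject: CRLF followed by a smuggled header.
INJECTED_SUBJECT = "Invoice\r\nBcc: attacker@example.net"


def naive_message(from_addr: str, to_addr: str, subject: str, body: str) -> bytes:
    """Vulnerable 'before': headers are string-concatenated, so a CRLF inside
    `subject` ends the Subject line and starts a new header. This is the
    tainted `msg` argument the .sendmail() sink is meant to catch."""
    return (
        f"From: {from_addr}\r\nTo: {to_addr}\r\nSubject: {subject}\r\n\r\n{body}"
    ).encode()


def header_values(raw: bytes, name: str) -> list[str]:
    """Parse message bytes the way a receiving MTA would and return every value
    of header `name`; shows which headers the naive builder let through."""
    parsed = email.message_from_bytes(raw)
    return [str(v) for v in (parsed.get_all(name) or [])]


def safe_message(from_addr: str, to_addr: str, subject: str, body: str) -> EmailMessage:
    """Hardened form: EmailMessage (policy=default) raises ValueError when a
    header value contains CR or LF, so the injection never reaches sendmail()."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject  # ValueError on "\r" or "\n"
    msg.set_content(body)
    return msg


def has_header_injection(value: str) -> bool:
    """Explicit check for the to_addrs / header taint: any CR, LF or NUL in a
    user-supplied address or header value means it must not reach the sink."""
    return any(ch in value for ch in ("\r", "\n", "\0"))


def verified_tls_context() -> ssl.SSLContext:
    """Context for SMTP_SSL()/starttls(). With context=None CPython builds an
    unverified context (no certificate or hostname check), so 'SMTP_SSL is
    safe' only covers the transport, not peer authentication."""
    return ssl.create_default_context()


def send_over_smtp_ssl(from_addr, to_addr, subject, body, host="smtp.example.com"):
    """Hardened path matching the .SMTP_SSL() sanitizer (assumed host; not run
    here): validated recipient, EmailMessage-built message, verifying context."""
    if has_header_injection(to_addr):
        raise ValueError("recipient contains line breaks")
    msg = safe_message(from_addr, to_addr, subject, body)
    with smtplib.SMTP_SSL(host, 465, context=verified_tls_context()) as conn:
        conn.send_message(msg)


def send_over_starttls(from_addr, to_addr, subject, body, host="smtp.example.com"):
    """The .SMTP() sink is a finding only when starttls() never follows; this
    is the upgraded shape (assumed host; not run here)."""
    if has_header_injection(to_addr):
        raise ValueError("recipient contains line breaks")
    msg = safe_message(from_addr, to_addr, subject, body)
    with smtplib.SMTP(host, 587) as conn:
        conn.starttls(context=verified_tls_context())  # upgrade before any data
        conn.send_message(msg)


def demo() -> tuple[list[str], bool]:
    """Returns (Bcc headers smuggled by the naive builder, whether the safe
    builder refused the same input)."""
    raw = naive_message("app@example.com", "user@example.com", INJECTED_SUBJECT, "hello")
    smuggled = header_values(raw, "Bcc")
    try:
        safe_message("app@example.com", "user@example.com", INJECTED_SUBJECT, "hello")
        refused = False
    except ValueError:
        refused = True
    return smuggled, refused


if __name__ == "__main__":
    print(demo())
```

Running the file prints `(['attacker@example.net'], True)`: the concatenated message carries the attacker's Bcc header exactly as a downstream MTA would read it, while EmailMessage rejects the value before anything reaches a sink. For the rule itself, the useful takeaway is that the .SMTP_SSL() sanitizer clears only the transport finding; header taint into to_addrs or msg still needs its own sanitizer such as the has_header_injection check or the EmailMessage builder.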

Fully-Qualified Names

FQN: smtplib (field: fqns[0])

A wrong FQN yields 0 findings. Sanity-check that the rule is actually matching: change fqns to a garbage value and confirm the rule then produces 0 results.

Import

rule.py
from codepathfinder.go_rule import PySmtplib