Web Frameworks
Flask, Django, FastAPI request sources and response sinks
PyCelery: Celery is a distributed task queue. Celery(broker=..., backend=...) configures brokers — findings when the broker URL has insecure defaults (redis:// without TLS, amqp:// without TLS). @task decorators accept arbitrary user-controlled args via the queue.
PyCgi: The cgi module (deprecated in 3.11, removed in 3.13). cgi.FieldStorage collects form data for CGI scripts — each field value is a source. Any new code should not use cgi.
PyCgitb: Python stdlib module — cgitb. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyChannels: Third-party Python package module — channels. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyDjango: Django is a full-featured Python web framework. HttpRequest exposes request data; the ORM Manager.raw() and Cursor.execute() are SQL injection sinks when the SQL is built from user input. Template rendering via mark_safe bypasses auto-escaping (XSS sink).
PyDjangoFilters: django-filter builds Django QuerySet filters from query params. FilterSet.qs runs the filtered query — injection is impossible via the FilterSet, but custom filter methods that build raw SQL are sinks.
PyFanstatic: Third-party Python package module — fanstatic. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyFastAPI: FastAPI is a modern Python web framework built on Starlette and Pydantic. Path / query / body parameters declared on endpoints are sources. Response helpers inherited from Starlette include HTMLResponse and RedirectResponse (XSS and open-redirect sinks).
PyFlask: Flask is a popular Python web microframework. The flask.request global exposes all HTTP input (args, form, json, files, headers, cookies) as taint sources. Response helpers like render_template (SSTI if the template is user-controlled) and redirect (open-redirect) are sinks.
PyFlaskCors: flask-cors configures CORS headers on Flask apps. CORS(app, origins='*') with supports_credentials=True is a major finding (wildcard origin with credentials is explicitly forbidden by browsers, but some configurations still emit it).
PyFlaskMigrate: Third-party Python package module — flask_migrate. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyFlaskSocketio: Third-party Python package module — flask_socketio. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyGevent: Third-party Python package module — gevent. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyGreenlet: Third-party Python package module — greenlet. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyGrpc: Third-party Python package module — grpc. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyGrpcChannelz: Third-party Python package module — grpc_channelz. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyGrpcHealth: Third-party Python package module — grpc_health. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyGrpcReflection: Third-party Python package module — grpc_reflection. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyGrpcStatus: Third-party Python package module — grpc_status. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyGunicorn: gunicorn is a production WSGI server. Commonly run via the CLI, but programmatic use via Application() is possible. bind '0.0.0.0:*' on internal apps is a finding.
PyJsonschema: jsonschema validates JSON documents against a schema. validate() is a sanitizer for shape-checking untrusted JSON before passing fields to other sinks.
PyPydantic: Pydantic provides strict type-validated models. BaseModel parses / coerces input and raises on mismatch — the parsed model is a sanitizer for the raw input. Still, string fields on the model can remain tainted (not magically escaped).
PyRestFramework: Django REST Framework (DRF). request.data is the primary source for JSON / form payloads; serializers validate input (sanitizer when is_valid is called with raise_exception=True). Response() with tainted data is generally safe due to DRF's renderers, but render_template is still worth watching.
PySimpleWebsocket: Third-party Python package module — simple_websocket. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyStarlette: Starlette is the ASGI toolkit behind FastAPI. Request exposes HTTP input; the responses module provides HTMLResponse / RedirectResponse / FileResponse (sinks for XSS, open-redirect and path-traversal respectively).
PyUwsgi: Third-party Python package module — uwsgi. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyWaitress: waitress is a production WSGI server. serve() with host='0.0.0.0' exposes the app on all interfaces — a finding for internal-only services.
PyWerkzeug: Werkzeug is the WSGI toolkit Flask is built on. safe_join() is the canonical path-traversal sanitizer for serving files. utils.redirect is where Flask's open-redirect surface originates.
PyWsgiref: The wsgiref module for WSGI utilities. simple_server.make_server is dev-only — production should use gunicorn or waitress. util.request_uri reconstructs the URL from environ and is a source.
PyWtforms: WTForms provides form validation for Flask / Django-style apps. Form().validate_on_submit() is a sanitizer for field-level validation. Still, string field values reach templates / SQL if fed directly without additional escaping.