sdk/python/Web Frameworks/PyFastAPI

PyFastAPI

FastAPI is a modern Python web framework built on Starlette and Pydantic. Path / query / body parameters declared on endpoints are sources. Response helpers inherited from Starlette include HTMLResponse and RedirectResponse (XSS and open-redirect sinks).

4 sources2 sinks

Taint flow4 sources → 2 sinks

Sources — untrusted input

.Request.query_params()URL query parameters

.Request.cookies()Request cookies

.Request.headers()Request headers

.Request.json()Parsed JSON request body

→

taint

Sinks — dangerous call

.HTMLResponse()Returns raw HTML

.RedirectResponse()Returns a redirect

Sources

— user-controlled input enters here

.Request.query_params()Source

Signature

request.query_params: QueryParams

URL query parameters. User-controlled.

tracks:return

.Request.cookies()Source

Signature

request.cookies: dict[str, str]

Request cookies. User-controlled.

tracks:return

.Request.headers()Source

Signature

request.headers: Headers

Request headers. User-controlled.

tracks:return

.Request.json()Source

Signature

async Request.json() -> Any

Parsed JSON request body. User-controlled.

tracks:return

Sinks

— dangerous functions taint must not reach

.HTMLResponse()Sink

Signature

HTMLResponse(content: str, status_code: int = 200, ...) -> Response

Returns raw HTML. XSS sink when content contains unescaped user input.

tracks:0

.RedirectResponse()Sink

Signature

RedirectResponse(url: str, status_code: int = 307, ...) -> Response

Returns a redirect. Open-redirect sink when url is user-controlled.

tracks:0

Fully-Qualified Names

FQN	Field
fastapi	fqns[0]
fastapi.Request	fqns[1]
starlette.requests.Request	fqns[2]

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

Import

rule.py

from codepathfinder.go_rule import PyFastAPI

← PreviousPyFanstatic

Next →PyFlask