Web Frameworks

PyFlask

Flask is a popular Python web microframework. The flask.request global exposes all HTTP input (args, form, json, files, headers, cookies) as taint sources. Response helpers such as render_template_string (SSTI when the template source is user-controlled) and redirect (open redirect when the location is user-controlled) are sinks.

Taint flow: 5 sources, 3 sinks

Sources — untrusted input
  .request.args()
  .request.form()
  .request.get_json()
  .request.cookies()
  .request.headers()

  taint flows from any source above to any sink below

Sinks — dangerous call
  .render_template_string()
  .redirect()
  .send_file()

Sources

.request.args() (Source)
Signature: request.args: MultiDict
URL query string. All values are user-controlled.
tracks: return

.request.form() (Source)
Signature: request.form: MultiDict
POST form data (application/x-www-form-urlencoded or multipart/form-data). All values are user-controlled.
tracks: return

.request.get_json() (Source)
Signature: request.get_json(force=False, silent=False, cache=True) -> Any
Parsed JSON request body. User-controlled.
tracks: return

.request.cookies() (Source)
Signature: request.cookies: ImmutableMultiDict
Request cookies. User-controlled.
tracks: return

.request.headers() (Source)
Signature: request.headers: EnvironHeaders
Request headers. User-controlled.
tracks: return

Sinks

.render_template_string() (Sink)
Signature: flask.render_template_string(source: str, **context) -> str
Renders a template from a raw string. SSTI sink when source contains user input.
tracks: 0

.redirect() (Sink)
Signature: flask.redirect(location: str, code: int = 302) -> Response
Returns a redirect response. Open-redirect sink when location is user-controlled.
tracks: 0

.send_file() (Sink)
Signature: flask.send_file(path_or_file, ...) -> Response
Serves a file. Path-traversal sink when the path is user-controlled.
tracks: 0
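
The entries above describe one flow: a value that originates from any of the five request sources must not reach the first argument of any of the three sinks. As an added illustration (not codepathfinder's engine or rule code), the stand-alone checker below implements that flow over Python's ast module using the page's source and sink names and runs it on a constructed sample app; it assumes tracks:0 means the sink's first positional argument, and it follows only simple assignments inside a single function.

```python
import ast
# Sources are the flask.request attributes/methods listed above; sinks are the
# three helpers above, each tracking its first positional argument (tracks:0).
SOURCES = {"args", "form", "get_json", "cookies", "headers"}
SINKS = {"render_template_string", "redirect", "send_file"}

def _is_source(node):
    # Match request.<source>, plus calls/subscripts on it (request.args.get("q")).
    while isinstance(node, (ast.Attribute, ast.Subscript, ast.Call)):
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and node.value.id == "request" and node.attr in SOURCES):
            return True
        node = node.func if isinstance(node, ast.Call) else node.value
    return False

def _tainted(expr, tainted):
    # An expression is tainted if it contains a source or a tainted variable.
    return any(_is_source(n) or (isinstance(n, ast.Name) and n.id in tainted)
               for n in ast.walk(expr))

def find_flows(src):
    """Return (function, sink, line) triples where request data reaches a sink."""
    findings = []
    for fn in (n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for node in ast.walk(fn):  # breadth-first, so statements precede sub-expressions
            if isinstance(node, ast.Assign) and _tainted(node.value, tainted):
                tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
            elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                  and node.func.id in SINKS and node.args
                  and _tainted(node.args[0], tainted)):
                findings.append((fn.name, node.func.id, node.lineno))
    return findings

# Constructed sample app: three vulnerable handlers and two hardened ones.
SAMPLE_APP = '''
from flask import request, render_template_string, redirect, send_file, send_from_directory
def hello_vuln():
    name = request.args.get("name", "world")
    return render_template_string("Hello " + name)      # user input in template source
def hello_safe():
    name = request.args.get("name", "world")
    return render_template_string("Hello {{ name }}", name=name)  # input only as context
def go_vuln():
    return redirect(request.form["next"])               # unvalidated redirect target
def download_vuln():
    return send_file("/srv/files/" + request.args["f"])  # untrusted path segment
def download_safe():
    return send_from_directory("/srv/files", request.args["f"])  # Flask applies safe_join
'''
```

Only the three handlers that pass request data positionally to a listed sink are reported: hello_safe passes it as template context, and download_safe uses send_from_directory, which is not a listed sink.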

Fully-Qualified Names

FQN             Field
flask           fqns[0]
flask.Request   fqns[1]

A wrong FQN yields 0 findings. To verify that the rule is really matching, change the fqns to garbage values: the rule must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PyFlask