{ "package": "requests", "archives": [ { "file": "/tmp/pip-download/requests-2.33.1.tar.gz", "type": "sdist", "findings": [ { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/src/requests/__init__.py", "match_count": 3, "matches": [ { "line": 13, "content": ">>> import requests" }, { "line": 43, "content": "import urllib3" }, { "line": 45, "content": "from .exceptions import RequestsDependencyWarning" } ] }, { "rule": "network_call", "severity": "CRITICAL", "description": "Active network call during install", "file": "requests-2.33.1/src/requests/__init__.py", "match_count": 2, "matches": [ { "line": 14, "content": ">>> r = requests.get('https://www.python.org')" }, { "line": 23, "content": ">>> r = requests.post('https://httpbin.org/post', data=payload)" } ] }, { "rule": "exec_eval", "severity": "HIGH", "description": "Dynamic code execution - can hide arbitrary payloads", "file": "requests-2.33.1/src/requests/_internal_utils.py", "match_count": 4, "matches": [ { "line": 13, "content": "_VALID_HEADER_NAME_RE_BYTE = re.compile(rb\"^[^:\\s][^:\\r\\n]*\\Z\")" }, { "line": 14, "content": "_VALID_HEADER_NAME_RE_STR = re.compile(r\"^[^:\\s][^:\\r\\n]*\\Z\")" }, { "line": 15, "content": "_VALID_HEADER_VALUE_RE_BYTE = re.compile(rb\"^\\S[^\\r\\n]*\\Z|^\\Z\")" }, { "line": 16, "content": "_VALID_HEADER_VALUE_RE_STR = re.compile(r\"^\\S[^\\r\\n]*\\Z|^\\Z\")" } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/src/requests/adapters.py", "match_count": 3, "matches": [ { "line": 10, "content": "import socket # noqa: F401" }, { "line": 159, "content": "which we retry a request, import urllib3's ``Retry`` class and pass" }, { "line": 165, "content": ">>> import requests" } ] }, { "rule": "network_call", "severity": "CRITICAL", "description": "Active network call during install", "file": "requests-2.33.1/src/requests/adapters.py", "match_count": 1, "matches": [ { "line": 645, "content": "resp = conn.urlopen(" } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/src/requests/api.py", "match_count": 1, "matches": [ { "line": 49, "content": ">>> import requests" } ] }, { "rule": "exec_eval", "severity": "HIGH", "description": "Dynamic code execution - can hide arbitrary payloads", "file": "requests-2.33.1/src/requests/auth.py", "match_count": 1, "matches": [ { "line": 262, "content": "pat = re.compile(r\"digest \", flags=re.IGNORECASE)" } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/src/requests/help.py", "match_count": 1, "matches": [ { "line": 9, "content": "import urllib3" } ] }, { "rule": "platform_detect", "severity": "LOW", "description": "Platform detection - may be targeting specific OS", "file": "requests-2.33.1/src/requests/help.py", "match_count": 1, "matches": [ { "line": 70, "content": "\"system\": platform.system()," } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/src/requests/models.py", "match_count": 2, "matches": [ { "line": 254, "content": ">>> import requests" }, { "line": 325, "content": ">>> import requests" } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/src/requests/sessions.py", "match_count": 1, "matches": [ { "line": 364, "content": ">>> import requests" } ] }, { "rule": "platform_detect", "severity": "LOW", "description": "Platform detection - may be targeting specific OS", "file": "requests-2.33.1/src/requests/sessions.py", "match_count": 1, "matches": [ { "line": 56, "content": "if sys.platform == \"win32\":" } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/src/requests/status_codes.py", "match_count": 1, "matches": [ { "line": 8, "content": ">>> import requests" } ] }, { "rule": "exec_eval", "severity": "HIGH", "description": "Dynamic code execution - can hide arbitrary payloads", "file": "requests-2.33.1/src/requests/utils.py", "match_count": 3, "matches": [ { "line": 493, "content": "charset_re = re.compile(r']', flags=re.I)" }, { "line": 494, "content": "pragma_re = re.compile(r']', flags=re.I)" }, { "line": 495, "content": "xml_re = re.compile(r'^<\\?xml.*?encoding=[\"\\']*(.+?)[\"\\'>]')" } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/src/requests/utils.py", "match_count": 1, "matches": [ { "line": 14, "content": "import socket" } ] }, { "rule": "env_credential_harvest", "severity": "CRITICAL", "description": "Environment variable credential harvesting", "file": "requests-2.33.1/src/requests/utils.py", "match_count": 2, "matches": [ { "line": 762, "content": "return os.environ.get(key) or os.environ.get(key.upper())" }, { "line": 762, "content": "return os.environ.get(key) or os.environ.get(key.upper())" } ] }, { "rule": "platform_detect", "severity": "LOW", "description": "Platform detection - may be targeting specific OS", "file": "requests-2.33.1/src/requests/utils.py", "match_count": 1, "matches": [ { "line": 73, "content": "if sys.platform == \"win32\":" } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/tests/test_adapters.py", "match_count": 1, "matches": [ { "line": 1, "content": "import requests.adapters" } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/tests/test_hooks.py", "match_count": 1, "matches": [ { "line": 3, "content": "from requests import hooks" } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/tests/test_lowlevel.py", "match_count": 1, "matches": [ { "line": 5, "content": "import requests" } ] }, { "rule": "network_call", "severity": "CRITICAL", "description": "Active network call during install", "file": "requests-2.33.1/tests/test_lowlevel.py", "match_count": 13, "matches": [ { "line": 32, "content": "r = requests.post(url, data=data, stream=True)" }, { "line": 59, "content": "requests.get(url)" }, { "line": 73, "content": "r = requests.post(url, data=data, headers={\"Host\": custom_host}, stream=True)" }, { "line": 91, "content": "r = requests.post(url, data=data, stream=True)" }, { "line": 123, "content": "requests.get(url)" } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/tests/test_packages.py", "match_count": 1, "matches": [ { "line": 1, "content": "import requests" } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/tests/test_requests.py", "match_count": 2, "matches": [ { "line": 16, "content": "import urllib3" }, { "line": 19, "content": "import requests" } ] }, { "rule": "network_call", "severity": "CRITICAL", "description": "Active network call during install", "file": "requests-2.33.1/tests/test_requests.py", "match_count": 96, "matches": [ { "line": 113, "content": "requests.get(url)" }, { "line": 215, "content": "r = requests.get(httpbin(\"redirect\", \"1\"))" }, { "line": 221, "content": "r = requests.post(" }, { "line": 233, "content": "r = requests.post(" }, { "line": 245, "content": "requests.get(httpbin(\"relative-redirect\", \"50\"))" } ] }, { "rule": "credential_paths", "severity": "CRITICAL", "description": "References to credential/secret file paths", "file": "requests-2.33.1/tests/test_requests.py", "match_count": 1, "matches": [ { "line": 1879, "content": "\"file:///etc/passwd\"," } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/tests/test_testserver.py", "match_count": 2, "matches": [ { "line": 1, "content": "import socket" }, { "line": 7, "content": "import requests" } ] }, { "rule": "network_call", "severity": "CRITICAL", "description": "Active network call during install", "file": "requests-2.33.1/tests/test_testserver.py", "match_count": 12, "matches": [ { "line": 23, "content": "sock = socket.socket()" }, { "line": 33, "content": "sock = socket.socket()" }, { "line": 39, "content": "new_sock = socket.socket()" }, { "line": 49, "content": "r = requests.get(f\"http://{host}:{port}\")" }, { "line": 58, "content": "r = requests.get(f\"http://{host}:{port}\")" } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/tests/test_utils.py", "match_count": 2, "matches": [ { "line": 12, "content": "from requests import compat" }, { "line": 14, "content": "from requests.cookies import RequestsCookieJar" } ] }, { "rule": "platform_detect", "severity": "LOW", "description": "Platform detection - may be targeting specific OS", "file": "requests-2.33.1/tests/test_utils.py", "match_count": 3, "matches": [ { "line": 847, "content": "@pytest.mark.skipif(os.name != \"nt\", reason=\"Test only on Windows\")" }, { "line": 900, "content": "@pytest.mark.skipif(os.name != \"nt\", reason=\"Test only on Windows\")" }, { "line": 961, "content": "@pytest.mark.skipif(os.name != \"nt\", reason=\"Test only on Windows\")" } ] }, { "rule": "network_import", "severity": "HIGH", "description": "Network library import - package may exfiltrate data during install", "file": "requests-2.33.1/tests/testserver/server.py", "match_count": 1, "matches": [ { "line": 2, "content": "import socket" } ] }, { "rule": "network_call", "severity": "CRITICAL", "description": "Active network call during install", "file": "requests-2.33.1/tests/testserver/server.py", "match_count": 2, "matches": [ { "line": 83, "content": "sock = socket.socket()" }, { "line": 172, "content": "sock = socket.socket()" } ] } ], "files_analyzed": [ "requests-2.33.1/pyproject.toml", "requests-2.33.1/setup.cfg", "requests-2.33.1/setup.py", "requests-2.33.1/src/requests/__init__.py", "requests-2.33.1/src/requests/__version__.py", "requests-2.33.1/src/requests/_internal_utils.py", "requests-2.33.1/src/requests/adapters.py", "requests-2.33.1/src/requests/api.py", "requests-2.33.1/src/requests/auth.py", "requests-2.33.1/src/requests/certs.py", "requests-2.33.1/src/requests/compat.py", "requests-2.33.1/src/requests/cookies.py", "requests-2.33.1/src/requests/exceptions.py", "requests-2.33.1/src/requests/help.py", "requests-2.33.1/src/requests/hooks.py", "requests-2.33.1/src/requests/models.py", "requests-2.33.1/src/requests/packages.py", "requests-2.33.1/src/requests/sessions.py", "requests-2.33.1/src/requests/status_codes.py", "requests-2.33.1/src/requests/structures.py", "requests-2.33.1/src/requests/utils.py", "requests-2.33.1/tests/__init__.py", "requests-2.33.1/tests/compat.py", "requests-2.33.1/tests/conftest.py", "requests-2.33.1/tests/test_adapters.py", "requests-2.33.1/tests/test_help.py", "requests-2.33.1/tests/test_hooks.py", "requests-2.33.1/tests/test_lowlevel.py", "requests-2.33.1/tests/test_packages.py", "requests-2.33.1/tests/test_requests.py", "requests-2.33.1/tests/test_structures.py", "requests-2.33.1/tests/test_testserver.py", "requests-2.33.1/tests/test_utils.py", "requests-2.33.1/tests/testserver/__init__.py", "requests-2.33.1/tests/testserver/server.py", "requests-2.33.1/tests/utils.py" ], "install_scripts": [ "requests-2.33.1/pyproject.toml", "requests-2.33.1/setup.cfg", "requests-2.33.1/setup.py", "requests-2.33.1/src/requests/__init__.py", "requests-2.33.1/tests/__init__.py", "requests-2.33.1/tests/conftest.py", "requests-2.33.1/tests/testserver/__init__.py" ], "metadata": {} } ], "risk_score": 179, "risk_level": "CRITICAL", "summary": [ "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/src/requests/__init__.py", "[CRITICAL] Active network call during install in requests-2.33.1/src/requests/__init__.py", "[HIGH] Dynamic code execution - can hide arbitrary payloads in requests-2.33.1/src/requests/_internal_utils.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/src/requests/adapters.py", "[CRITICAL] Active network call during install in requests-2.33.1/src/requests/adapters.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/src/requests/api.py", "[HIGH] Dynamic code execution - can hide arbitrary payloads in requests-2.33.1/src/requests/auth.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/src/requests/help.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/src/requests/models.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/src/requests/sessions.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/src/requests/status_codes.py", "[HIGH] Dynamic code execution - can hide arbitrary payloads in requests-2.33.1/src/requests/utils.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/src/requests/utils.py", "[CRITICAL] Environment variable credential harvesting in requests-2.33.1/src/requests/utils.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/tests/test_adapters.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/tests/test_hooks.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/tests/test_lowlevel.py", "[CRITICAL] Active network call during install in requests-2.33.1/tests/test_lowlevel.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/tests/test_packages.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/tests/test_requests.py", "[CRITICAL] Active network call during install in requests-2.33.1/tests/test_requests.py", "[CRITICAL] References to credential/secret file paths in requests-2.33.1/tests/test_requests.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/tests/test_testserver.py", "[CRITICAL] Active network call during install in requests-2.33.1/tests/test_testserver.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/tests/test_utils.py", "[HIGH] Network library import - package may exfiltrate data during install in requests-2.33.1/tests/testserver/server.py", "[CRITICAL] Active network call during install in requests-2.33.1/tests/testserver/server.py" ] }