Close Open Privacy Scan
App Privacy Score
Medium risk · 1611 finding(s)
Dependency score: 0 (High risk)
bar_chart Score Breakdown
list Scan Summary
swap_horiz Potential data exfiltration in application code
External domains:
0001:002:003:0004::11.2.3.4aiplatform.eu.rep.googleapis.comaiplatform.googleapis.comaiplatform.us.rep.googleapis.comapi.anthropic.comapi.eu.mistral.aiapi.github.comapi.groq.comapi.mistral.aiapi.netlify.comapi.openai.comapi.us.mistral.aiauth.openai.combjoern.hoehrmann.debugs.python.orgcdnjs.cloudflare.comclaude.googleapis.comcloud.google.comcode.activestate.comconsole.groq.comconsole.mistral.aicookbook.openai.comcreativecommons.orgcryptography.iocurl.sedatatracker.ietf.orgdeveloper.mozilla.orgdocs.anthropic.comdocs.cohere.aidocs.mathjax.orgdocs.mistral.aidocs.pydantic.devdocs.python.orgdocutils.sourceforge.netduckduckgo.comen.wikipedia.orgengineering.salesforce.comeventlet.readthedocs.ioexample-resource.azure.openai.comexample-resource.services.ai.azure.comflask.palletsprojects.comgit-scm.comgithub.bloggithub.comgithub.github.comgoogle.comgoogle.github.iohelp.openai.comhtml.duckduckgo.comhtml.spec.whatwg.orghttpbin.orghttpwg.orghuggingface.coimg.website.comjira.atlassian.comjson-schema.orgjsonlines.orglangchain.readthedocs.iolearn.microsoft.comlinks.duckduckgo.comlite.duckduckgo.commanagement.azure.commaruku.rubyforge.orgmichelf.commodel-spec.openai.commodelcontextprotocol.ionginx.orgnodatime.orgnull.python.orgocsp.verisign.comollama.comopenai.comopenaipublic.blob.core.windows.netopensource.orgopentelemetry.iopackaging.python.orgpartners.adobe.complatform.claude.complatform.openai.compygments.orgpypi.orgpypi.python.orgpython-markdown.github.iopython.example.orgpython.orgrequests.readthedocs.iosetuptools.readthedocs.iosome.hostnamespeakeasy.comspec.commonmark.orgstackoverflow.comsvrintl-g3-aia.verisign.comsvrintl-g3-crl.verisign.comtestca.pythontest.nettfhub.devtimeapi.iotools.ietf.orgtowardsdatascience.comtwitter.comtyping-extensions.readthedocs.iounpkg.comurllib3.readthedocs.iowebsockets.readthedocs.iowww.apache.orgwww.bing.comwww.blackhat.comwww.cacert.orgwww.cracker.comwww.ctan.orgwww.djangoproject.comwww.dnspython.orgwww.gevent.orgwww.github.comwww.gitlab.comwww.google.comwww.googleapis.comwww.iana.orgwww.itu.intwww.libpng.orgwww.linuxprogrammingblog.comwww.microsoft.comwww.openssl.orgwww.opentable.comwww.perl.orgwww.pyopenssl.orgwww.python.orgwww.rfc-editor.orgwww.sbert.netwww.w3.orgwwwsearch.sf.netyahoo.comzopecomponent.readthedocs.io
repo/src/services/github.py:10 → repo/src/services/github.py:11</> First-Party Code
first-party (python)
python first-party response = requests.get(
"https://api.github.com/user/repos", headers=headers
)
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
expand_more 30 low-confidence finding(s)
os.environ["TOKENIZERS_PARALLELISM"] = "false"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PROMPT = open("src/agents/action/prompt.jinja2", "r").read().strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PROMPT = open("src/agents/answer/prompt.jinja2", "r").read().strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PROMPT = open("src/agents/coder/prompt.jinja2", "r").read().strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_path, "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PROMPT = open("src/agents/decision/prompt.jinja2").read().strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PROMPT = open("src/agents/feature/prompt.jinja2", "r").read().strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_path, "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PROMPT = open("src/agents/formatter/prompt.jinja2").read().strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PROMPT = open("src/agents/internal_monologue/prompt.jinja2").read().strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PROMPT = open("src/agents/patcher/prompt.jinja2", "r").read().strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_path, "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PROMPT = open("src/agents/planner/prompt.jinja2").read().strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PROMPT = open("src/agents/reporter/prompt.jinja2").read().strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PROMPT = open("src/agents/researcher/prompt.jinja2").read().strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PROMPT = open("src/agents/runner/prompt.jinja2", "r").read().strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
RERUNNER_PROMPT = open("src/agents/runner/rerunner.jinja2", "r").read().strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
response = requests.get(self.bing_api_endpoint, headers=headers, params=params)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = requests.get(self.google_search_api_endpoint, params=params)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
resp = self.asession.request(method, url, data=data)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open("sample.config.toml", "r") as f_in, open("config.toml", "w+") as f_out:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("sample.config.toml", "r") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("config.toml", "r+") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("config.toml", "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("config.toml", "r+") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(out_file_path, "wb") as out_file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_path, 'r') as file_content:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.logger.pathName, "r") as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(root, filename), 'r') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
response = requests.get(
"https://api.github.com/user/repos", headers=headers
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
</> Dependencies
mistralai
python dependencyfrom opentelemetry.propagate import inject
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry import context as context_api
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry import trace
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.trace import Span, Status, StatusCode, set_span_in_context
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry import trace as otel_trace
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import opentelemetry.semconv._incubating.attributes.gen_ai_attributes as gen_ai_attributes
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import opentelemetry.semconv._incubating.attributes.http_attributes as http_attributes
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import opentelemetry.semconv.attributes.error_attributes as error_attributes
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import opentelemetry.semconv.attributes.server_attributes as server_attributes
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry import context as context_api
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry import propagate, trace
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.baggage import get_baggage
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.trace import Span, Status, StatusCode, Tracer, set_span_in_context
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.sdk.trace import ReadableSpan
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.sdk.trace.export import SpanExporter, SpanExportResult
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.sdk.resources import Resource
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.sdk.trace import Event, ReadableSpan
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.trace import Link, SpanKind, Status, StatusCode
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.util.types import AttributeValue
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry import trace as otel_trace
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.sdk.trace import TracerProvider as SDKTracerProvider
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.exporter.otlp.proto.http.trace_exporter import (
OTLPSpanExporter,
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.sdk.resources import Resource
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.sdk.trace import TracerProvider
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.sdk.trace.export import BatchSpanProcessor
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import opentelemetry.semconv._incubating.attributes.gen_ai_attributes as gen_ai_attributes
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry import trace
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
from opentelemetry.trace import Status, StatusCode
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expand_more 11 low-confidence finding(s)
env_value = os.getenv(env_key)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env_value = os.getenv(env_key)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.getenv("MISTRAL_DEBUG"):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.getenv("MISTRAL_API_KEY"):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
security_dict["api_key"] = os.getenv("MISTRAL_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env_value = os.getenv(env_key)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
response = await async_client.post(register_endpoint, json=registration_payload)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = httpx.get(
self._sse_params.url,
headers=self._format_headers(),
timeout=self._sse_params.timeout,
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
os.getenv("MISTRAL_SDK_DEBUG_TRACING", "false").lower() == "true"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env_value = os.getenv(MISTRAL_SDK_TELEMETRY_ENV)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return os.getenv(
MISTRAL_OTLP_TRACES_ENDPOINT_ENV,
MISTRAL_TELEMETRY_ENDPOINT,
).strip() or MISTRAL_TELEMETRY_ENDPOINT
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Flask-SocketIO
python dependencyexpand_more 1 low-confidence finding(s)
if os.environ.get('FLASK_RUN_FROM_CLI'):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
GitPython
python dependencyexpand_more 55 low-confidence finding(s)
with open(os.path.join(os.path.dirname(__file__), "..", "..", "VERSION")) as fd:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
GIT_PYTHON_TRACE = os.environ.get("GIT_PYTHON_TRACE", False)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
new_git = os.environ.get(cls._git_exec_env_var, cls.git_exec_name)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
mode = os.environ.get(cls._refresh_env_var, "raise").lower()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
stdout_sink = PIPE if with_stdout else getattr(subprocess, "DEVNULL", None) or open(os.devnull, "wb")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
config_home = os.environ.get("XDG_CONFIG_HOME") or osp.join(os.environ.get("HOME", "~"), ".config")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_path, "rb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fp, "wb") as fp_open:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return open(filepath, "rb")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self._commit_editmsg_filepath(), "wb") as commit_editmsg_file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self._commit_editmsg_filepath(), "rb") as commit_editmsg_file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(git_file, "wb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filepath, "rb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fd = open(filepath, "ab")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(cls._get_packed_refs_path(repo), "rt", encoding="UTF-8") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(repodir, ref_path), "rt", encoding="UTF-8") as fp: # type: ignore[arg-type]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(pack_file_path, "rb") as reader:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(pack_file_path, "wb") as fd:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(abs_ref_path, "rb") as fd:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(new_abs_path, "rb") as fd1:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(cur_abs_path, "rb") as fd2:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fetch_head.abspath, "rb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
epath = path or os.getenv("GIT_DIR")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if "GIT_WORK_TREE" in os.environ:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self._working_tree_dir = os.getenv("GIT_WORK_TREE")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(osp.join(git_dir, "gitdir")) as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.environ.get("GIT_COMMON_DIR") is None:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if "GIT_WORK_TREE" in os.environ:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self._working_tree_dir = os.getenv("GIT_WORK_TREE")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
common_dir = (Path(self.git_dir) / "commondir").read_text().splitlines()[0].strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, "rb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, "wb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
config_home = os.environ.get("XDG_CONFIG_HOME") or osp.join(os.environ.get("HOME", "~"), ".config")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(alternates_path, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(alternates_path, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(rebase_head_file, "rt") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, "ab"):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (osp.isdir(osp.join(d, "objects")) or "GIT_OBJECT_DIRECTORY" in os.environ) and osp.isdir(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
lines = Path(dotgit).read_text().splitlines()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(d) as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
value = os.environ[name]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
old_value = os.getenv(name)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ[name] = value
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
del os.environ[name]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ[name] = old_value
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PATHEXT = os.environ.get("PATHEXT", None)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
path = os.environ["PATH"]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
val = os.environ[evar]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(lock_file, mode="w"):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return (Path(__file__).parent / path).read_text(encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Jinja2
python dependencyexpand_more 7 low-confidence finding(s)
f = open(filename, "rb")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
code = self.client.get(self.prefix + bucket.key)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(os.path.join(target, filename), "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
real_fp: t.IO[bytes] = open(fp, "wb")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, encoding=self.encoding) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(p, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return open(filename, mode)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Markdown
python dependencyexpand_more 4 low-confidence finding(s)
with open(
options.configfile, mode="r", encoding=options.encoding
) as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
input_file = open(input, mode="r", encoding=encoding)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(infile, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(outfile, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
anthropic
python dependencyexpand_more 122 low-confidence finding(s)
anthropic = Anthropic(api_key=os.environ.get("ANTHROPIC_API_KEY"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
print("Created environment:", environment.id)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print("Created agent:", agent.id)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print("Created session:", session.id)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print(event.to_json(indent=2))
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
anthropic = Anthropic(api_key=os.environ.get("ANTHROPIC_API_KEY"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
github_token = os.environ.get("GITHUB_TOKEN")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
print("Created environment:", environment.id)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print("Created vault:", vault.id)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print("Created credential:", credential.id)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
with open(skill_md_path, "rb") as skill_file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
print("Created skill:", skill.id)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print("Created agent v1:", agent_v1.id)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print("Patched agent to v2:", agent.id)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print("Agent versions:", versions.data)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print("Created session:", session.id)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print(event.to_json(indent=2))
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
anthropic = Anthropic(api_key=os.environ.get("ANTHROPIC_API_KEY"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
print("Created environment:", environment.id)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print("Created agent:", agent.id)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print("Uploaded file:", file.id)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print("Created session:", session.id)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print("Listed session resources:", resources.data)
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
print(event.to_json(indent=2))
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
val = os.environ.get(name)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workdir = os.environ.get("ANTHROPIC_WORKDIR", ".")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
val = os.environ.get(name)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workdir = os.environ.get("ANTHROPIC_WORKDIR", ".")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
identity_token_provider=lambda: os.environ["ANTHROPIC_IDENTITY_TOKEN"],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await self._client.request(self._page_cls, self._options)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
if api_key is not None and os.environ.get("ANTHROPIC_API_KEY"):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if auth_token is not None and os.environ.get("ANTHROPIC_AUTH_TOKEN"):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_key = os.environ.get("ANTHROPIC_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
auth_token = os.environ.get("ANTHROPIC_AUTH_TOKEN")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
webhook_key = os.environ.get("ANTHROPIC_WEBHOOK_SIGNING_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = os.environ.get("ANTHROPIC_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
custom_headers_env = os.environ.get("ANTHROPIC_CUSTOM_HEADERS")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_key = os.environ.get("ANTHROPIC_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
auth_token = os.environ.get("ANTHROPIC_AUTH_TOKEN")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
webhook_key = os.environ.get("ANTHROPIC_WEBHOOK_SIGNING_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = os.environ.get("ANTHROPIC_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
custom_headers_env = os.environ.get("ANTHROPIC_CUSTOM_HEADERS")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return (path.name, path.read_bytes())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return pathlib.Path(file).read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return (path.name, await path.read_bytes())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await anyio.Path(file).read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file, mode="wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file, mode="wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
extra="allow", defer_build=coerce_boolean(os.environ.get("DEFER_PYDANTIC_BUILD", "true"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file, mode="wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file, mode="wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.get("ANTHROPIC_LOG")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
binary = data.read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
binary = await anyio.Path(data).read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
contents = Path(path).read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
files.append((path.relative_to(relative_to).as_posix(), path.read_bytes()))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
files.append((path.relative_to(relative_to).as_posix(), await path.read_bytes()))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
value = os.environ.get(var)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return os.environ.get("AWS_REGION") or os.environ.get("AWS_DEFAULT_REGION")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
aws_region = os.environ.get("AWS_REGION")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_key = os.environ.get("AWS_BEARER_TOKEN_BEDROCK")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = os.environ.get("ANTHROPIC_BEDROCK_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_key = os.environ.get("AWS_BEARER_TOKEN_BEDROCK")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = os.environ.get("ANTHROPIC_BEDROCK_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = os.environ.get("ANTHROPIC_BEDROCK_MANTLE_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
federation_rule_id = os.environ.get(ENV_FEDERATION_RULE_ID)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
organization_id = os.environ.get(ENV_ORGANIZATION_ID)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
has_literal_token = ENV_IDENTITY_TOKEN in os.environ
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
value = os.environ.get(ENV_IDENTITY_TOKEN)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
service_account_id=os.environ.get(ENV_SERVICE_ACCOUNT_ID),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workspace_id=os.environ.get(ENV_WORKSPACE_ID) or None,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
scope=os.environ.get(ENV_SCOPE),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.environ.get(ENV_API_KEY):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
auth_token = os.environ.get(ENV_AUTH_TOKEN)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env_explicit = bool(os.environ.get(ENV_PROFILE) or os.environ.get(ENV_CONFIG_DIR))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.get(ENV_CONFIG_DIR)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
appdata = os.environ.get("APPDATA")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
name = (_config_dir() / "active_config").read_text(encoding="utf-8").strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.get(ENV_PROFILE)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.get(ENV_IDENTITY_TOKEN_FILE)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.environ.get(ENV_PROFILE) or os.environ.get(ENV_CONFIG_DIR):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.environ.get(ENV_FEDERATION_RULE_ID) and os.environ.get(ENV_ORGANIZATION_ID):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.environ.get(ENV_IDENTITY_TOKEN_FILE) or os.environ.get(ENV_IDENTITY_TOKEN):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
v = os.environ.get(env_var)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
v = os.environ.get(ENV_IDENTITY_TOKEN_FILE)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
value = os.environ.get(self._env_var)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = self._config_path.read_text(encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
creds: Dict[str, Any] = _wrap_secret_fields(json.loads(path.read_text(encoding="utf-8")))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
resp = self._get_http_client().post(
f"{self._base_url}{TOKEN_ENDPOINT}",
# Serialized inline so the raw request bytes are never bound
# to a local here; SecretStr values unwrap at dump time.
content=_json_dumps_secrets(body),
headers={
"Content-Type": "application/json",
# oauth-2025-04-20 unlocks the token endpoint family. Do
# NOT send oidc-federation-2026-04-01 — that's a routing
# switch that misroutes refresh_token grants to the Go
# userauth handler, which only accepts jwt-bearer.
"anthropic-beta": OAUTH_API_BETA_HEADER,
"User-Agent": _user_agent(),
},
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
content = self._path.read_text(encoding="utf-8").strip()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
resp = self._http_client.post(
url,
# Serialized inline so the raw request bytes are never bound
# to a local here; SecretStr values unwrap at dump time.
content=_json_dumps_secrets(body),
headers={
"anthropic-beta": _JWT_BEARER_BETA_HEADER,
"Content-Type": "application/json",
"User-Agent": _user_agent(),
},
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
resolved = value or os.environ.get(env_var)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_key = api_key if api_key is not None else os.environ.get("ANTHROPIC_FOUNDRY_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
resource = resource if resource is not None else os.environ.get("ANTHROPIC_FOUNDRY_RESOURCE")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = base_url if base_url is not None else os.environ.get("ANTHROPIC_FOUNDRY_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_key = api_key if api_key is not None else os.environ.get("ANTHROPIC_FOUNDRY_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
resource = resource if resource is not None else os.environ.get("ANTHROPIC_FOUNDRY_RESOURCE")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = base_url if base_url is not None else os.environ.get("ANTHROPIC_FOUNDRY_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
location = os.environ.get("ANTHROPIC_GOOGLE_CLOUD_LOCATION")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
project = os.environ.get("ANTHROPIC_GOOGLE_CLOUD_PROJECT")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
project = os.environ.get("GOOGLE_CLOUD_PROJECT")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = os.environ.get("ANTHROPIC_GOOGLE_CLOUD_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workspace_id = os.environ.get("ANTHROPIC_GOOGLE_CLOUD_WORKSPACE_ID")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
location = os.environ.get("ANTHROPIC_GOOGLE_CLOUD_LOCATION")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
project = os.environ.get("ANTHROPIC_GOOGLE_CLOUD_PROJECT")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
project = os.environ.get("GOOGLE_CLOUD_PROJECT")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = os.environ.get("ANTHROPIC_GOOGLE_CLOUD_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workspace_id = os.environ.get("ANTHROPIC_GOOGLE_CLOUD_WORKSPACE_ID")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return full_path.read_text(encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await full_path.read_text(encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with zf.open(info) as src, open(target, "wb") as out:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with extracted as src, open(target, "wb") as out:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return {k: v for k, v in os.environ.items() if not k.startswith("ANTHROPIC_")}
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
text = target.read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
target.write_text(content)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
text = target.read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
target.write_text(updated)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
project_id = os.environ.get("ANTHROPIC_VERTEX_PROJECT_ID")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
region = os.environ.get("CLOUD_ML_REGION", NOT_GIVEN)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = os.environ.get("ANTHROPIC_VERTEX_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
region = os.environ.get("CLOUD_ML_REGION", NOT_GIVEN)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = os.environ.get("ANTHROPIC_VERTEX_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
colorama
python dependencyexpand_more 1 low-confidence finding(s)
if 'PYCHARM_HOSTED' in os.environ:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
curl_cffi
python dependencyexpand_more 14 low-confidence finding(s)
with open(output_path, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
files[field_name] = open(filepath, "rb") # noqa: SIM115
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filepath) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filepath) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
path = os.environ.get(env_var)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ.get("REQUESTS_CA_BUNDLE")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
or os.environ.get("CURL_CA_BUNDLE")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
or os.environ.get("CIBW_PLATFORM") == "android"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
or os.environ.get("ANDROID_ROOT")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
or os.environ.get("ANDROID_DATA")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
or os.environ.get("TERMUX_VERSION")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(Path(__file__).parent.parent / "libs.json") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if "CI" in os.environ:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(root_dir / "ffi/cdef.c") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
duckduckgo-search
python dependencyexpand_more 5 low-confidence finding(s)
with open(jsonfile, "w", encoding="utf-8") as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(csvfile, "w", newline="", encoding="utf-8") as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(dir_path, filename[:200]), "wb") as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ddgs_proxy: str | None = os.environ.get("DDGS_PROXY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
resp = self.client.request(
method,
url,
params=params,
content=content,
data=data,
headers=headers,
cookies=cookies,
json=json,
timeout=timeout or self.timeout,
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
eventlet
python dependencyexpand_more 20 low-confidence finding(s)
if os.environ.get("EVENTLET_TESTS") is None:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self._pool.put(self)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(filename) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = open(path, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = copy.deepcopy(os.environ)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.environ.get("EVENTLET_NO_GREENDNS", '').lower() != 'yes':
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(name, mode) as fd:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
mod = os.environ.get('EVENTLET_HUB', None)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if "PYTEST_CURRENT_TEST" in os.environ:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(sys.argv[0]) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (os.environ.get('EVENTLET_DEPRECATED_EAI_NODATA', '').lower() in ('1', 'y', 'yes')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.fname, 'rb') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
_nthreads = int(os.environ.get('EVENTLET_THREADPOOL_SIZE', 20))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return [open(os.path.join(
os.path.dirname(__file__),
'websocket_chat.html')).read() % dict(port=port)]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
d = feedparser.parse(url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
data = urlopen(url).read().decode()
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return [open(os.path.join(
os.path.dirname(__file__),
'websocket.html')).read()]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return [open(html_path).read() % {'port': PORT}]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fastlogging
python dependencyexpand_more 9 low-confidence finding(s)
self.F = open(pathName, "a", encoding=Logger.encoding)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path_join(dirName, dstFileName), "wb") as Z:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Z.write(Logger.compress[0].compress(open(pathName, "rb").read()))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.F = open(pathName, "a", encoding=Logger.encoding)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tree = ast.parse(open(fileName).read())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.splitext(fileName)[0] + ".pyc", 'wb') as F:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path_out, 'w') as fobj:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
for line in open(path_in):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(BASEDIR, 'README.rst'), encoding='utf-8') as F:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
flask
python dependencyexpand_more 21 low-confidence finding(s)
return open(path, mode) # pyright: ignore
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return open(path, mode, encoding=encoding)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return open(path, mode)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return open(path, mode, encoding=encoding)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.environ.get("FLASK_RUN_FROM_CLI") == "true":
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if "FLASK_DEBUG" in os.environ:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return open(path, mode) # pyright: ignore
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return open(path, mode, encoding=encoding)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ["FLASK_DEBUG"] = "1" if value else "0"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ["FLASK_RUN_FROM_CLI"] = "true"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if key in os.environ or value is None:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ[key] = value
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
startup = os.environ.get("PYTHONSTARTUP")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(startup) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
rv = os.environ.get(variable_name)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
for key in sorted(os.environ):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
value = os.environ[key]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, mode="rb") as config_file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, "r" if text else "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
val = os.environ.get("FLASK_DEBUG")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
val = os.environ.get("FLASK_SKIP_DOTENV")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
gevent
python dependencyexpand_more 996 low-confidence finding(s)
cflags = _distutils_cflags + ((' ' + os.environ['CFLAGS']) if os.environ.get("CFLAGS") else '')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if 'GEVENT_MANYLINUX' in os.environ:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('configure-output.txt', 'r') as t:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.environ.get('GEVENTSETUP_EV_VERIFY') is not None:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
('EV_VERIFY', os.environ['GEVENTSETUP_EV_VERIFY']))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
RUNNING_ON_TRAVIS = os.environ.get('TRAVIS')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
RUNNING_ON_APPVEYOR = os.environ.get('APPVEYOR')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
RUNNING_ON_GITHUB_ACTIONS = os.environ.get('GITHUB_ACTIONS')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(THIS_DIR, *names)) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
value = os.environ.get(key)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = env or os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
','.join([k for k in os.environ
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['PURE_PYTHON'] = '1'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data = requests.get(url).text
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.pool.put(item)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
os.environ['DJANGO_SETTINGS_MODULE'] = 'webchat.settings'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
response = urllib2.urlopen(path)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(fname) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
response = requests.get(url, headers=make_auth_headers())
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = requests.get(url, headers=make_auth_headers())
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = requests.get(url, headers=headers, stream=True)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(filename, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, 'rb') as fzip:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if not os.environ.get('PYTHON_EXE'):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['PYTHON_EXE'] = 'pypy' if PYPY else 'python'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if not os.environ.get('PYEXE'):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['PYEXE'] = os.environ['PYTHON_EXE']
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.getenv('READTHEDOCS'):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
new_path = os.environ['PATH'] + os.pathsep + os.path.dirname(sys.executable)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['PATH'] = new_path
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
GLOBAL_PURE_PYTHON = bool(PYPY or os.environ.get('PURE_PYTHON'))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
_GEVENT_PURE_PYTHON = os.environ.get('GEVENT_PURE_PYTHON')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
result = os.environ.get(self.environment_key, self.default)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
GEVENT_DEBUG_LEVEL = vars()[os.getenv("GEVENT_DEBUG", 'CRITICAL').upper()]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(thisdir, name), 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(thisdir, name), 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DISABLE_QUEUE_PATCH = os.environ.get('GEVENT_MONKEY_DISABLE_QUEUE_QUEUE', 'false')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.fname, 'rb') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
comspec = os.environ.get("COMSPEC", "cmd.exe")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if not os.environ.get('GEVENT_TEST_SKIP_COVERAGE'):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(test_filename, encoding='utf-8') as module_file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
remove_file = not os.environ.get('GEVENT_DEBUG')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(tmpname) as fobj: # pylint:disable=unspecified-encoding
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if 'thread' in os.getenv('GEVENT_FILE', ''):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
resource_str = os.environ.get('GEVENTTEST_USE_RESOURCES')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
CFFI_BACKEND = PYPY or LIBUV or 'cffi' in os.getenv('GEVENT_LOOP', '')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
RUN_LEAKCHECKS = os.getenv('GEVENTTEST_LEAKCHECK')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
RUN_COVERAGE = os.getenv("COVERAGE_PROCESS_START") or os.getenv("GEVENTTEST_COVERAGE")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
RUNNING_ON_GITHUB_ACTIONS = os.environ.get('GITHUB_ACTIONS')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
RUNNING_ON_TRAVIS = os.environ.get('TRAVIS') or RUNNING_ON_GITHUB_ACTIONS
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
RUNNING_ON_APPVEYOR = os.environ.get('APPVEYOR')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
RUNNING_ON_MANYLINUX = os.environ.get('GEVENT_MANYLINUX')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
RUNNING_ON_MUSLLINUX = 'musllinux' in os.environ.get('GEVENT_MANYLINUX_NAME', '')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
RESOLVER_ARES = os.getenv('GEVENT_RESOLVER') == 'ares'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
RESOLVER_DNSPYTHON = os.getenv('GEVENT_RESOLVER') == 'dnspython'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DEFAULT_NWORKERS = int(os.environ.get('NWORKERS') or max(AVAIL_NWORKERS, 4))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(abs_filename, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(_package_relative_filename(filename, package)) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return not bool(os.environ.get(key))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['PYTHONWARNINGS'] = ','.join(defaults + [
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['PYTHONFAULTHANDLER'] = 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['GEVENT_DEBUG'] = 'debug'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['PYTHONTRACEMALLOC'] = '10'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['PYTHONDEVMODE'] = '1'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['PYTHONMALLOC'] = 'debug'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['PYTHONMALLOC'] = 'default'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['PYTHONDEVMODE'] = ''
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ.pop('PYTHONSAFEPATH', None)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
k: os.environ[k]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
for k in os.environ
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['GEVENTTEST_USE_RESOURCES'] = unparse_resources(options.use)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if 'GEVENTTEST_QUIET' not in os.environ:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['GEVENTTEST_QUIET'] = str(options.quiet)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if options.coverage or os.environ.get("GEVENTTEST_COVERAGE"):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cov_config = os.environ['COVERAGE_PROCESS_START'] = os.path.abspath(".coveragerc")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cov_config = os.environ['COVERAGE_PROCESS_START'] = os.path.abspath(".coveragerc-pypy")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['PYTHONPATH'] = site_dir + os.pathsep + os.environ.get("PYTHONPATH", "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['COVERAGE_FILE'] = os.path.abspath(".") + os.sep + ".coverage"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
print("Enabling coverage to", os.environ['COVERAGE_FILE'],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(options.config) as f: # pylint:disable=unspecified-encoding
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['PYTHONPATH'] = os.environ.get('PYTHONPATH', "") + os.pathsep + package_dir
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
QUIET = validate_bool(os.environ.get('GEVENTTEST_QUIET', '0'))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = (env or os.environ).copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if not os.environ.get('DO_NOT_SETPGRP'):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = env.copy() if env else os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if 'PYTHONPATH' not in os.environ:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
path = os.environ['PYTHONPATH']
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'wb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as body:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.conn = client.HTTPSConnection(HOST, self.port,
source_address=('', self.source_port))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection(HOST, TimeoutTest.PORT, timeout=30)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443,
context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('www.python.org', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection(selfsigned_pythontestdotnet, 443,
context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port,
context=context, check_hostname=True)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port,
context=context, check_hostname=False)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port,
context=context, check_hostname=True)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
c = client.HTTPSConnection(hp)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443, context=context,
cert_file=CERT_localhost)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(os_helper.TESTFN, "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("/dev/vsock", "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = open("/proc/modules", encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, 'wb'):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(filename, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, encoding="utf-8") as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("/etc/os-release", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_NEURONIO) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CERTFILE, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = urllib.request.urlopen(url, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(os_helper.TESTFN, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fname) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with unittest.mock.patch.dict(os.environ):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['SSLKEYLOGFILE'] = os_helper.TESTFN
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.assertEqual(os.environ['SSLKEYLOGFILE'], os_helper.TESTFN)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ, user=2**64)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ, group=2**64)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fd, "w", errors="surrogateescape") as fobj:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fd, "w", errors="surrogateescape") as fobj:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
open(os.devnull, 'wb') as dev_null:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.devnull, 'w') as null:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'w', encoding='utf-8') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os_environ = dict(os.environ.items())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(req_file, 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(cert_file, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(key_file, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','index.txt'),'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','crl.txt'),'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','index.txt.attr'),'w+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','serial'), 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('ssl_cert.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('ssl_key.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert.passwd.pem', 'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert2.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert3.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert4.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycertecc.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('allsans.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('idnsans.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('nosan.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'wb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as body:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.conn = client.HTTPSConnection(HOST, self.port,
source_address=('', self.source_port))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection(HOST, TimeoutTest.PORT, timeout=30)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443,
context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('www.python.org', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection(selfsigned_pythontestdotnet, 443,
context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port,
context=context, check_hostname=True)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port,
context=context, check_hostname=False)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port,
context=context, check_hostname=True)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
c = client.HTTPSConnection(hp)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443, context=context,
cert_file=CERT_localhost)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(os_helper.TESTFN, "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("/dev/vsock", "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = open("/proc/modules", encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, 'wb'):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(filename, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, encoding="utf-8") as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("/etc/os-release", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_NEURONIO) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = urllib.request.urlopen(url, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(os_helper.TESTFN, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fname) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with unittest.mock.patch.dict(os.environ):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['SSLKEYLOGFILE'] = os_helper.TESTFN
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.assertEqual(os.environ['SSLKEYLOGFILE'], os_helper.TESTFN)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ, user=2**64)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ, group=2**64)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fd, "w", errors="surrogateescape") as fobj:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fd, "w", errors="surrogateescape") as fobj:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
open(os.devnull, 'wb') as dev_null:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.devnull, 'w') as null:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'w', encoding='utf-8') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os_environ = dict(os.environ.items())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(req_file, 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(cert_file, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(key_file, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','index.txt'),'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','crl.txt'),'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','index.txt.attr'),'w+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','serial'), 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('ssl_cert.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('ssl_key.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert.passwd.pem', 'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert2.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert3.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert4.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycertecc.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('allsans.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('idnsans.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('nosan.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as body:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.conn = client.HTTPSConnection(HOST, self.port,
source_address=('', self.source_port))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection(HOST, TimeoutTest.PORT, timeout=30)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443,
context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('www.python.org', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection(selfsigned_pythontestdotnet, 443,
context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
c = client.HTTPSConnection(hp)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(os_helper.TESTFN, "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return wrapped, open(r, encoding='utf-8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(w, 'w') as spipe:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, 'w', encoding='utf-8') as outfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("/dev/vsock", "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = open("/proc/modules", encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, 'wb'):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(filename, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, encoding="utf-8") as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("/etc/os-release", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_NEURONIO) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = urllib.request.urlopen(url, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(os_helper.TESTFN, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fname) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with unittest.mock.patch.dict(os.environ):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['SSLKEYLOGFILE'] = os_helper.TESTFN
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.assertEqual(os.environ['SSLKEYLOGFILE'], os_helper.TESTFN)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ, user=2**64)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ, group=2**64)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fd, "w", errors="surrogateescape") as fobj:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fd, "w", errors="surrogateescape") as fobj:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
open(os.devnull, 'wb') as dev_null:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.devnull, 'w') as null:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'w', encoding='utf-8') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, 'w') as outfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os_environ = dict(os.environ.items())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(req_file, 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(cert_file, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(key_file, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','index.txt'),'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','crl.txt'),'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','index.txt.attr'),'w+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','serial'), 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('ssl_cert.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('ssl_key.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert.passwd.pem', 'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert2.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert3.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert4.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycertecc.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('allsans.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('idnsans.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('nosan.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as body:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.conn = client.HTTPSConnection(HOST, self.port,
source_address=('', self.source_port))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection(HOST, TimeoutTest.PORT, timeout=30)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443,
context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('www.python.org', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection(selfsigned_pythontestdotnet, 443,
context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
c = client.HTTPSConnection(hp)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(os_helper.TESTFN, "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return wrapped, open(r, encoding='utf-8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(w, 'w') as spipe:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, 'w', encoding='utf-8') as outfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("/dev/vsock", "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = open("/proc/modules", encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, 'wb'):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(filename, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, encoding="utf-8") as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("/etc/os-release", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_NEURONIO) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = urllib.request.urlopen(url, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(os_helper.TESTFN, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SINGED_CERTFILE_ONLY) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fname) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with unittest.mock.patch.dict(os.environ):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['SSLKEYLOGFILE'] = os_helper.TESTFN
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.assertEqual(os.environ['SSLKEYLOGFILE'], os_helper.TESTFN)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ, user=2**64)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ, group=2**64)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fd, "w", errors="surrogateescape") as fobj:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fd, "w", errors="surrogateescape") as fobj:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
open(os.devnull, 'wb') as dev_null:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.devnull, 'w') as null:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'w', encoding='utf-8') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os_environ = dict(os.environ.items())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(req_file, 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(cert_file, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(key_file, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','index.txt'),'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','crl.txt'),'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','index.txt.attr'),'w+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','serial'), 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path + '.reference', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('ssl_cert.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('ssl_key.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert.passwd.pem', 'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert2.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert3.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert4.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycertecc.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('allsans.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('idnsans.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('nosan.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return wrapped, open(r, encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(w, 'w', encoding="utf-8") as spipe:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, 'rb') as chan:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, 'rb') as chan:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, 'rb') as chan:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, 'rb') as chan:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, 'rb') as chan:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, 'rb') as chan:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(w, 'w', encoding="utf-8") as spipe:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, encoding="utf-8") as outfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(w, 'w', encoding="utf-8") as spipe:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, encoding="utf-8") as outfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(w, 'w', encoding="utf-8") as spipe:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, encoding="utf-8") as outfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as body:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.conn = client.HTTPSConnection(HOST, self.port,
source_address=('', self.source_port))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection(HOST, TimeoutTest.PORT, timeout=30)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443,
context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('www.python.org', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection(selfsigned_pythontestdotnet, 443,
context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
c = client.HTTPSConnection(hp)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(os_helper.TESTFN, "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ = os_helper.EnvironmentVarGuard()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ.__exit__()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.connection.request(method, uri, body, headers)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.connection = http.client.HTTPSConnection(
self.HOST, self.PORT, context=context
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.connection.request(method, uri, body, headers)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(tempname, 'wb') as temp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fullpath, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(self.tempdir_name, 'index.html'), 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.nocgi_path, 'w', encoding='utf-8') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.file1_path, 'w', encoding='utf-8') as file1:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.file2_path, 'w', encoding='utf-8') as file2:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.file3_path, 'w', encoding='utf-8') as file3:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.file4_path, 'w', encoding='utf-8') as file4:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.file5_path, 'w', encoding='utf-8') as file5:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.file6_path, 'w', encoding='utf-8') as file6:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['SERVER_SOFTWARE'] = signature
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("/dev/vsock", "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = open("/proc/modules", encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, 'wb'):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(filename, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, encoding="utf-8") as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN) as log:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'a') as log:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'a') as log:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(data_file('keycert.pem.reference')) as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(data_file('keycert3.pem.reference')) as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("/etc/os-release", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_NEURONIO) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = urllib.request.urlopen(url, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(os_helper.TESTFN, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SINGED_CERTFILE_ONLY) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fname) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with unittest.mock.patch.dict(os.environ):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['SSLKEYLOGFILE'] = os_helper.TESTFN
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.assertEqual(os.environ['SSLKEYLOGFILE'], os_helper.TESTFN)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ, user=2**64)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ, group=2**64)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fd, "w", errors="surrogateescape") as fobj:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fd, "w", errors="surrogateescape") as fobj:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
open(os.devnull, 'wb') as dev_null:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.devnull, 'w') as null:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'w', encoding='utf-8') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = open(os_helper.TESTFN, 'wb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.returned_obj = urllib.request.urlopen("file:%s" % self.quoted_pathname)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
for k in list(os.environ):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self._saved_env = os.environ
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ = collections.OrderedDict()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ = self._saved_env
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['no_proxy'] = ''
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['No_Proxy'] = 'localhost'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['http_proxy'] = ''
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['HTTP_PROXY'] = 'http://somewhere:3128'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['no_proxy'] = 'localhost, noproxy.com, my.proxy:1234'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['No_Proxy'] = 'xyz.com'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['http_proxy'] = 'http://somewhere:3128'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['Http_Proxy'] = 'http://somewhereelse:3128'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fp = urllib.request.urlopen("http://python.org/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
fp = urllib.request.urlopen(url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
resp = urllib.request.urlopen("http://www.python.org")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(f"http:{schemeless_url}")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(f"https:{schemeless_url}")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(f"http:{schemeless_url}")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(f"https:{schemeless_url}")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen("http://python.org/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen("http://python.org/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen("http://something")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with urllib.request.urlopen(tmp_fileurl) as fobj:
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(tmp_fileurl)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(self.text_url))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(self.text_url_base64))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.image_url_resp = self.enterContext(urllib.request.urlopen(self.image_url))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
FILE = open(os_helper.TESTFN, 'wb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
FILE = open(second_temp, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with urllib.request.urlopen(file_url) as f:
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.assertEqual(Request(url,
headers={"Spam-eggs": "blah"}
).headers["Spam-eggs"], "blah")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.assertEqual(Request(url,
headers={"spam-EggS": "blah"}
).headers["Spam-eggs"], "blah")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(url, headers={"Spam-eggs": "blah"})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return Request("http://blah/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
f = open(TESTFN, "wb")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = open(TESTFN, "wb")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
req = Request("http://example.com/","badpost")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/", data)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(file_path, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
req = Request("http://example.com/", f, {})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(file_path, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
req = Request("http://example.com/", f, {"Content-Length": 30})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/", file_obj, {})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/", file_obj, headers)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/", proc.stdout, headers)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/", iterable_body(), headers)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = h.do_request_(Request("http://example.com/", ()))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/", iterable_array, headers)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
r = Request('http://example.com')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
r = Request('http://www.example.com')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(weird_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(url_without_path)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(from_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(from_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
fp = urllib.request.urlopen("http://python.org/path")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = opener.open('http://example.com/')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(from_url, method="HEAD")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://acme.example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://www.perl.org/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://www.python.org")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://www.python.org")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("https://www.example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("https://www.example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
opener.open(request_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
opener.open(request_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
opener.open(request_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
opener.open(request_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
opener.open(request_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://dummy/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://dummy/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.get = Request("http://www.python.org/~jeremy/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.post = Request("http://www.python.org/~jeremy/",
"data",
headers={"X-Test": "test"})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.head = Request("http://www.python.org/~jeremy/", method='HEAD')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://www.python.org/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://www.%70ython.org/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://www.python.org/?qs=query#fragment=true")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://www.python.org/#fun=true")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.assertTrue(urllib.request.urlopen(self.server_url))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(self.server_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
os.environ.clear()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ.update(old_environ)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.addCleanup(restore_environ, os.environ.copy())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['NO_PROXY'] = ''
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['no_proxy'] = ''
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.opener.open(self.URL)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.opener.open(self.URL)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with self.opener.open(self.URL) as result:
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
result = self.opener.open(self.URL)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
os.environ.clear()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ.update(old_environ)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.addCleanup(restore_environ, os.environ.copy())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['NO_PROXY'] = '*'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['no_proxy'] = '*'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = urllib.request.urlopen(url, data, **kwargs)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with urllib.request.urlopen(req):
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with urllib.request.urlopen(req):
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with urllib.request.urlopen("http://localhost:%s" % handler.port) as open_url:
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
open_url = urllib.request.urlopen(
"http://localhost:%s" % handler.port)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
open_url = urllib.request.urlopen("http://localhost:%s" % handler.port)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
data = urllib.request.urlopen("http://localhost:%s" % handler.port)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
data = urllib.request.urlopen("http://localhost:%s" % handler.port)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
opener.open(request, "1".encode("us-ascii"))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
opener.open(request, "1234567890".encode("us-ascii"))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
os_environ = dict(os.environ.items())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(req_file, 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(cert_file, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(key_file, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','index.txt'),'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','crl.txt'),'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','index.txt.attr'),'w+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join('cadir','serial'), 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path + '.reference', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('ssl_cert.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('ssl_key.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert.passwd.pem', 'a+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert2.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert3.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycert4.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('keycertecc.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('allsans.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('idnsans.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('nosan.pem', 'w') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return wrapped, open(r, encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(w, 'w', encoding="utf-8") as spipe:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, 'rb') as chan:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, 'rb') as chan:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, 'rb') as chan:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, 'rb') as chan:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, 'rb') as chan:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, 'rb') as chan:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(w, 'w', encoding="utf-8") as spipe:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, encoding="utf-8") as outfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(w, 'w', encoding="utf-8") as spipe:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, encoding="utf-8") as outfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(w, 'w', encoding="utf-8") as spipe:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(r, encoding="utf-8") as outfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as body:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.conn = client.HTTPSConnection(HOST, self.port,
source_address=('', self.source_port))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection(HOST, TimeoutTest.PORT, timeout=30)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443,
context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('www.python.org', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection(selfsigned_pythontestdotnet, 443,
context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('self-signed.pythontest.net', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', server.port, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
c = client.HTTPSConnection(hp)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
h = client.HTTPSConnection('localhost', 443, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(os_helper.TESTFN, "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ = os_helper.EnvironmentVarGuard()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ.__exit__()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.connection.request(method, uri, body, headers)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.connection = http.client.HTTPSConnection(
self.HOST, self.PORT, context=context
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.connection.request(method, uri, body, headers)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(tempname, 'wb') as temp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fullpath, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(self.tempdir_name, 'index.html'), 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(self.tempdir_name, 'index.html'), 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.tls_password_file, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.served_filename, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.tls_password_file, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with urllib.request.urlopen(req, context=context) as res:
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(__file__, 'rb') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("/dev/vsock", "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = open("/proc/modules", encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, 'wb'):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(filename, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
file = open(os_helper.TESTFN, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, encoding="utf-8") as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN) as log:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'a') as log:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'a') as log:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(data_file('keycert.pem.reference')) as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(data_file('keycert3.pem.reference')) as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("/etc/os-release", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT, 'r') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_NEURONIO) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CAFILE_CACERT) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = urllib.request.urlopen(url, context=context)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(os_helper.TESTFN, 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__, "rb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SIGNING_CA) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(SINGED_CERTFILE_ONLY) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fname) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with unittest.mock.patch.dict(os.environ):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['SSLKEYLOGFILE'] = os_helper.TESTFN
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.assertEqual(os.environ['SSLKEYLOGFILE'], os_helper.TESTFN)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ, user=2**64)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ, group=2**64)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd=os.curdir, env=os.environ,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fd, "w", errors="surrogateescape") as fobj:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fd, "w", errors="surrogateescape") as fobj:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(os.devnull, "r+") as inout:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
open(os.devnull, 'wb') as dev_null:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.devnull, 'w') as null:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
newenv = os.environ.copy()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os_helper.TESTFN, 'w', encoding='utf-8') as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = open(os_helper.TESTFN, 'wb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.returned_obj = urllib.request.urlopen("file:%s" % self.quoted_pathname)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
for k in list(os.environ):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self._saved_env = os.environ
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ = collections.OrderedDict()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ = self._saved_env
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['no_proxy'] = ''
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['No_Proxy'] = 'localhost'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['http_proxy'] = ''
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['HTTP_PROXY'] = 'http://somewhere:3128'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['no_proxy'] = 'localhost, noproxy.com, my.proxy:1234'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['No_Proxy'] = 'xyz.com'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['http_proxy'] = 'http://somewhere:3128'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['Http_Proxy'] = 'http://somewhereelse:3128'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fp = urllib.request.urlopen("http://python.org/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
fp = urllib.request.urlopen(url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
resp = urllib.request.urlopen("http://www.python.org")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(f"http:{schemeless_url}")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(f"https:{schemeless_url}")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(f"http:{schemeless_url}")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(f"https:{schemeless_url}")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen("http://python.org/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen("http://python.org/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen("http://something")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with urllib.request.urlopen(tmp_fileurl) as fobj:
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(tmp_fileurl)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(self.text_url))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(self.text_url_base64))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.image_url_resp = self.enterContext(urllib.request.urlopen(self.image_url))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
FILE = open(os_helper.TESTFN, 'wb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
FILE = open(second_temp, 'rb')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with urllib.request.urlopen(file_url) as f:
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.assertEqual(Request(url,
headers={"Spam-eggs": "blah"}
).headers["Spam-eggs"], "blah")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.assertEqual(Request(url,
headers={"spam-EggS": "blah"}
).headers["Spam-eggs"], "blah")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(url, headers={"Spam-eggs": "blah"})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return Request("http://blah/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
f = open(TESTFN, "wb")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = open(TESTFN, "wb")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
req = Request("http://example.com/","badpost")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/", data)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(file_path, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
req = Request("http://example.com/", f, {})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(file_path, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
req = Request("http://example.com/", f, {"Content-Length": 30})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/", file_obj, {})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/", file_obj, headers)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/", proc.stdout, headers)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/", iterable_body(), headers)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = h.do_request_(Request("http://example.com/", ()))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/", iterable_array, headers)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
r = Request('http://example.com')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
r = Request('http://www.example.com')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(weird_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(url_without_path)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(from_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(from_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
fp = urllib.request.urlopen("http://python.org/path")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = opener.open('http://example.com/')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(from_url, method="HEAD")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://acme.example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://www.perl.org/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://www.python.org")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://www.python.org")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("https://www.example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("https://www.example.com/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
opener.open(request_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
opener.open(request_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
opener.open(request_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
opener.open(request_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
opener.open(request_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://dummy/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://dummy/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.get = Request("http://www.python.org/~jeremy/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.post = Request("http://www.python.org/~jeremy/",
"data",
headers={"X-Test": "test"})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.head = Request("http://www.python.org/~jeremy/", method='HEAD')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://www.python.org/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://www.%70ython.org/")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://www.python.org/?qs=query#fragment=true")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request("http://www.python.org/#fun=true")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = Request(url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.assertTrue(urllib.request.urlopen(self.server_url))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
urllib.request.urlopen(self.server_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
os.environ.clear()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ.update(old_environ)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.addCleanup(restore_environ, os.environ.copy())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['NO_PROXY'] = ''
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['no_proxy'] = ''
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.opener.open(self.URL)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.opener.open(self.URL)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with self.opener.open(self.URL) as result:
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
result = self.opener.open(self.URL)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
os.environ.clear()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ.update(old_environ)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.addCleanup(restore_environ, os.environ.copy())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['NO_PROXY'] = '*'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ['no_proxy'] = '*'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f = urllib.request.urlopen(url, data, **kwargs)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with urllib.request.urlopen(req):
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with urllib.request.urlopen(req):
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with urllib.request.urlopen("http://localhost:%s" % handler.port) as open_url:
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
open_url = urllib.request.urlopen(
"http://localhost:%s" % handler.port)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
open_url = urllib.request.urlopen("http://localhost:%s" % handler.port)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
data = urllib.request.urlopen("http://localhost:%s" % handler.port)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
data = urllib.request.urlopen("http://localhost:%s" % handler.port)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
opener.open(request, "1".encode("us-ascii"))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
opener.open(request, "1234567890".encode("us-ascii"))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
os_environ = dict(os.environ.items())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
gevent-websocket
python dependencyexpand_more 2 low-confidence finding(s)
long_description=open("README.rst").read(),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
license=open('LICENSE').read(),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
groq
python dependencyexpand_more 18 low-confidence finding(s)
return await self._client.request(self._page_cls, self._options)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
api_key = os.environ.get("GROQ_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = os.environ.get("GROQ_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
custom_headers_env = os.environ.get("GROQ_CUSTOM_HEADERS")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_key = os.environ.get("GROQ_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = os.environ.get("GROQ_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
custom_headers_env = os.environ.get("GROQ_CUSTOM_HEADERS")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return (path.name, path.read_bytes())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return pathlib.Path(file).read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return (path.name, await path.read_bytes())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await anyio.Path(file).read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
extra="allow", defer_build=coerce_boolean(os.environ.get("DEFER_PYDANTIC_BUILD", "true"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file, mode="wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file, mode="wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.get("GROQ_LOG")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
binary = data.read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
binary = await anyio.Path(data).read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
contents = Path(path).read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
mistletoe
python dependencyexpand_more 4 low-confidence finding(s)
with open(filename, 'r', encoding='utf-8') as fin:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(args[0], 'r', encoding='utf-8') if len(args) == 1 else sys.stdin as infile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.options['output'], 'w', encoding='utf-8') as outfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open('README.md', 'r', encoding='utf-8') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
netlify-py
python dependencyexpand_more 6 low-confidence finding(s)
response = requests.get(
url,
headers=api_headers,
params=api_params
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = requests.post(
url,
headers=api_headers,
json=data
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(os.path.join(root, file_name), 'rb') as current_file_handle:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(full_path, 'rb') as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(os.path.dirname(__file__), 'README.md')) as readme:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
version_file = open(filename).read()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ollama
python dependencyexpand_more 12 low-confidence finding(s)
with open('output.png', 'wb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
latest = httpx.get('https://xkcd.com/info.0.json')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
comic = httpx.get(f'https://xkcd.com/{num}/info.0.json')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
raw = httpx.get(comic.json().get('img'))
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
api_key = os.getenv('OLLAMA_API_KEY', None)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url=_parse_host(host or os.getenv('OLLAMA_HOST')),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
r = self._client.request(*args, **kwargs)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(path, 'rb') as r:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path, 'rb') as r:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
r = await self._client.request(*args, **kwargs)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return b64encode(self.value.read_bytes() if isinstance(self.value, Path) else self.value).decode()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return b64encode(Path(self.value).read_bytes()).decode()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
openai
python dependencyexpand_more 69 low-confidence finding(s)
with open(filename, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
endpoint = os.environ["AZURE_OPENAI_ENDPOINT"]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
deployment_name = os.environ["AZURE_OPENAI_DEPLOYMENT_NAME"]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data = file.read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_type: _ApiType | None = _t.cast(_ApiType, _os.environ.get("OPENAI_API_TYPE"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_version: str | None = _os.environ.get("OPENAI_API_VERSION")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
azure_endpoint: str | None = _os.environ.get("AZURE_OPENAI_ENDPOINT")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
azure_ad_token: str | None = _os.environ.get("AZURE_OPENAI_AD_TOKEN")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return _os.environ.get("OPENAI_API_KEY") is not None
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return azure_endpoint is not None or _os.environ.get("AZURE_OPENAI_API_KEY") is not None
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
_os.environ.get("AZURE_OPENAI_AD_TOKEN") is not None
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
azure_endpoint = _os.environ.get("AZURE_OPENAI_ENDPOINT")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
azure_ad_token = _os.environ.get("AZURE_OPENAI_AD_TOKEN")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_version = _os.environ.get("OPENAI_API_VERSION")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (azure_ad_token is not None or azure_ad_token_provider is not None) and _os.environ.get(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (azure_ad_token is not None or azure_ad_token_provider is not None) and _os.environ.get(
"AZURE_OPENAI_API_KEY"
) is not None:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await self._client.request(self._page_cls, self._options)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
api_key = os.environ.get("OPENAI_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
admin_api_key = os.environ.get("OPENAI_ADMIN_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
organization = os.environ.get("OPENAI_ORG_ID")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
project = os.environ.get("OPENAI_PROJECT_ID")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
webhook_secret = os.environ.get("OPENAI_WEBHOOK_SECRET")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = os.environ.get("OPENAI_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
custom_headers_env = os.environ.get("OPENAI_CUSTOM_HEADERS") if provider_runtime is None else None
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_key = os.environ.get("OPENAI_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
admin_api_key = os.environ.get("OPENAI_ADMIN_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
organization = os.environ.get("OPENAI_ORG_ID")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
project = os.environ.get("OPENAI_PROJECT_ID")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
webhook_secret = os.environ.get("OPENAI_WEBHOOK_SECRET")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_url = os.environ.get("OPENAI_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
custom_headers_env = os.environ.get("OPENAI_CUSTOM_HEADERS") if provider_runtime is None else None
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return (path.name, path.read_bytes())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return pathlib.Path(file).read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return (path.name, await path.read_bytes())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await anyio.Path(file).read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file, mode="wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file, mode="wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
extra="allow", defer_build=coerce_boolean(os.environ.get("DEFER_PYDANTIC_BUILD", "true"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file, mode="wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file, mode="wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ.get("OPENAI_LOG")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
binary = data.read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
binary = await anyio.Path(data).read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
contents = Path(path).read_bytes()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(token_file_path, "r") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
response = http_client.get(url, params=params, headers={"Metadata": "true"}, timeout=timeout)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = client.get(url, params=params, headers={"Metadata": "true"}, timeout=timeout)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = http_client.get(url, params=params, headers={"Metadata-Flavor": "Google"}, timeout=timeout)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = client.get(url, params=params, headers={"Metadata-Flavor": "Google"}, timeout=timeout)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = client.post(
self.token_exchange_url,
json={
"grant_type": TOKEN_EXCHANGE_GRANT_TYPE,
"subject_token": subject_token,
"subject_token_type": subject_token_type,
"identity_provider_id": self.workload_identity["identity_provider_id"],
"service_account_id": self.workload_identity["service_account_id"],
},
timeout=10.0,
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
region = os.environ.get("AWS_REGION") or os.environ.get("AWS_DEFAULT_REGION")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fname, "r") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_key = os.environ.get("AZURE_OPENAI_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
azure_ad_token = os.environ.get("AZURE_OPENAI_AD_TOKEN")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_version = os.environ.get("OPENAI_API_VERSION")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
azure_endpoint = os.environ.get("AZURE_OPENAI_ENDPOINT")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_key = os.environ.get("AZURE_OPENAI_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
azure_ad_token = os.environ.get("AZURE_OPENAI_AD_TOKEN")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_version = os.environ.get("OPENAI_API_VERSION")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
azure_endpoint = os.environ.get("AZURE_OPENAI_ENDPOINT")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
configured = region or os.environ.get("AWS_REGION") or os.environ.get("AWS_DEFAULT_REGION")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
environment_base_url = os.environ.get("AWS_BEDROCK_BASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
token = os.environ.get("AWS_BEARER_TOKEN_BEDROCK")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
environment_token = os.environ.get("AWS_BEARER_TOKEN_BEDROCK")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
token = os.environ.get("AWS_BEARER_TOKEN_BEDROCK")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ.get("AWS_REGION") or os.environ.get("AWS_DEFAULT_REGION")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
environment_base_url = _normalize_optional_string(os.environ.get("AWS_BEDROCK_BASE_URL"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
and bool(os.environ.get("AWS_BEARER_TOKEN_BEDROCK"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
orjson
python dependencyexpand_more 40 low-confidence finding(s)
data = json.load(open("../encoding/encodings.json", "r"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
indexes = json.load(open("../encoding/indexes.json", "r"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
partially_generated_file = open(path, "r")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
label_file = open("src/lib.rs", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
docfile = open("doc/%s.txt" % name, "r")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
label_test_file = open("src/test_labels_names.rs", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data_file = open("src/data.rs", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
variant_file = open("src/variant.rs", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ffi_file = open("../encoding_c/src/lib.rs", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
single_byte_file = open("src/single_byte.rs", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
static_file = open("../encoding_c/include/encoding_rs_statics.h", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
utf_8_file = open("src/utf_8.rs", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
jis0208_in_file = open("src/test_data/jis0208_in.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
jis0208_in_ref_file = open("src/test_data/jis0208_in_ref.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
jis0208_out_file = open("src/test_data/jis0208_out.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
jis0208_out_ref_file = open("src/test_data/jis0208_out_ref.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
shift_jis_in_file = open("src/test_data/shift_jis_in.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
shift_jis_in_ref_file = open("src/test_data/shift_jis_in_ref.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
shift_jis_out_file = open("src/test_data/shift_jis_out.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
shift_jis_out_ref_file = open("src/test_data/shift_jis_out_ref.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
iso_2022_jp_in_file = open("src/test_data/iso_2022_jp_in.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
iso_2022_jp_in_ref_file = open("src/test_data/iso_2022_jp_in_ref.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
iso_2022_jp_out_file = open("src/test_data/iso_2022_jp_out.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
iso_2022_jp_out_ref_file = open("src/test_data/iso_2022_jp_out_ref.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
euc_kr_in_file = open("src/test_data/euc_kr_in.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
euc_kr_in_ref_file = open("src/test_data/euc_kr_in_ref.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
euc_kr_out_file = open("src/test_data/euc_kr_out.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
euc_kr_out_ref_file = open("src/test_data/euc_kr_out_ref.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
gb18030_in_file = open("src/test_data/gb18030_in.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
gb18030_in_ref_file = open("src/test_data/gb18030_in_ref.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
gb18030_out_file = open("src/test_data/gb18030_out.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
gb18030_out_ref_file = open("src/test_data/gb18030_out_ref.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
big5_in_file = open("src/test_data/big5_in.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
big5_in_ref_file = open("src/test_data/big5_in_ref.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
big5_out_file = open("src/test_data/big5_out.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
big5_out_ref_file = open("src/test_data/big5_out_ref.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
jis0212_in_file = open("src/test_data/jis0212_in.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
jis0212_in_ref_file = open("src/test_data/jis0212_in_ref.txt", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
codepage_file = open("../codepage/src/lib.rs", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
codepage_test_file = open("../codepage/src/tests.rs", "w")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pdfminer.six
python dependencyexpand_more 28 low-confidence finding(s)
with open(path, "rb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ.get("CMAP_PATH", "/usr/share/pdfminer/"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.write_text(item.get_text())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.write_text("\n")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.write_text(f"Page {ltpage.pageid}\n")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.write_text("\f")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.write_text(text)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.write_text(text)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.write_text(item.get_text())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.write_text(item.get_text())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path) as fileinput:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path) as fileinput:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path, "wb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path, "wb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path, "wb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path, "wb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path, "wb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path, "wb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.file_handler: AnyIO = open(filename, *args, **kwargs) # noqa: SIM115
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path) as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fname, "rb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path, "wb") as out:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fname, "rb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fname, "rb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with sys.stdout if args.outfile == "-" else open(args.outfile, "w") as outfp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fname, "rb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(outfile, "wb") as outfp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fname, "rb") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
requests
python dependencyexpand_more 8 low-confidence finding(s)
os.environ.get("REQUESTS_CA_BUNDLE")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
or os.environ.get("CURL_CA_BUNDLE")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
netrc_file = os.environ.get("NETRC")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
old_value = os.environ.get(env_name)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ[env_name] = value
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
del os.environ[env_name]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ[env_name] = old_value
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return os.environ.get(key) or os.environ.get(key.upper())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sqlmodel
python dependencyexpand_more 56 low-confidence finding(s)
selected_hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
db_hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = client.get(f"/heroes/{hero_1.id}")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero_in_db = session.get(Hero, hero_1.id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
db_hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
db_hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
team = session.get(Team, team_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
db_team = session.get(Team, team_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
team = session.get(Team, team_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
db_hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
db_hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
team = session.get(Team, team_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
db_team = session.get(Team, team_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
team = session.get(Team, team_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
db_hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
db_hero = session.get(Hero, hero_id)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, 1)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hero = session.get(Hero, 9001)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(RELEASE_NOTES_FILE) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(RELEASE_NOTES_FILE, "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ["DYLD_FALLBACK_LIBRARY_PATH"] = "/opt/homebrew/lib"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = en_index.read_text("utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sponsors = yaml.safe_load(sponsors_data_path.read_text(encoding="utf-8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readme_path.write_text(new_content, encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readme_content = readme_path.read_text("utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
subprocess.run(args, env={**os.environ, "LINENUMS": "true"}, check=True)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base_content = file_path.read_text(encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
version_file.write_text(content_format, encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = md_file.read_text(encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
md_file.write_text(new_content, encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
all_docs_content += md_file.read_text(encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
template: Template = Template(template_path.read_text())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
current_content = destiny_path.read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if current_content != result and os.getenv("CHECK_JINJA"):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
destiny_path.write_text(result)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
version_file_content = version_file.read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
release_notes_content = release_notes_file.read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
version_file.write_text(
update_version_file(version_file_content, version, version_file)
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
release_notes_file.write_text(
update_release_notes(
release_notes_content, version, parsed_release_date, release_notes_file
)
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
typer.echo(get_current_version(version_file.read_text(), version_file))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
version = get_current_version(version_file.read_text(), version_file)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
release_notes_file.read_text(), version, release_notes_file
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tiktoken
python dependencyexpand_more 16 low-confidence finding(s)
num_threads = int(os.environ["RAYON_NUM_THREADS"])
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
text = path.read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
path.write_text(redacted_text)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
response = requests.get(artifacts_url, headers=headers)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = requests.get(download_url, headers=headers, stream=True)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(temp_zip, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(__file__) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(blobpath, "rb", buffering=0) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
resp = requests.get(blobpath)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return blobfile.read_bytes(blobpath)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if "TIKTOKEN_CACHE_DIR" in os.environ:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cache_dir = os.environ["TIKTOKEN_CACHE_DIR"]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
elif "DATA_GYM_CACHE_DIR" in os.environ:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cache_dir = os.environ["DATA_GYM_CACHE_DIR"]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(cache_path, "rb", buffering=0) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(tmp_filename, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
toml
python dependencyexpand_more 2 low-confidence finding(s)
with open("README.rst") as readme_file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with io.open(_getpath(f), encoding='utf-8') as ffile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
urllib3
python dependencyexpand_more 12 low-confidence finding(s)
if "READTHEDOCS" in os.environ:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
html_baseurl = os.environ.get("READTHEDOCS_CANONICAL_URL", "/")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await make_response(file_path.read_bytes(), 200, headers)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await make_response(file_path.read_bytes(), 200, headers)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return _DEFAULT_POOL.request(
method,
url,
body=body,
fields=fields,
headers=headers,
preload_content=preload_content,
decode_content=decode_content,
redirect=redirect,
retries=retries,
timeout=timeout,
json=json,
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.pool.put(None)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
self.pool.put(conn, block=False)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
conn.request(
method,
url,
body=body,
headers=headers,
chunked=chunked,
preload_content=preload_content,
decode_content=decode_content,
enforce_content_length=enforce_content_length,
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
streaming_worker_code = (
files(__package__)
.joinpath("emscripten_fetch_worker.js")
.read_text(encoding="utf-8")
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if "SSLKEYLOGFILE" in os.environ:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sslkeylogfile = os.path.expandvars(os.environ.get("SSLKEYLOGFILE"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(key_file) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
xhtml2pdf
python dependencyexpand_more 13 low-confidence finding(s)
urlResponse = request.urlopen(self.uri)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
conn = httplib.HTTPSConnection(server, **httpConfig)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
conn.request("GET", path)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(uri, encoding="utf-8") as file_handler:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(uri, "rb") as file_handler:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.path, "rb") as arch:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(a, encoding="utf-8") as file_handler:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(fsrc, "rb") as file_handler:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(dest, "wb") as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(dest, "wb") as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fdest = open(dest, "wb") # noqa: SIM115
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(filename, "rb") as file_handler:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(srcFile, encoding="utf-8") as file_handler:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Skipped dependencies
Production
- playwright prod — no sdist (wheels only)
- google-generativeai prod — no sdist (wheels only)