Tainted flow: 'url' from os.getenv (line 93, credential/environment) → requests.post (network output)
Critical
- Category
- Data Flow
- Content
parser_config = json.dumps({"lang_detect_enable": False,"backend": "pipeline-high-acc","chunk_type": "general","chunk_num": 256,"parent_chunk_num": 1024,"embed_model": "bge-m3","use_vision": True,"layout": True})
data = {"parser_config": parser_config,"parse": "true","kb_id": kb_id}
upload_files = [("files", (os.path.basename(f), open(f, "rb"))) for f in files]
r = requests.post(url, headers=HEADERS, data=data, files=upload_files, verify=VERIFY_TLS, timeout=TIMEOUT)
print(json.dumps(r.json(), ensure_ascii=False, indent=2))
def catalog_list():
- Confidence
- 83% confidence
- Finding
- r = requests.post(url, headers=HEADERS, data=data, files=upload_files, verify=VERIFY_TLS, timeout=TIMEOUT)
