Tainted flow: 'FACILITATOR' from os.environ.get (line 25, credential/environment) → requests.post (network output)
Critical
- Category
- Data Flow
- Content
    if not ph:
        return False
    try:
        r = requests.post(f"{FACILITATOR}/verify", json={"payment": ph, "paymentRequirements": payment_requirements()["accepts"][0]}, timeout=10)
        return r.status_code == 200 and r.json().get("isValid", False)
- Confidence
- 94% confidence
- Finding
- r = requests.post(f"{FACILITATOR}/verify", json={"payment": ph, "paymentRequirements": payment_requirements()["accepts"][0]}, timeout=10)
