
Potential Vulnerability in requests==2.22.0 #153

@Alicia01666

Description


Summary

A reachable construct was identified in requests==2.22.0 through my static analysis database. This version has been flagged as vulnerable in PyPI's open-source vulnerability database. The analysis uncovered 1 call chain leading to this construct. Below is one example to illustrate the potential vulnerability:

Call Chain Analysis

pull->pull.YoudaoNotePull.pull_dir_by_id_recursively->core.api.YoudaoNoteApi.get_dir_info_by_id->core.api.YoudaoNoteApi.http_get->requests.sessions.Session.get->requests.sessions.Session.request->requests.sessions.Session.send->requests.sessions.SessionRedirectMixin.resolve_redirects->requests.sessions.SessionRedirectMixin.rebuild_proxies

Patch and Code Changes

We suspect that this construct (requests.sessions.SessionRedirectMixin.rebuild_proxies) may be vulnerable because it was modified in a [security-related patch]. This suggests that the original code might have contained a flaw, and it may still be risky to use the affected version (requests==2.22.0) without further investigation.

Note:

This issue was identified through a static analysis of the project at commit [76dd82f].
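The report above is static: it shows that a path from the project's `http_get` to `rebuild_proxies` exists, not that it is exercised. The script below is an added example (not code from this report or from the project) that confirms the tail of that chain dynamically: `Session.get -> request -> send -> resolve_redirects -> rebuild_proxies`. It assumes `requests` is installed; the adapter, hostnames and proxy URL are constructed for the demonstration and no network traffic is sent. It answers only the reachability question, not whether the installed version is fixed.

```python
"""Confirm that a redirect handled by requests.Session reaches
SessionRedirectMixin.rebuild_proxies, the construct flagged in this issue.

Added example, not code from the original report or the project. Assumes
`requests` is installed; the adapter, URLs and proxy value are constructed
for the demonstration and never touch the network.
"""
from unittest import mock

import requests
from requests.adapters import BaseAdapter


class RedirectOnceAdapter(BaseAdapter):
    """Fake transport: first request gets a 302 to another host, second a 200.

    Constructed for this example; it replaces the real HTTPAdapter so the
    session's redirect logic runs without any sockets.
    """

    def __init__(self, redirect_to):
        super().__init__()
        self.redirect_to = redirect_to
        self.seen = []  # (method, url) for every request the session sends

    def send(self, request, stream=False, timeout=None, verify=True,
             cert=None, proxies=None):
        self.seen.append((request.method, request.url))
        resp = requests.Response()
        resp.request = request
        resp.url = request.url
        resp._content = b""            # body already "read": nothing to drain
        resp._content_consumed = True  # so Response.close() does not touch raw
        if len(self.seen) == 1:
            resp.status_code = 302
            resp.headers["Location"] = self.redirect_to
        else:
            resp.status_code = 200
        return resp

    def close(self):
        pass


def trace_rebuild_proxies(start_url, redirect_to, proxies):
    """Issue one GET with redirects enabled and record how rebuild_proxies is hit.

    Returns (call_count, proxies_passed_to_rebuild_proxies, urls_requested).
    """
    session = requests.Session()
    session.trust_env = False  # keep environment proxy/netrc settings out of the run
    adapter = RedirectOnceAdapter(redirect_to)
    session.mount("http://", adapter)
    session.mount("https://", adapter)

    original = requests.sessions.SessionRedirectMixin.rebuild_proxies
    calls = []

    def spy(self, prepared_request, proxies_arg):
        # Record the proxy mapping handed to the flagged construct, then
        # defer to the real implementation so behaviour is unchanged.
        calls.append(dict(proxies_arg or {}))
        return original(self, prepared_request, proxies_arg)

    # Patch the flagged construct itself so the exact call site reached via
    # Session.get -> request -> send -> resolve_redirects is observed.
    with mock.patch.object(requests.sessions.SessionRedirectMixin,
                           "rebuild_proxies", spy):
        response = session.get(start_url, proxies=proxies)

    if response.status_code != 200 or len(response.history) != 1:
        raise RuntimeError("redirect was not followed as expected")
    return len(calls), calls, [url for _, url in adapter.seen]


if __name__ == "__main__":
    count, passed, urls = trace_rebuild_proxies(
        "http://origin.example/dir",
        "http://other.example/moved",
        {"http": "http://proxy.example:3128"},
    )
    print(f"rebuild_proxies called {count} time(s); proxies seen: {passed}")
    print("requests issued:", urls)
```

Run it against the interpreter that has the pinned requests==2.22.0 installed. One call per followed redirect means any caller that lets `Session.get` follow a cross-host redirect, as `http_get` in the chain above does, drives the flagged construct with whatever proxy configuration the session carries; whether that is exploitable still depends on the patch the report links to.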
