
psf/requests

https://github.com/psf/requests.git · scanned 2026-05-16 15:07 UTC (1 day, 6 hours ago) · 10 languages

54 findings (6 legacy + 48 scanner) · 92nd percentile · Python · small (2-20K LoC) · Scanner says 90 (lower by 5)


Complete repo analysis

Last scanned 1 day, 12 hours ago · v1 · 54 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Severity distribution (active filter: excluding tests)
Severity: Critical 0 · High 4 · Medium 5 · Low 40
Source: Legacy 6 · 9-layer 48 · Crowd 0
Layer: Security 4 · Software 25 · Api 1 · Frontend 1 · Cicd 1 · Quality 22
Scan summary: Repository scanned at 90.5/100 with 77.8% coverage. It contains 848 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 48 findings — concentrated in software (22), quality (22), api (1). Risk profile is low: 0 critical, 0 high, 3 medium. Recommended next step: open the software layer findings first — that's where the highest-impact wins live.

Showing 54 of 54 findings.

high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching:
    ALLOWED = {'images.example.com', 'cdn.example.com'}
    host = urlparse(url).hostname
    if host not in ALLOWED:
        abort(400)
Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
src/requests/cookies.py:60 · ssrf · legacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching:
    ALLOWED = {'images.example.com', 'cdn.example.com'}
    host = urlparse(url).hostname
    if host not in ALLOWED:
        abort(400)
Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
src/requests/exceptions.py:118 · ssrf · legacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching:
    ALLOWED = {'images.example.com', 'cdn.example.com'}
    host = urlparse(url).hostname
    if host not in ALLOWED:
        abort(400)
Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
src/requests/adapters.py:284 · ssrf · legacy
high Legacy security injection conf 1.00 [SEC038] HTTP Request Smuggling Risk — TE/CL mismatch: HTTP Request Smuggling (HRS) abuses parser disagreement between front-end and back-end servers about request boundaries when Transfer-Encoding and Content-Length both present. Attackers smuggle a second request, stealing other users' responses or bypassing auth. CWE-444. Real CVEs: CVE-2019-16276 (Go net/http), CVE-2020-10719 (Undertow), CVE-2022-24735 (Redis-7), Cloudflare/Akamai/Varnish disclosures.
Don't set Transfer-Encoding manually — let the framework. If you must:
1. Only set ONE of Transfer-Encoding or Content-Length per response.
2. Reject incoming requests with both headers (RFC 7230 §3.3.3 #3).
3. Use a battle-tested HTTP server (nginx, envoy) as front-end; never accept raw…
src/requests/models.py:628 · injection · legacy
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
auth · legacy
medium Legacy security crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
src/requests/adapters.py:99 · crypto · legacy
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/publish.yml · supply-chain · github-actions · least-privilege
medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in src/requests/auth.py:170
Found a known-risky pattern (weak_hash). Review and replace if possible.
src/requests/auth.py:170 · owasp · weak_hash
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — src/requests/__init__.py:14
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: docs/conf.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: setup.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/requests/__version__.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/requests/certs.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/requests/packages.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer quality integrity conf 1.00 Legacy-named symbol `environ_copy` in tests/test_utils.py:967
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_cookie_policy_copy` in tests/test_requests.py:1409
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_copy` in tests/test_structures.py:37
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/requests/adapters.py:send, src/requests/adapters.py:send. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/requests/adapters.py:close, src/requests/adapters.py:close. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/requests/adapters.py:get_connection_with_tls_context, src/requests/adapters.py:get_connection. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're s…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/requests/cookies.py:get_type, src/requests/cookies.py:get. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/requests/models.py:prepare, src/requests/models.py:prepare. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/requests/utils.py:proxy_bypass_registry, src/requests/utils.py:proxy_bypass. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/requests/sessions.py:send, src/requests/sessions.py:send. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/requests/sessions.py:get_redirect_target, src/requests/sessions.py:get. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: src/requests/cookies.py:cookiejar_from_dict, src/requests/cookies.py:cookiejar_from_dict, src/requests/cookies.py:cookiejar_from_dict. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). C…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: src/requests/models.py:iter_content, src/requests/models.py:iter_content, src/requests/models.py:iter_content. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document w…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: src/requests/models.py:iter_lines, src/requests/models.py:iter_lines, src/requests/models.py:iter_lines. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why the…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: src/requests/structures.py:get, src/requests/structures.py:get, src/requests/structures.py:get. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're sepa…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: src/requests/utils.py:to_key_val_list, src/requests/utils.py:to_key_val_list, src/requests/utils.py:to_key_val_list. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or docu…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: src/requests/utils.py:iter_slices, src/requests/utils.py:iter_slices, src/requests/utils.py:iter_slices. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why the…
integrity · duplicate · dry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: add_header
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/cookies.py:89 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: add_unredirected_header
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/cookies.py:95 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: dict_from_cookiejar
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/utils.py:500 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: dict_to_sequence
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/utils.py:149 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: from_key_val_list
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/utils.py:341 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: handle_401
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/auth.py:273 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: handle_redirect
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/auth.py:268 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: has_header
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/cookies.py:83 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: is_prepared
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/_types.py:42 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: list_domains
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/cookies.py:302 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: list_paths
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/cookies.py:310 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: md5_utf8
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/auth.py:176 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: multiple_domains
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/cookies.py:318 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: parse_list_header
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/utils.py:408 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: sha256_utf8
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/auth.py:192 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: sha512_utf8
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/auth.py:200 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: sha_utf8
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/requests/auth.py:184 dead-code
low 9-layer quality complexity conf 1.00 Very large file: tests/test_requests.py (3068 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
info 9-layer quality integrity conf 1.00 Commented-code block (5 lines) in docs/conf.py:80
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
integrity · commented-code · dead-code
info 9-layer quality integrity conf 1.00 Commented-code block (5 lines) in src/requests/utils.py:490
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
integrity · commented-code · dead-code
info 9-layer quality integrity conf 1.00 Commented-code block (6 lines) in src/requests/sessions.py:136
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
integrity · commented-code · dead-code
info 9-layer api coverage conf 1.00 No API endpoints detected
The scanner did not find FastAPI/Flask/Express/NestJS/GraphQL/gRPC routes. If this repo exposes APIs, the framework may be unsupported.
coverage
info 9-layer frontend coverage conf 1.00 No frontend routes/components detected
No React/Vue/Next routes were found. This is fine for backend-only repos.
coverage
API access

This page is publicly accessible at: https://repobility.com/scan/324cb4d6-5207-4a09-a65f-c1602d164496/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/324cb4d6-5207-4a09-a65f-c1602d164496/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.