No need to check httpx client without timeout defined (#1177)

Unlike python-requests, the httpx client has a default timeout of 5 seconds on its class and functions. As such, there is no need for Bandit to check for an undefined timeout. However, explicitly setting the timeout to None is still a potential problem as that would create a situtation where the client would block forever. Fixes: #1175 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
PyCQA · Oct 14, 2024 · 071386b · 071386b
1 parent 9b4d480
commit 071386b
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 8 deletions.
diff --git a/bandit/plugins/request_without_timeout.py b/bandit/plugins/request_without_timeout.py
@@ -59,12 +59,7 @@ def request_without_timeout(context):
     HTTPX_ATTRS = {"request", "stream", "Client", "AsyncClient"} | HTTP_VERBS
     qualname = context.call_function_name_qual.split(".")[0]
 
-    if (
-        qualname == "requests"
-        and context.call_function_name in HTTP_VERBS
-        or qualname == "httpx"
-        and context.call_function_name in HTTPX_ATTRS
-    ):
+    if qualname == "requests" and context.call_function_name in HTTP_VERBS:
         # check for missing timeout
         if context.check_call_arg_value("timeout") is None:
             return bandit.Issue(
@@ -73,6 +68,12 @@ def request_without_timeout(context):
                 cwe=issue.Cwe.UNCONTROLLED_RESOURCE_CONSUMPTION,
                 text=f"Call to {qualname} without timeout",
             )
+    if (
+        qualname == "requests"
+        and context.call_function_name in HTTP_VERBS
+        or qualname == "httpx"
+        and context.call_function_name in HTTPX_ATTRS
+    ):
         # check for timeout=None
         if context.check_call_arg_value("timeout", "None"):
             return bandit.Issue(

diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
@@ -368,8 +368,8 @@ def test_requests_ssl_verify_disabled(self):
     def test_requests_without_timeout(self):
         """Test for the `requests` library missing timeouts."""
         expect = {
-            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 36, "HIGH": 0},
-            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 36, "MEDIUM": 0, "HIGH": 0},
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 25, "HIGH": 0},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 25, "MEDIUM": 0, "HIGH": 0},
         }
         self.check_example("requests-missing-timeout.py", expect)