diff --git a/bandit/plugins/request_without_timeout.py b/bandit/plugins/request_without_timeout.py
index d571a49e..c6439001 100644
--- a/bandit/plugins/request_without_timeout.py
+++ b/bandit/plugins/request_without_timeout.py
@@ -59,12 +59,7 @@ def request_without_timeout(context):
     HTTPX_ATTRS = {"request", "stream", "Client", "AsyncClient"} | HTTP_VERBS
     qualname = context.call_function_name_qual.split(".")[0]
-    if (
-        qualname == "requests"
-        and context.call_function_name in HTTP_VERBS
-        or qualname == "httpx"
-        and context.call_function_name in HTTPX_ATTRS
-    ):
+    if qualname == "requests" and context.call_function_name in HTTP_VERBS:
         # check for missing timeout
         if context.check_call_arg_value("timeout") is None:
             return bandit.Issue(
@@ -73,6 +68,12 @@ def request_without_timeout(context):
                 cwe=issue.Cwe.UNCONTROLLED_RESOURCE_CONSUMPTION,
                 text=f"Call to {qualname} without timeout",
             )
+    if (
+        qualname == "requests"
+        and context.call_function_name in HTTP_VERBS
+        or qualname == "httpx"
+        and context.call_function_name in HTTPX_ATTRS
+    ):
         # check for timeout=None
         if context.check_call_arg_value("timeout", "None"):
             return bandit.Issue(
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index 7733ebf6..a89c152e 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -368,8 +368,8 @@ def test_requests_ssl_verify_disabled(self):
     def test_requests_without_timeout(self):
         """Test for the `requests` library missing timeouts."""
         expect = {
-            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 36, "HIGH": 0},
-            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 36, "MEDIUM": 0, "HIGH": 0},
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 25, "HIGH": 0},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 25, "MEDIUM": 0, "HIGH": 0},
         }
         self.check_example("requests-missing-timeout.py", expect)
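Review bot: The new guard `if qualname == "requests" and context.call_function_name in HTTP_VERBS:` narrows the missing-timeout check to `requests` only, but nothing in the code records why `httpx` was dropped from it, so a later reader may take the asymmetry with the second condition for an oversight. The reason is that httpx applies a default timeout when none is passed, whereas requests has no default and will block indefinitely; a why-comment above the `if` would make that explicit, e.g. `# Only requests is flagged for a missing timeout: it has no default and blocks forever. httpx ships a default timeout, so only an explicit timeout=None (checked below) disables it.` The enclosing function `request_without_timeout` starts before this hunk, and the `# check for missing timeout` comment below the guard still reads as if both libraries were covered.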
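Review bot: The re-added condition in the second hunk repeats the `requests` test from the first hunk verbatim and mixes `and`/`or` without parentheses, so the reader has to re-derive operator precedence and spot that the two `if`s overlap (a `requests` call with an explicit timeout falls through the first branch and is then re-evaluated here). Computing the two predicates once and reusing them keeps both checks in sync and makes the intended grouping explicit; this also simplifies the first hunk's guard. The enclosing function starts before the first hunk and its tail (the second `bandit.Issue(...)`) ends after this one, so the restructure below shows only the guards.

```python
    qualname = context.call_function_name_qual.split(".")[0]
    is_requests = qualname == "requests" and context.call_function_name in HTTP_VERBS
    is_httpx = qualname == "httpx" and context.call_function_name in HTTPX_ATTRS
    if is_requests:
        # … unchanged: missing-timeout check and bandit.Issue(...) …
    if is_requests or is_httpx:
        # … unchanged: timeout=None check and bandit.Issue(...) …
```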