From 071386bcd801114a88cd42f1ef76e34f50f96661 Mon Sep 17 00:00:00 2001
From: Eric Brown <ericwb@users.noreply.github.com>
Date: Mon, 14 Oct 2024 09:20:48 -0700
Subject: [PATCH] No need to check httpx client without timeout defined (#1177)

Unlike python-requests, the httpx client has a default
timeout of 5 seconds on its class and functions. As such,
there is no need for Bandit to check for an undefined
timeout. However, explicitly setting the timeout to None
is still a potential problem as that would create a
situtation where the client would block forever.

Fixes: #1175

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
---
 bandit/plugins/request_without_timeout.py | 13 +++++++------
 tests/functional/test_functional.py       |  4 ++--
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/bandit/plugins/request_without_timeout.py b/bandit/plugins/request_without_timeout.py
index d571a49ea..c6439001b 100644
--- a/bandit/plugins/request_without_timeout.py
+++ b/bandit/plugins/request_without_timeout.py
@@ -59,12 +59,7 @@ def request_without_timeout(context):
     HTTPX_ATTRS = {"request", "stream", "Client", "AsyncClient"} | HTTP_VERBS
     qualname = context.call_function_name_qual.split(".")[0]
 
-    if (
-        qualname == "requests"
-        and context.call_function_name in HTTP_VERBS
-        or qualname == "httpx"
-        and context.call_function_name in HTTPX_ATTRS
-    ):
+    if qualname == "requests" and context.call_function_name in HTTP_VERBS:
         # check for missing timeout
         if context.check_call_arg_value("timeout") is None:
             return bandit.Issue(
@@ -73,6 +68,12 @@ def request_without_timeout(context):
                 cwe=issue.Cwe.UNCONTROLLED_RESOURCE_CONSUMPTION,
                 text=f"Call to {qualname} without timeout",
             )
+    if (
+        qualname == "requests"
+        and context.call_function_name in HTTP_VERBS
+        or qualname == "httpx"
+        and context.call_function_name in HTTPX_ATTRS
+    ):
         # check for timeout=None
         if context.check_call_arg_value("timeout", "None"):
             return bandit.Issue(
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index 7733ebf64..a89c152e7 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -368,8 +368,8 @@ def test_requests_ssl_verify_disabled(self):
     def test_requests_without_timeout(self):
         """Test for the `requests` library missing timeouts."""
         expect = {
-            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 36, "HIGH": 0},
-            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 36, "MEDIUM": 0, "HIGH": 0},
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 25, "HIGH": 0},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 25, "MEDIUM": 0, "HIGH": 0},
         }
         self.check_example("requests-missing-timeout.py", expect)