add check for "requests" calls without timeout #743
Conversation
mschfh
requested review from
ericwb,
ghugo,
lukehinds and
sigmavirus24
as code owners
|
Confidence here should be low. Not specifying a timeout will rely on the operating system which tends to have same defaults in properly configured environments (read any production environment). Further many people use libraries that allow for a session level default on top of requests to bypass this exactly. Others wrap requests to specify it for each request by default. |
|
This also won't catch a scenario where the user builds a dictionary dynamically with a timeout value in it and lead to false reports. |
that is a very optimistic assumption for many production environments, default TCP timeouts can be quite high and there may be certain types of environments where those can't be adjusted on a system level (e.g. FaaS)
if that dict is built at runtime it would probably result in a false negative?
Is confidence just related to findings (higher confidence = false positives unlikely) or also the absence of findings (high confidence = false negatives unlikely)? |
The very code you wrote warns with unreasonable confidence if there is no static call argument named class Client:
def __init__(self, default_read_timeout=10.0, default_connect_timeout=5.0) -> :
self.default_read_timeout = default_read_timeout
self.default_connect_timeout = default_connect_timeout
self.session = requests.Session()
@property
def timeout(self) -> tuple[float, float]:
return (self.default_read_timeout, self.default_connect_timeout)
def request(self, method, url, **kwargs) -> requests.Response:
kwargs.setdefault('timeout', self.timeout)
# ... additional logic
return self.session.request(method, url, **kwargs)You're going to tell people, claiming you have high confidence you're correct, that this is insecure code.
It's based on experience at companies with any semblance of real production experience.
Confidence is related to the confidence in the accuracy of the findings. There can be no confidence here given the wide use of requests and the many ways in which it can be used (you're also only looking at the functional API, not session usage) |
|
Thanks for the elaboration, I fully agree and have changed the check to low confidence |
| @@ -0,0 +1,71 @@ | |||
| # -*- coding:utf-8 -*- | |||
There was a problem hiding this comment.
Not necessary unless there are unicode characters in this file.
There was a problem hiding this comment.
should I remove it?
most plugins seem to include the line, even if there are no unicode characters in the file
There was a problem hiding this comment.
Yes please. Recently Black was integrated as a format check. It'll flag this.
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
as mentioned in the requests documentation, not specifying a timeout argument can lead to a process hanging indefinitely, which may lead to a denial of service situation.