requests-timeout

python-security | Safety | Warning


CWE-1088

Access to remote resources should always use a timeout, and the code should handle the timeout and recover from it appropriately. When calling requests.get, requests.put, requests.patch, etc., always pass a timeout argument.

Learn More

  • CWE-1088 - Synchronous Access of Remote Resource without Timeout
  • Python Best Practices: always use a timeout with the requests library

AST Rule: function call


requests-timeout

function visit(node) {
  if (!node.arguments || !node.arguments.values || !node.context) {
    return;
  }

  const functions = ["post", "get", "put", "patch"];

  if (!node.functionName || !functions.includes(node.functionName.value)) {
    return;
  }

  const args = node.arguments.values;

  // True when the file has a plain `import requests`
  const allPackages = node.context.imports
    .filter(r => r.packages)
    .flatMap(i => i.packages.map(p => p.name.str));
  const useRequestsPackage = allPackages.includes("requests");

  // True when the call already carries a `timeout=` keyword argument
  const hasTimeout = args.some(a => a.name && a.name.value === "timeout");
  if (hasTimeout) {
    return;
  }

  functions.forEach(functionName => {
    // True when the file has `from requests import <functionName>`
    const importFrom = node.context.imports
      .filter(r => r.pkg && r.pkg.value === "requests" && r.elements
        && r.elements.filter(e => e.name).map(e => e.name.value).includes(functionName));
    const useImportFrom = importFrom.length > 0;

    const isModuleCall = useRequestsPackage && node.moduleOrObject
      && node.moduleOrObject.value === "requests" && node.functionName.value === functionName;
    const isBareCall = useImportFrom && node.functionName.value === functionName;

    if (isModuleCall || isBareCall) {
      const error = buildError(node.start.line, node.start.col, node.end.line, node.end.col,
        "timeout not defined", "CRITICAL", "SAFETY");
      // Offer the automatic fix only when there is a last argument to append after
      if (args.length > 0) {
        const lastArg = args[args.length - 1];
        const edit = buildEditAdd(lastArg.end.line, lastArg.end.col, ", timeout=5");
        const fix = buildFix("add timeout argument", [edit]);
        addError(error.addFix(fix));
      } else {
        addError(error);
      }
    }
  });
}

test-import-from.py

Expected test result: has error

from requests import get
r = get(w, verify=False)
r = get(w, verify=False, timeout=10)

no-requests-package-used.py

Expected test result: no error

Do not use the requests package: no error raised

r = requests.put(w, verify=False)

requests-put-no-timeout.py

Expected test result: has error

import requests
r = requests.put(w, verify=False)

requests-get-with-timeout.py

Expected test result: no error

All calls to requests.get have a parameter

requests-get-no-timeout.py

Expected test result: has error

Missing timeout parameter in requests.get call
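The same check as a stand-alone Python script, added here as an example and not part of Codiga's rule or engine: it uses the standard-library ast module to flag the calls the rule above targets, covering the `import requests` and `from requests import get` forms of the test files and, going one step beyond the rule, `import requests as rq` and aliased from-imports. The sample source is constructed and is only parsed, never executed.

```python
import ast

FUNCTIONS = {"get", "post", "put", "patch"}


def find_missing_timeouts(source: str) -> list:
    """Return sorted (line, call_name) pairs for requests calls lacking timeout=."""
    tree = ast.parse(source)
    module_aliases = set()   # local names bound to the requests module
    imported_funcs = {}      # local name -> requests function name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "requests":
                    module_aliases.add(alias.asname or "requests")
        elif isinstance(node, ast.ImportFrom) and node.module == "requests":
            for alias in node.names:
                if alias.name in FUNCTIONS:
                    imported_funcs[alias.asname or alias.name] = alias.name
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = None
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in module_aliases and func.attr in FUNCTIONS):
            name = f"{func.value.id}.{func.attr}"   # requests.get / rq.get
        elif isinstance(func, ast.Name) and func.id in imported_funcs:
            name = func.id                          # get / do_post
        if name is None:
            continue
        # A timeout= keyword satisfies the check. A **kwargs splat (kw.arg is None)
        # is treated as possibly carrying it, so it is not flagged (conservative).
        has_timeout = any(kw.arg == "timeout" or kw.arg is None for kw in node.keywords)
        if not has_timeout:
            findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample; undefined names are fine because it is only parsed.
SAMPLE = """\
import requests
import requests as rq
from requests import get, post as do_post

r1 = requests.put(url, verify=False)
r2 = rq.get(url)
r3 = get(url, verify=False)
r4 = do_post(url, json={})
r5 = requests.get(url, timeout=10)
r6 = get(url, verify=False, timeout=10)
r7 = other.get(url)
"""

if __name__ == "__main__":
    for line, call in find_missing_timeouts(SAMPLE):
        print(f"line {line}: {call} has no timeout")
```

Lines 5 to 8 of the sample are reported; the two calls with `timeout=` and the call on an unrelated object are not.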

Codiga – All rights reserved 2022.