"Call to httpx without timeout" when httpx has timeout by default #1175
Comments
|
Having the same issue. Interestingly, explicitly specifying the timeout in the client constructor doesn't have any effect either |
|
it seems to only accepts int. float is raising an issue as well, while it's valid according to type hints |
|
This is a current limitation on how Bandit does analysis. It currently doesn't track the flow of data. So if an object is constructed with a timeout in httpx.AsyncClient(), it won't know later that the client instance has a timeout set. Likewise, someone could set the global socket timeout via socket.setdefaulttimeout(), but Bandit would also have no knowledge of that and assume the timeout is unset. There was so discussion on this when the plugin was added. I would argue that most applications don't set global timeout, but they should set it to a reasonable wait time like 5 seconds (or user configurable for the application). The issue raised by Bandit would bring awareness to do that hopefully and then users could skip this test ID. |
|
@ericwb I read the issue and the PR which added To be absolutely clear in case it was misunderstood:
Therefore, there is no need to remind a developer to set timeouts with Please stop alerting |
|
@ubernostrum I might be confusing myself with the PR introducing checks on timeouts for python-requests. Thanks for the link to the httpx docs and clarification. I would agree there is no need to check for an undefined timeout value in parameter. |
Unlike python-requests, the httpx client has a default timeout of 5 seconds on its class and functions. As such, there is no need for Bandit to check for an undefined timeout. However, explicitly setting the timeout to None is still a potential problem as that would create a situtation where the client would block forever. Fixes: PyCQA#1175 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Unlike python-requests, the httpx client has a default timeout of 5 seconds on its class and functions. As such, there is no need for Bandit to check for an undefined timeout. However, explicitly setting the timeout to None is still a potential problem as that would create a situtation where the client would block forever. Fixes: PyCQA#1175 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Unlike python-requests, the httpx client has a default timeout of 5 seconds on its class and functions. As such, there is no need for Bandit to check for an undefined timeout. However, explicitly setting the timeout to None is still a potential problem as that would create a situtation where the client would block forever. Fixes: PyCQA#1175 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Unlike python-requests, the httpx client has a default timeout of 5 seconds on its class and functions. As such, there is no need for Bandit to check for an undefined timeout. However, explicitly setting the timeout to None is still a potential problem as that would create a situtation where the client would block forever. Fixes: PyCQA#1175 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Describe the bug
httpx library implements timeout by default : https://www.python-httpx.org/advanced/timeouts/ and release 1.7.10 introduces B113:request_without_timeout on httpx calls.
IMO, only calls specifying
timeout=Noneshould raise an issue.Reproduction steps
Expected behavior
bandit should not raise an issue in this case.
Bandit version
1.7.10
Python version
3.11
The text was updated successfully, but these errors were encountered: