From af6b4360a9db0ed194c11562007acfef2baa50d0 Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Sun, 2 Apr 2023 07:39:56 -0700
Subject: [PATCH] Improper detection of non-requests module (#1011)

Fixes false postive detecting the usage of the requests module without a timeout. This resolves cases of modules with the word "requests" in the name, but does not match the actual popular third-party module "requests". The fix checks the fully qualified name and ensures index 0 is "requests". Previously, the code was match any module name with "requests" in it.

Fixes #1010

Signed-off-by: Eric Brown
---
 bandit/plugins/request_without_timeout.py | 7 +++----
 examples/requests-missing-timeout.py | 4 ++++
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/bandit/plugins/request_without_timeout.py b/bandit/plugins/request_without_timeout.py
index 9aa80bfa8..a418b6cc0 100644
--- a/bandit/plugins/request_without_timeout.py
+++ b/bandit/plugins/request_without_timeout.py
@@ -52,10 +52,9 @@
 @test.test_id("B113")
 def request_without_timeout(context):
     http_verbs = ("get", "options", "head", "post", "put", "patch", "delete")
-    if (
-        "requests" in context.call_function_name_qual
-        and context.call_function_name in http_verbs
-    ):
+    qualname = context.call_function_name_qual.split(".")[0]
+
+    if qualname == "requests" and context.call_function_name in http_verbs:
         # check for missing timeout
         if context.check_call_arg_value("timeout") is None:
             return bandit.Issue(
diff --git a/examples/requests-missing-timeout.py b/examples/requests-missing-timeout.py
index 75cb5a7ff..38f24440a 100644
--- a/examples/requests-missing-timeout.py
+++ b/examples/requests-missing-timeout.py
@@ -1,4 +1,5 @@
 import requests
+import not_requests
 requests.get('https://gmail.com')
 requests.get('https://gmail.com', timeout=None)
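Review bot: The new comparison `qualname == "requests"` only looks at the first dotted component, so the name `qualname` on the added assignment is now misleading — it holds the top-level module, not the qualified name; `top_module = context.call_function_name_qual.split(".", 1)[0]` with the comment `# exact match on the top-level package; a substring test also matched modules such as not_requests (#1010)` would read more honestly. If `call_function_name_qual` can ever be an empty string (a call made on the result of another call, for instance), the first component is `""` and the call is silently skipped, a false-negative class this change does not address; whether that can happen depends on how bandit builds the qualified name, which is outside the hunk. The first-component test also only catches aliased imports (`import requests as r`) if the qualified name is already alias-resolved, presumably by the node visitor. The body of request_without_timeout continues past the hunk, so the remaining timeout checks were not reviewed here.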
@@ -21,3 +22,6 @@
 requests.head('https://gmail.com')
 requests.head('https://gmail.com', timeout=None)
 requests.head('https://gmail.com', timeout=5)
+
+# Okay
+not_requests.get('https://gmail.com')
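Review bot: The added negative case `not_requests.get('https://gmail.com')` pins only the unrelated-module branch of the new check; a positive case through an alias, such as `import requests as r` followed by `r.get('https://gmail.com')`, would also pin that the first-component comparison still fires once the import alias is resolved, assuming bandit resolves aliases before building the qualified name. Without such a line a regression in alias handling would pass this fixture unnoticed.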