[B113:request_without_timeout]: False positive issue #1010
Assignees
Labels
bug
Something isn't working
Comments
ericwb
added a commit
to ericwb/bandit
that referenced
this issue
Apr 2, 2023
Fixes false postive detecting the usage of the requests module without a timeout. This resolves cases of modules with the word "requests" in the name, but does not match the actual popular third-party module "requests". The fix checks the fully qualified name and ensures index 0 is "requests". Previously, the code was match any module name with "requests" in it. Fixes PyCQA#1010 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb
added a commit
to ericwb/bandit
that referenced
this issue
Apr 2, 2023
Fixes false postive detecting the usage of the requests module without a timeout. This resolves cases of modules with the word "requests" in the name, but does not match the actual popular third-party module "requests". The fix checks the fully qualified name and ensures index 0 is "requests". Previously, the code was match any module name with "requests" in it. Fixes PyCQA#1010 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb
added a commit
that referenced
this issue
Apr 2, 2023
Fixes false postive detecting the usage of the requests module without a timeout. This resolves cases of modules with the word "requests" in the name, but does not match the actual popular third-party module "requests". The fix checks the fully qualified name and ensures index 0 is "requests". Previously, the code was match any module name with "requests" in it. Fixes #1010 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
|
I'm not sure if this is actually fixed by the linked PR, the code looks like it will still trip on a dictionary called |
|
I still face the same issue. $ bandit -r . -c pyproject.toml
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO using config: pyproject.toml
[main] INFO running on Python 3.11.3
Run started:2023-08-17 05:39:50.211075
Test results:
>> Issue: [B113:request_without_timeout] Requests call without timeout
Severity: Medium Confidence: Low
CWE: CWE-400 (https://cwe.mitre.org/data/definitions/400.html)
More Info: https://bandit.readthedocs.io/en/1.7.5/plugins/b113_request_without_timeout.html
Location: ./main.py:353:20
352 if (
353 resp := rq_get(
354 url=f"{str(wk_i.api_base_url).rstrip('/')}/v1/users/current/stats/{wk_i.time_range}",
355 headers={
356 "Authorization": f"Basic {encoded_key}",
357 "User-Agent": fake_ua,
358 },
359 timeout=(30.0 * (5 - attempts)),
360 )
361 ).status_code != 200:
--------------------------------------------------
Code scanned:
Total lines of code: 392
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 0
Medium: 1
High: 0
Total issues (by confidence):
Undefined: 0
Low: 1
Medium: 0
High: 0
Files skipped (0):
$ bandit --version
bandit 1.7.5
python version = 3.11.3 (main, Jun 5 2023, 09:32:32) [GCC 13.1.1 20230429]
[tool.bandit]
exclude_dirs = [".github", "tests", ".venv", ".vscode"] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Getting false positive since I have dict with
requestsas a suffix and I am using.getmethod to get value by key.This results in following false positive:
Reproduction steps
Expected behavior
It should only mark
requestsfrom the actualrequestspackage as an issue. Other cases would be false positives.Bandit version
1.7.5 (Default)
Python version
3.10
Additional context
No response
The text was updated successfully, but these errors were encountered: