
[B113:request_without_timeout]: False positive issue #1010

Closed
Niraj-Kamdar opened this issue Apr 1, 2023 · 2 comments · Fixed by #1011
Assignees
Labels
bug Something isn't working

Comments

@Niraj-Kamdar

Describe the bug

Getting a false positive since I have a dict with `requests` as a suffix and I am using the `.get` method to get a value by key.

```python
from __future__ import annotations

from asyncio import Future
from typing import Dict

# Uri and UriPackageOrWrapper are the project's own types (not defined here).


class SomeClass:
    existing_requests: Dict[Uri, Future[UriPackageOrWrapper]]

    async def some_method(self, uri: Uri):
        ...
        # Plain dict lookup; unrelated to the requests HTTP library
        if existing_request := self.existing_requests.get(uri):
            uri_package_or_wrapper = await existing_request
        ...
```

This results in the following false positive:

```text
>> Issue: [B113:request_without_timeout] Requests call without timeout
   Severity: Medium   Confidence: Low
   CWE: CWE-400 (https://cwe.mitre.org/data/definitions/400.html)
   More Info: https://bandit.readthedocs.io/en/1.7.5/plugins/b113_request_without_timeout.html
   Location: polywrap_uri_resolvers/resolvers/cache/request_synchronizer_resolver.py:104:31
103	
104	        if existing_request := self.existing_requests.get(uri):
105	            uri_package_or_wrapper = await existing_request

--------------------------------------------------
```

Reproduction steps

1. Write a simple script where you use a dictionary with `requests` as its suffix and use the `get` method on it.
2. Run Bandit on the script and you will get the same false positive.

Expected behavior

It should only mark requests from the actual requests package as an issue. Other cases would be false positives.

Bandit version

1.7.5 (Default)

Python version

3.10

Additional context

No response

@Niraj-Kamdar Niraj-Kamdar added the bug Something isn't working label Apr 1, 2023
@ericwb ericwb self-assigned this Apr 2, 2023
ericwb added a commit to ericwb/bandit that referenced this issue Apr 2, 2023
Fixes false positive detecting the usage of the requests module
without a timeout. This resolves cases of modules with the word
"requests" in the name, but does not match the actual popular
third-party module "requests".

The fix checks the fully qualified name and ensures index 0 is
"requests". Previously, the code was matching any module name with
"requests" in it.

Fixes PyCQA#1010

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb added a commit that referenced this issue Apr 2, 2023
Fixes false positive detecting the usage of the requests module
without a timeout. This resolves cases of modules with the word
"requests" in the name, but does not match the actual popular
third-party module "requests".

The fix checks the fully qualified name and ensures index 0 is
"requests". Previously, the code was matching any module name with
"requests" in it.

Fixes #1010

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
@wRAR

wRAR commented Apr 21, 2023

I'm not sure if this is actually fixed by the linked PR, the code looks like it will still trip on a dictionary called requests?
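As an added example (not Bandit's code and not posted by anyone in this thread), the snippet below re-implements, in simplified form, the name check the commit message describes and runs it over a constructed sample: the pre-fix substring rule flags the dict lookup from the issue, the post-fix "index 0 must be `requests`" rule does not, and, as wRAR points out, both rules still flag a dictionary that is itself named `requests`. The qualified-name construction and the `timeout=` keyword check are simplifications assumed here, not Bandit's own import-resolution logic.

```python
import ast

HTTP_VERBS = {"get", "options", "head", "post", "put", "patch", "delete"}


def qualname(node):
    """Dotted name of a call target, e.g. 'self.existing_requests.get' (simplified)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_requests_call_naive(qual):
    # Pre-fix rule from the commit message: "requests" anywhere in the name matches.
    parts = qual.split(".")
    return "requests" in qual and parts[-1] in HTTP_VERBS


def is_requests_call_fixed(qual):
    # Post-fix rule: index 0 of the qualified name must be exactly "requests".
    parts = qual.split(".")
    return parts[0] == "requests" and parts[-1] in HTTP_VERBS


def find_calls(source, predicate):
    """(lineno, qualname) of every matching call that passes no timeout= keyword."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        qual = qualname(node.func)
        if qual and predicate(qual):
            if not any(kw.arg == "timeout" for kw in node.keywords):
                hits.append((node.lineno, qual))
    return sorted(hits)


# Constructed sample; line numbers below refer to lines of this string.
SAMPLE = """import requests
requests.get("https://example.invalid/")
requests.get("https://example.invalid/", timeout=5)
self.existing_requests.get(uri)
requests = {}
requests.get("key")
"""

if __name__ == "__main__":
    print("before fix:", find_calls(SAMPLE, is_requests_call_naive))  # lines 2, 4, 6
    print("after fix: ", find_calls(SAMPLE, is_requests_call_fixed))  # lines 2, 6
```

Line 6 is a dict named `requests`, so a purely name-based rule cannot tell it apart from the HTTP library; distinguishing the two would require resolving what the name `requests` is bound to.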

@yozachar

I still face the same issue.

```text
$ bandit -r . -c pyproject.toml
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    using config: pyproject.toml
[main]  INFO    running on Python 3.11.3
Run started:2023-08-17 05:39:50.211075

Test results:
>> Issue: [B113:request_without_timeout] Requests call without timeout
   Severity: Medium   Confidence: Low
   CWE: CWE-400 (https://cwe.mitre.org/data/definitions/400.html)
   More Info: https://bandit.readthedocs.io/en/1.7.5/plugins/b113_request_without_timeout.html
   Location: ./main.py:353:20
352             if (
353                 resp := rq_get(
354                     url=f"{str(wk_i.api_base_url).rstrip('/')}/v1/users/current/stats/{wk_i.time_range}",
355                     headers={
356                         "Authorization": f"Basic {encoded_key}",
357                         "User-Agent": fake_ua,
358                     },
359                     timeout=(30.0 * (5 - attempts)),
360                 )
361             ).status_code != 200:

--------------------------------------------------

Code scanned:
        Total lines of code: 392
        Total lines skipped (#nosec): 0

Run metrics:
        Total issues (by severity):
                Undefined: 0
                Low: 0
                Medium: 1
                High: 0
        Total issues (by confidence):
                Undefined: 0
                Low: 1
                Medium: 0
                High: 0
Files skipped (0):
$ bandit --version
bandit 1.7.5
  python version = 3.11.3 (main, Jun  5 2023, 09:32:32) [GCC 13.1.1 20230429]
```

pyproject.toml:

```toml
[tool.bandit]
exclude_dirs = [".github", "tests", ".venv", ".vscode"]
```
