Problem

.bandit adds B113 (request_without_timeout) as a global skip with the comment:

    all 21 instances in test files (not production)

However, this globally silences B113 for ALL code, not just test files. Any future production code using requests.* without a timeout= parameter will pass CI without a warning.

The pre-commit bandit hook correctly excludes test files via the pattern:

    exclude: (_test\.py|\.e2e_test\.py|\.integration_test\.py|\.performance_test\.py|conftest\.py)$

But .bandit (used by CI) only has exclude_dirs: [tests] — which does not match colocated test files. The global skip was added as a workaround for this structural mismatch.
Discovered During
Code review of PR #2164 (#2128).
Impact
Medium — currently all instances ARE in test files, but the global skip permanently disables detection of missing timeouts in future production code (CWE-400 DoS risk).
Fix Options

- Remove B113 from global skips and add colocated test file exclusion patterns to .bandit:

      exclude_dirs:
        - tests
        - "*_test.py"
        - "*.e2e_test.py"
        - "*.integration_test.py"
        - "*.performance_test.py"
        - "conftest.py"

- Or add per-file # nosec B113 annotations to the ~21 test callsites
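To make the difference between the two exclusion strategies concrete, here is an added example (not bandit's code and not part of this issue or the project): a deliberately simplified stand-in for the B113 check, run over a constructed two-file tree with the pre-commit filename pattern quoted above. With the global skip nothing is reported; with filename-based exclusion the colocated test file is still skipped but the production callsite without timeout= is caught. The REQUESTS_FUNCS set and the sample files are assumptions made for the example.

```python
import ast
import re

# Colocated test-file pattern copied from the pre-commit hook quoted in the issue.
TEST_FILE_RE = re.compile(
    r"(_test\.py|\.e2e_test\.py|\.integration_test\.py|\.performance_test\.py|conftest\.py)$"
)
# requests entry points this toy check recognises (assumption for the example, not bandit's list).
REQUESTS_FUNCS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def missing_timeout_calls(source):
    """Line numbers of requests.<func>(...) calls that have no timeout= keyword.

    Simplified stand-in for B113 written for this example; it only sees calls
    spelled literally as requests.<func>(...)."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        base = node.func.value
        if isinstance(base, ast.Name) and base.id == "requests" and node.func.attr in REQUESTS_FUNCS:
            if not any(kw.arg == "timeout" for kw in node.keywords):
                hits.append(node.lineno)
    return hits


def scan(files, skip_b113_globally):
    """Findings per path. Test files are dropped by filename (as the pre-commit hook
    does); a global skip (the current .bandit) suppresses every file, test or not."""
    findings = {}
    for path, src in files.items():
        if skip_b113_globally or TEST_FILE_RE.search(path):
            continue
        lines = missing_timeout_calls(src)
        if lines:
            findings[path] = lines
    return findings


# Constructed sample tree: a colocated test file next to a production module.
SAMPLE_FILES = {
    "pkg/client_test.py": "import requests\nr = requests.get('http://example.invalid')\n",
    "pkg/client.py": (
        "import requests\n"
        "def fetch(url):\n"
        "    return requests.get(url)\n"             # line 3: no timeout, should be flagged
        "def fetch_safe(url):\n"
        "    return requests.get(url, timeout=5)\n"  # line 5: has timeout
    ),
}

if __name__ == "__main__":
    print("global skip:", scan(SAMPLE_FILES, skip_b113_globally=True))            # {}
    print("filename exclusion:", scan(SAMPLE_FILES, skip_b113_globally=False))    # {'pkg/client.py': [3]}
```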