B113: request_without_timeout

B113: Test for missing requests timeout

This plugin test checks for requests or httpx calls without a timeout specified.

Nearly all production code should use this parameter in nearly all requests, Failure to do so can cause your program to hang indefinitely.

When request methods are used without the timeout parameter set, Bandit will return a MEDIUM severity error.

Example:

>> Issue: [B113:request_without_timeout] Call to requests without timeout
   Severity: Medium   Confidence: Low
   CWE: CWE-400 (https://cwe.mitre.org/data/definitions/400.html)
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b113_request_without_timeout.html
   Location: examples/requests-missing-timeout.py:3:0
2
3   requests.get('https://gmail.com')
4   requests.get('https://gmail.com', timeout=None)

--------------------------------------------------
>> Issue: [B113:request_without_timeout] Call to requests with timeout set to None
   Severity: Medium   Confidence: Low
   CWE: CWE-400 (https://cwe.mitre.org/data/definitions/400.html)
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b113_request_without_timeout.html
   Location: examples/requests-missing-timeout.py:4:0
3   requests.get('https://gmail.com')
4   requests.get('https://gmail.com', timeout=None)
5   requests.get('https://gmail.com', timeout=5)

See also

• https://requests.readthedocs.io/en/latest/user/advanced/#timeouts

Added in version 1.7.5.

Changed in version 1.7.10: Added check for httpx module