Skip to content

feat(rules): detect httpx for S113#12174

Merged
charliermarsh merged 1 commit intoastral-sh:mainfrom
mkniewallner:feat/detect-httpx-S113
Jul 3, 2024
Merged

feat(rules): detect httpx for S113#12174
charliermarsh merged 1 commit intoastral-sh:mainfrom
mkniewallner:feat/detect-httpx-S113

Conversation

@mkniewallner
Copy link
Copy Markdown
Contributor

@mkniewallner mkniewallner commented Jul 3, 2024
edited
Loading

Summary

Bandit now also reports B113 on httpx (PyCQA/bandit#1060). This PR implements the same logic, to detect missing or None timeouts for httpx alongside requests.

Test Plan

Snapshot tests.

charliermarsh
charliermarsh approved these changes Jul 3, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@charliermarsh charliermarsh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks -- this looks good to me!

@charliermarsh charliermarsh added the rule Implementing or modifying a lint rule label Jul 3, 2024
@mkniewallner mkniewallner marked this pull request as ready for review July 3, 2024 22:45
@charliermarsh charliermarsh merged commit 8210c1e into astral-sh:main Jul 3, 2024
@mkniewallner mkniewallner deleted the feat/detect-httpx-S113 branch July 4, 2024 07:00
@BrewTestBot BrewTestBot mentioned this pull request Jul 5, 2024
Merged
@jyggen
Copy link
Copy Markdown

jyggen commented Jul 5, 2024

Not sure a missing timeout is a problem since httpx uses 5s as default. The rule is about preventing the client from waiting indefinitely, which it never will in the case of httpx and a missing timeout. Setting timeout to None is still problematic though.

@trim21
Copy link
Copy Markdown
Contributor

trim21 commented Jul 6, 2024
edited
Loading

httpx has default timeout, this PR would be a false positive

https://www.python-httpx.org/advanced/timeouts/

HTTPX is careful to enforce timeouts everywhere by default.

The default behavior is to raise a TimeoutException after 5 seconds of network inactivity.

B113: Test for missing requests timeout
This plugin test checks for requests or httpx calls without a timeout specified.

Nearly all production code should use this parameter in nearly all requests, Failure to do so can cause your program to hang indefinitely.

trim21 added a commit to trim21/ruff that referenced this pull request Jul 6, 2024
@trim21
Revert "[flake8-bandit] Detect httpx for S113 (astral-sh#12174)"
57a90f2 
This reverts commit 8210c1e.
@trim21 trim21 mentioned this pull request Jul 6, 2024
Closed
@mkniewallner
Copy link
Copy Markdown
Contributor Author

mkniewallner commented Jul 6, 2024

Not sure a missing timeout is a problem since httpx uses 5s as default. The rule is about preventing the client from waiting indefinitely, which it never will in the case of httpx and a missing timeout. Setting timeout to None is still problematic though.

Indeed, really sorry for missing that obvious information, I should have better checked that.

@trim21
Copy link
Copy Markdown
Contributor

trim21 commented Jul 6, 2024

false positive fix #12213

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@charliermarsh charliermarsh charliermarsh approved these changes

Assignees

No one assigned

Labels

rule Implementing or modifying a lint rule

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mkniewallner @jyggen @trim21 @charliermarsh