From 3d60e0bd830af9d737030b3f4cf2ec985dc33e97 Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Fri, 27 Sep 2024 15:33:57 -0700
Subject: [PATCH] No need to check httpx client without timeout defined

Unlike python-requests, the httpx client has a default timeout of 5 seconds on its class and functions. As such, there is no need for Bandit to check for an undefined timeout. However, explicitly setting the timeout to None is still a potential problem as that would create a situtation where the client would block forever.

Fixes: #1175

Signed-off-by: Eric Brown
---
 bandit/plugins/request_without_timeout.py | 16 ++++++++++------
 tests/functional/test_functional.py | 4 ++--
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/bandit/plugins/request_without_timeout.py b/bandit/plugins/request_without_timeout.py
index d571a49ea..958c9b45f 100644
--- a/bandit/plugins/request_without_timeout.py
+++ b/bandit/plugins/request_without_timeout.py
@@ -59,12 +59,7 @@ def request_without_timeout(context):
 HTTPX_ATTRS = {"request", "stream", "Client", "AsyncClient"} | HTTP_VERBS
 qualname = context.call_function_name_qual.split(".")[0]
- if (
- qualname == "requests"
- and context.call_function_name in HTTP_VERBS
- or qualname == "httpx"
- and context.call_function_name in HTTPX_ATTRS
- ):
+ if qualname == "requests" and context.call_function_name in HTTP_VERBS:
 # check for missing timeout
 if context.check_call_arg_value("timeout") is None:
 return bandit.Issue(
@@ -81,3 +76,12 @@ def request_without_timeout(context):
 cwe=issue.Cwe.UNCONTROLLED_RESOURCE_CONSUMPTION,
 text=f"Call to {qualname} with timeout set to None",
 )
+ if qualname == "httpx" and context.call_function_name in HTTPX_ATTRS:
+ # check for timeout=None
+ if context.check_call_arg_value("timeout", "None"):
+ return bandit.Issue(
+ severity=bandit.MEDIUM,
+ confidence=bandit.LOW,
+ cwe=issue.Cwe.UNCONTROLLED_RESOURCE_CONSUMPTION,
+ text=f"Call to {qualname} with timeout set to None",
+ )
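Review bot: In the second hunk the new httpx branch only recognises a literal `None` passed directly as `timeout=`, so a call that disables the timeout through a name bound to None (or an `httpx.Timeout` object built around None) produces no finding, and the `# check for timeout=None` comment does not say why a missing timeout is acceptable for httpx while the requests branch above still reports it. Recording the rationale from the commit message keeps the asymmetry from reading as an oversight: `# httpx defaults to a 5-second timeout, so only an explicit timeout=None disables it`. The `bandit.Issue(...)` for the None case appears to be built identically in both branches (the `cwe=` and `text=` lines of the requests copy are visible in the context above), so one `timeout=None` check covering both libraries followed by the requests-only missing-timeout check would avoid the duplication. If the plugin's module docstring above this function still describes httpx as checked for a missing timeout, it needs the same update; the body of request_without_timeout starts outside this hunk.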
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index d8241142b..c37c5fcef 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -411,8 +411,8 @@ def test_requests_ssl_verify_disabled(self):
 def test_requests_without_timeout(self):
 """Test for the `requests` library missing timeouts."""
 expect = {
- "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 36, "HIGH": 0},
- "CONFIDENCE": {"UNDEFINED": 0, "LOW": 36, "MEDIUM": 0, "HIGH": 0},
+ "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 25, "HIGH": 0},
+ "CONFIDENCE": {"UNDEFINED": 0, "LOW": 25, "MEDIUM": 0, "HIGH": 0},
 }
 self.check_example("requests-missing-timeout.py", expect)
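Review bot: The expectation change from 36 to 25 is only an aggregate count, so this test cannot show that the remaining findings still include the httpx `timeout=None` calls the commit intends to keep reporting; the fixture `requests-missing-timeout.py` is not touched by this patch, so its httpx calls presumably now split into silent ones and reported ones without anything pinning which is which. A positive assertion on at least one httpx `timeout=None` line (if the functional suite has a per-line helper; none is visible here) would lock in the new behaviour rather than the total. The docstring could also reflect what the example now exercises, e.g. `"""Test for the `requests` and `httpx` libraries with missing or disabled timeouts."""`.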