Synchronous Access of NNTP without Timeout
The nntplib.NNTP and nntplib.NNTP_SSL classes are used to connect to Network News Transfer Protocol (NNTP) servers for accessing Usenet articles. These classes establish network connections with NNTP servers, and by default they do not enforce a timeout on these connections. Without a timeout, the application may block indefinitely if the NNTP server is slow or unresponsive, leading to resource exhaustion, Denial of Service (DoS), or reduced application responsiveness.
This rule ensures that a timeout parameter is provided when creating instances of nntplib.NNTP or nntplib.NNTP_SSL, to prevent the risk of indefinite blocking.
Failing to specify a timeout in these classes may cause the application to block indefinitely while waiting for a response from the NNTP server. This can lead to Denial of Service (DoS) vulnerabilities or cause the application to become unresponsive.
Example
import nntplib
import ssl
nntp = nntplib.NNTP("nntp.example.com")
nntp.starttls(ssl.create_default_context())
Remediation
Always provide a timeout parameter when using nntplib.NNTP or nntplib.NNTP_SSL. This ensures that if the NNTP server is unreachable or unresponsive, the connection attempt will fail after a set period, preventing indefinite blocking and resource exhaustion.
Alternatively, the global default timeout can be set via socket.setdefaulttimeout(). This is a good option to enforce a consistent timeout for any network library that uses sockets, including nntplib.
import nntplib
import ssl
nntp = nntplib.NNTP("nntp.example.com", timeout=5)
nntp.starttls(ssl.create_default_context())
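The example below is added to this page and is not code from the rule's own documentation. It shows both remediations against a constructed, unresponsive server: a listening socket on 127.0.0.1 that completes the TCP handshake but never sends the NNTP greeting (the name start_silent_server and the attempt helper are this example's own). With an explicit timeout, or with socket.setdefaulttimeout(), nntplib.NNTP gives up after about one second instead of blocking forever; the raw-socket fallback exists only because nntplib was removed from the standard library in Python 3.13.

```python
import socket
import time

try:
    import nntplib  # deprecated in Python 3.11, removed from the stdlib in 3.13
except ImportError:
    nntplib = None


def start_silent_server():
    """Constructed stand-in for an unresponsive NNTP server: the kernel completes
    the TCP handshake because the socket is listening, but nobody ever sends the
    200/201 greeting that nntplib.NNTP waits for before its constructor returns."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def attempt(port, timeout=None, global_default=None):
    """Connect as nntplib.NNTP does (TCP connect, then read the greeting) and
    return ("timeout" | "connected", seconds). `timeout` is the explicit argument
    the rule asks for; `global_default` uses socket.setdefaulttimeout() instead."""
    kwargs = {} if timeout is None else {"timeout": timeout}
    previous = socket.getdefaulttimeout()
    if global_default is not None:
        socket.setdefaulttimeout(global_default)  # nntplib honours this when no timeout is passed
    start = time.monotonic()
    try:
        if nntplib is not None:
            nntplib.NNTP("127.0.0.1", port, **kwargs)
        else:  # Python 3.13+: mirror what NNTP.__init__ does with a raw socket
            with socket.create_connection(("127.0.0.1", port), **kwargs) as s:
                s.makefile("rb").readline()
        outcome = "connected"
    except (socket.timeout, TimeoutError):  # socket.timeout is the pre-3.10 name
        outcome = "timeout"
    finally:
        socket.setdefaulttimeout(previous)
    return outcome, round(time.monotonic() - start, 2)


def demo():
    """Both remediations from this page bound the wait to about one second."""
    srv, port = start_silent_server()
    try:
        return attempt(port, timeout=1.0), attempt(port, global_default=1.0)
    finally:
        srv.close()
```

Calling attempt(port) with neither argument is the flagged pattern: it would block indefinitely on this server, which is why the example never runs it.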
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY042) or the rule category name (no_timeout).
Using rule ID:
import nntplib
import ssl
# suppress: PY042
nntp = nntplib.NNTP("nntp.example.com")
nntp.starttls(ssl.create_default_context())

Using category name:
import nntplib
import ssl
# suppress: no_timeout
nntp = nntplib.NNTP("nntp.example.com")
nntp.starttls(ssl.create_default_context())