Synchronous Access of FTP without Timeout
The ftplib.FTP and ftplib.FTP_TLS classes are used to establish FTP connections for transferring files over the network. These classes, along with the ftplib.FTP.connect method, do not enforce a timeout by default: unless a timeout argument is passed (or a process-wide default has been set with socket.setdefaulttimeout()), the underlying socket blocks indefinitely if the FTP server accepts the connection but never answers, stops responding mid-transfer, or the network silently drops packets. A blocked call ties up its thread or worker process, along with any file descriptors, locks or database connections it holds, which can lead to resource exhaustion, Denial of Service (DoS), or reduced application responsiveness, especially in production environments.
This rule ensures that a timeout parameter is provided when creating instances of ftplib.FTP or ftplib.FTP_TLS, and when calling ftplib.FTP.connect, to prevent the risk of indefinite blocking during FTP operations.
Failing to specify a timeout in these classes may cause the application to block indefinitely while waiting for a response from the FTP server. This can lead to Denial of Service (DoS) vulnerabilities or cause the application to become unresponsive.
Example
import ftplib

# No timeout argument: the constructor connects immediately, and the socket
# blocks forever if ftp.example.com accepts the connection but never sends
# its welcome banner or a reply.
ftp_server = ftplib.FTP("ftp.example.com")
Remediation
Always provide a timeout parameter when using ftplib.FTP, ftplib.FTP_TLS, or ftplib.FTP.connect. This ensures that if the FTP server is unreachable or unresponsive, the connection attempt (and every later read on the control socket) fails with socket.timeout after a set period, preventing indefinite blocking and resource exhaustion. Pick a value that fits the expected round trip to the server; a few seconds is usually enough for the control connection.
Alternatively, the global default timeout can be set via socket.setdefaulttimeout(). This is a good option to enforce a consistent timeout for any network library that uses sockets, including ftplib. Note that the setting is process-wide and only applies to sockets created after it is set, so it must be configured at startup, before any FTP client is constructed, and it changes the behaviour of every other socket-based library in the process as well.

import ftplib

# Explicit timeout in seconds: connect() and every subsequent read on the
# control connection raise socket.timeout instead of blocking indefinitely.
ftp_server = ftplib.FTP("ftp.example.com", timeout=5)
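To show both remediation routes end to end, the following is an added example, not code from the original rule documentation. It starts a small local TCP listener that accepts connections but never sends an FTP banner (a constructed stand-in for an unresponsive server), then runs a directory listing against it once with per-call timeouts on the constructor and connect(), and once relying only on socket.setdefaulttimeout(). Both return a "timeout" marker within the configured time instead of hanging. The function names start_silent_server, list_directory and list_directory_global_default are hypothetical; everything else is the standard library.

```python
import ftplib
import socket
import threading


def start_silent_server():
    """Start a TCP listener on 127.0.0.1 that accepts connections but never
    sends the FTP welcome banner (constructed stand-in for a stalled FTP
    server). Returns (port, stop) where stop() shuts the listener down."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    listener.settimeout(0.2)                  # lets the accept loop poll `stop`
    stop = threading.Event()
    held = []

    def serve():
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
                held.append(conn)             # keep the connection open, send nothing
            except socket.timeout:
                continue
        for conn in held:
            conn.close()
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def list_directory(host, port, timeout, use_tls=False):
    """Connect with an explicit timeout on both the constructor and connect().
    Returns the directory listing, or the string "timeout" if the server
    stalls at any point (TCP connect, banner, login or the listing itself)."""
    client_cls = ftplib.FTP_TLS if use_tls else ftplib.FTP
    ftp = client_cls(timeout=timeout)         # no host here, so nothing connects yet
    try:
        ftp.connect(host, port, timeout=timeout)   # socket.create_connection(..., timeout)
        ftp.login()                                # anonymous login; never answered here
        return ftp.nlst()
    except socket.timeout:                         # alias of TimeoutError on Python 3.10+
        return "timeout"
    finally:
        ftp.close()                                # safe even if connect() failed


def list_directory_global_default(host, port, timeout):
    """Same operation relying on socket.setdefaulttimeout() instead of a
    per-call timeout. The default is process-wide and only affects sockets
    created after it is set, so it is restored on the way out."""
    previous = socket.getdefaulttimeout()
    socket.setdefaulttimeout(timeout)
    try:
        ftp = ftplib.FTP()                    # no timeout kwarg: inherits the global default
        try:
            ftp.connect(host, port)
            ftp.login()
            return ftp.nlst()
        except socket.timeout:
            return "timeout"
        finally:
            ftp.close()
    finally:
        socket.setdefaulttimeout(previous)


if __name__ == "__main__":
    port, stop = start_silent_server()
    try:
        print(list_directory("127.0.0.1", port, timeout=1))
        print(list_directory_global_default("127.0.0.1", port, timeout=1))
    finally:
        stop()
```

Without the timeout arguments, the same calls against this listener would block in connect() waiting for the welcome banner and never return; with them, the failure surfaces as a catchable socket.timeout within the configured number of seconds.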
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY045) or the rule category name (no_timeout).

Using rule ID:

import ftplib
# suppress: PY045
ftp_server = ftplib.FTP("ftp.example.com")

Using category name:

import ftplib
# suppress: no_timeout
ftp_server = ftplib.FTP("ftp.example.com")