
Synchronous Access of requests without Timeout

📐 PY532
🏷️ no_timeout
ℹ️ CWE-1088 (Synchronous Access of Remote Resource without Timeout)
⚠️ Warning
🔒 Professional Plan

requests.get() and the other top-level helpers (requests.post(), requests.request() and the rest, as well as the corresponding Session methods) make a blocking HTTP request. Their timeout parameter defaults to None, which means the client waits indefinitely for the TCP connection to be established and then for each chunk of the response to arrive. If the server accepts the connection and then stops responding, or a network path silently drops packets, the calling thread blocks for as long as the peer stays silent. In a service that handles many requests this ties up threads, worker processes or connection-pool slots until none are left, a Denial of Service (DoS) condition; in a script it shows up as a process that never finishes.

This rule reports calls to requests.get() and similar functions that do not pass a timeout, so that an unresponsive server cannot block the caller indefinitely.

Example

import requests


requests.get("https://localhost")  # no timeout: blocks for as long as the server stays silent

Remediation

Always pass a timeout when calling requests.get and similar functions. The value is in seconds and bounds each wait on the underlying socket: a single number applies both to the connection attempt and to each read of the response, and a (connect, read) tuple sets the two separately, for example timeout=(3.05, 27). When a limit expires, requests raises requests.exceptions.ConnectTimeout or requests.exceptions.ReadTimeout (both subclasses of requests.exceptions.Timeout), so the caller can fail the operation, retry or report the outage instead of hanging.

Note what the parameter does not do: it is not a limit on the total duration of the request. A server that sends one more byte just before each read timeout expires can hold the connection open indefinitely. Where a hard deadline matters, combine the timeout with stream=True and a wall-clock check while iterating over the response, or run the call under an external deadline.

A global default can also be set via socket.setdefaulttimeout(), which applies to sockets created by any library that does not set a timeout of its own. Treat it as a safety net rather than a substitute: it is process-wide state that any module can change, it is invisible at the call site, and it does not satisfy this rule. An explicit timeout on each call remains the reliable control.

import requests


requests.get("https://localhost", timeout=5)  # at most 5 s to connect and 5 s per read before Timeout is raised
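The following is an added example, not code from the original page or from the rule's author; it assumes the requests package is installed and needs no network beyond loopback. The BlackholeServer class is a constructed fixture that completes the TCP handshake and then never answers, which is exactly the failure the rule is about. get_with_timeout() shows the remediated call with a (connect, read) tuple and the exception the caller sees; blocks_without_timeout() runs the unremediated call on a worker thread and reports that it is still blocked after a second, and only returns once the fixture is torn down and the peer closes the connection.

```python
import socket
import threading

import requests


class BlackholeServer:
    """Constructed fixture for this example: completes the TCP handshake
    and then never sends a byte, like a server that hangs after accept()."""

    def __init__(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        self._held = []
        threading.Thread(target=self._accept_forever, daemon=True).start()

    def _accept_forever(self):
        while True:
            try:
                conn, _ = self._sock.accept()
            except OSError:  # listening socket closed by close()
                return
            self._held.append(conn)  # keep it open, read and write nothing

    @property
    def url(self):
        return f"http://127.0.0.1:{self.port}/"

    def close(self):
        """Drop every held connection; a client blocked in recv() then sees EOF."""
        for conn in self._held:
            conn.close()
        self._sock.close()


def get_with_timeout(url, timeout=(1.0, 0.5)):
    """The remediated call: `timeout` is a (connect, read) pair in seconds.
    Returns a short outcome label instead of raising so callers can branch."""
    try:
        resp = requests.get(url, timeout=timeout)
        return f"ok:{resp.status_code}"
    except requests.exceptions.ConnectTimeout:
        return "connect-timeout"
    except requests.exceptions.ReadTimeout:
        return "read-timeout"
    except requests.exceptions.ConnectionError:
        return "connection-error"


def blocks_without_timeout(url, observe_for=1.0):
    """Run the unremediated call on a worker thread and report whether it is
    still blocked after `observe_for` seconds. Against a truly hung server the
    worker would never return; here it returns once the fixture is closed."""
    def worker():
        try:
            requests.get(url)  # no timeout: the call PY532 reports
        except requests.exceptions.RequestException:
            pass  # ConnectionError once the server tears the socket down

    t = threading.Thread(target=worker, daemon=True)
    t.start()
    t.join(observe_for)
    return t.is_alive()


def demo():
    server = BlackholeServer()
    try:
        remediated = get_with_timeout(server.url, timeout=(1.0, 0.5))
        unremediated_stuck = blocks_without_timeout(server.url, observe_for=1.0)
    finally:
        server.close()  # releases the worker thread blocked in recv()
    return remediated, unremediated_stuck


if __name__ == "__main__":
    print(demo())  # ('read-timeout', True)
```

The connect timeout never fires here because the kernel completes the handshake into the listen backlog even though the fixture never replies; it is the read timeout that ends the remediated call after half a second, while the unremediated call is still sitting in recv() a full second later and would stay there for as long as the server did.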

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY532) or rule category name (no_timeout).

import requests


# suppress: PY532
requests.get("https://localhost")
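To make the rule's logic and the suppression comment concrete, here is an added example of a minimal checker written for this page; it is not the rule's own implementation. It walks a module's AST for calls of the form requests.<func>(...), reports those with no timeout keyword or an explicit timeout=None, treats a **kwargs splat as unknown rather than reporting it, and honours a suppress comment naming PY532 or no_timeout on the flagged line or the line before it (the comment syntax is assumed from the text above; aliased imports and Session objects are deliberately out of scope). The SAMPLE source is constructed for the example.

```python
import ast
import re

# Top-level requests helpers whose `timeout` keyword defaults to None.
REQUEST_FUNCTIONS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}

# Assumed suppression syntax, following the page: a comment on the call's own
# line or on the line before it naming the rule ID or its category.
SUPPRESS_RE = re.compile(r"#\s*suppress:\s*(PY532|no_timeout)\b")


def _requests_callee(call):
    """Return 'requests.<func>' for calls of the form requests.<func>(...),
    else None. Aliased imports and Session objects are out of scope here."""
    func = call.func
    if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "requests" and func.attr in REQUEST_FUNCTIONS):
        return f"requests.{func.attr}"
    return None


def _has_effective_timeout(call):
    """True when the call passes a timeout other than None, or when a **kwargs
    splat might carry one (treated as unknown rather than reported)."""
    for kw in call.keywords:
        if kw.arg is None:  # **kwargs: cannot tell statically
            return True
        if kw.arg == "timeout":
            return not (isinstance(kw.value, ast.Constant) and kw.value.value is None)
    return False


def _suppressed(lines, lineno):
    """Honour a suppress comment on the flagged line or the one before it."""
    candidates = [lines[lineno - 1]]
    if lineno >= 2:
        candidates.append(lines[lineno - 2])
    return any(SUPPRESS_RE.search(line) for line in candidates)


def check_source(source):
    """Return sorted (lineno, callee) pairs for requests calls lacking a timeout."""
    tree = ast.parse(source)
    lines = source.splitlines()
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        callee = _requests_callee(node)
        if callee is None or _has_effective_timeout(node):
            continue
        if _suppressed(lines, node.lineno):
            continue
        findings.append((node.lineno, callee))
    return sorted(findings)


# Constructed input for this example; the line numbers in the comments are
# the ones check_source() reports.
SAMPLE = '''\
import requests

requests.get("https://localhost")                  # line 3: reported
requests.post("https://localhost", timeout=5)      # line 4: fine
requests.put("https://localhost", timeout=None)    # line 5: reported, None disables the timeout
# suppress: PY532
requests.head("https://localhost")                 # line 7: suppressed
opts = {"timeout": 3}
requests.delete("https://localhost", **opts)       # line 9: unknown, not reported
'''

if __name__ == "__main__":
    for lineno, callee in check_source(SAMPLE):
        print(f"{lineno}: PY532 no_timeout: {callee}() called without timeout")
```

Reporting an explicit timeout=None is the important design choice: it is the same as omitting the argument, and a suppress comment is the honest way to record that the indefinite wait is intended rather than hiding it behind a keyword that looks like a fix.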

See also