python.requests.best-practice.use-timeout.use-timeout

Community Favorite
Author: semgrep
Download count: 31,905

Detected a 'requests' call without a timeout set. By default, 'requests' calls wait until the connection is closed. This means a 'requests' call without a timeout will hang the program if a response is never received. Consider setting a timeout for all 'requests'.


Definition

rules:
  - id: use-timeout
    pattern-either:
      - patterns:
          - pattern-not: requests.$W(..., timeout=$N, ...)
          - pattern-not: requests.$W(..., **$KWARGS)
          - pattern-either:
              - pattern: requests.request(...)
              - pattern: requests.get(...)
              - pattern: requests.post(...)
              - pattern: requests.put(...)
              - pattern: requests.delete(...)
              - pattern: requests.head(...)
              - pattern: requests.patch(...)
      - patterns:
          - pattern-inside: |
              $SESSION = requests.Session(...)
              ...
          - pattern-not: |
              $SESSION.$W(..., timeout=$N, ...)
          - pattern-not: |
              $SESSION.$W(..., **$KWARGS)
          - pattern-either:
              - pattern: $SESSION.get(...)
              - pattern: $SESSION.post(...)
              - pattern: $SESSION.put(...)
              - pattern: $SESSION.delete(...)
              - pattern: $SESSION.head(...)
              - pattern: $SESSION.patch(...)
    fix-regex:
      regex: (.*)\)$
      replacement: \1, timeout=30)
    message: Detected a 'requests' call without a timeout set. By default,
      'requests' calls wait until the connection is closed. This means a
      'requests' call without a timeout will hang the program if a response is
      never received. Consider setting a timeout for all 'requests'.
    languages:
      - python
    severity: WARNING
    metadata:
      category: best-practice
      references:
        - https://docs.python-requests.org/en/latest/user/advanced/?highlight=timeout#timeouts
        - https://requests.readthedocs.io/en/latest/user/quickstart/#timeouts
      technology:
        - requests
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
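To make the rule's clauses concrete, here is the same matching logic re-expressed as a stdlib `ast` checker. This is an added example, not Semgrep's implementation or the project's own code; `SAMPLE` is a constructed input modelled on the fixture below, and `missing_timeouts` and `_is_requests_attr` are hypothetical helper names.

```python
import ast

HTTP_METHODS = {"request", "get", "post", "put", "delete", "head", "patch"}

# Constructed input modelled on the page's fixture; not code from the project.
SAMPLE = '''import requests
from requests import get, post
url = "https://www.github.com"
r = requests.get(url)                        # flagged: no timeout
r = requests.get(url, timeout=50)            # ok
r = post(url)                                # flagged: from-import resolves to requests.post
r = requests.get(url, **{"timeout": 5})      # ok: a **kwargs splat may carry a timeout
session = requests.Session()
r = session.get(url)                         # flagged: Session method without timeout
r = session.get(url, timeout=3)              # ok
'''

def _is_requests_attr(func, attr):
    return (isinstance(func, ast.Attribute) and func.attr == attr
            and isinstance(func.value, ast.Name) and func.value.id == "requests")

def missing_timeouts(source):
    """Line numbers of requests/Session HTTP calls that pass neither timeout= nor **kwargs."""
    tree = ast.parse(source)
    imported, sessions = set(), set()
    # First pass: names bound by `from requests import ...` and by `x = requests.Session(...)`
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "requests":
            imported.update(a.asname or a.name for a in node.names)
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.Call) \
                and _is_requests_attr(node.value.func, "Session"):
            sessions.update(t.id for t in node.targets if isinstance(t, ast.Name))
    flagged = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            on_requests = f.value.id == "requests" and f.attr in HTTP_METHODS
            on_session = f.value.id in sessions and f.attr in HTTP_METHODS - {"request"}
            if not (on_requests or on_session):
                continue
        elif not (isinstance(f, ast.Name) and f.id in imported and f.id in HTTP_METHODS):
            continue
        # Mirror the two pattern-not clauses: an explicit timeout= (any value) or a **splat suppresses the finding
        if any(kw.arg == "timeout" or kw.arg is None for kw in node.keywords):
            continue
        flagged.append(node.lineno)
    return sorted(flagged)
```

As with the rule's `timeout=$N` clause, an explicit `timeout=None` counts as "set" even though it disables the timeout, so a passing scan shows intent was declared, not that the call cannot block.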

Examples

use-timeout.py

import requests

url = "https://www.github.com"
TIMEOUT = 10


def _get_default_headers():
    # Stub so the fixture imports cleanly; the rule only inspects the call sites below.
    return {"User-Agent": "use-timeout-fixture"}


def get_url():
    return url


# ruleid: use-timeout
r = requests.get(url)

# ruleid: use-timeout
r = requests.post(url)

# ok: use-timeout
r = requests.get(url, timeout=50)


def from_import_test1(url):
    from requests import get, post

    # ok: use-timeout
    r = get(url, timeout=3)

    # ruleid: use-timeout
    r = post(url)


def test2(headers=None, params=None, **kwargs):
    """Perform a requests.get with default headers set"""
    headers = {**_get_default_headers(), **(headers or {})}
    # ok: use-timeout
    r = requests.get(
        url, headers=headers, params=params, **{"timeout": TIMEOUT, **kwargs}
    )
    return r


def test3():
    session = requests.Session()
    # ruleid: use-timeout
    r = session.get(get_url())

    # ok: use-timeout
    r = session.get(url, timeout=3)