fix: Fix B113 false positives due to positional params
What
Previously, we would report false positives on missing timeouts because positional parameters masked the timeout keyword when headers were also present. By introducing an extra ellipsis in the pattern, we can handle the optional params better.
Relates to gitlab-org/gitlab#395227 (closed)
Example
Before
root@3eece88d9e8e:/src/python/requests# semgrep --config rule-request_without_timeout.yml
Scanning 1 file.
┌─────────┐
│ Results │
└─────────┘
Findings:
test-request_without_timeout.py
python/requests/rule-request_without_timeout
Requests call without timeout can cause your program to hang indefinitely.
4┆ requests.get('https://gmail.com')
⋮┆----------------------------------------
5┆ requests.get('https://gmail.com', timeout=None)
⋮┆----------------------------------------
7┆ requests.get('https://gmail.com', timeout=5, headers={'authorization': f'token 8675309'})
⋮┆----------------------------------------
8┆ requests.get('https://gmail.com', headers={'authorization': f'token 8675309'}, timeout=5)
⋮┆----------------------------------------
9┆ requests.post('https://gmail.com')
⋮┆----------------------------------------
10┆ requests.post('https://gmail.com', timeout=None)
⋮┆----------------------------------------
12┆ requests.post('https://gmail.com', timeout=5, headers={'authorization': f'token 8675309'})
⋮┆----------------------------------------
13┆ requests.post('https://gmail.com', headers={'authorization': f'token 8675309'}, timeout=5)
⋮┆----------------------------------------
14┆ requests.put('https://gmail.com')
⋮┆----------------------------------------
15┆ requests.put('https://gmail.com', timeout=None)
⋮┆----------------------------------------
17┆ requests.put('https://gmail.com', timeout=5, headers={'authorization': f'token 8675309'})
⋮┆----------------------------------------
18┆ requests.put('https://gmail.com', headers={'authorization': f'token 8675309'}, timeout=5)
⋮┆----------------------------------------
19┆ requests.delete('https://gmail.com')
⋮┆----------------------------------------
20┆ requests.delete('https://gmail.com', timeout=None)
⋮┆----------------------------------------
22┆ requests.delete('https://gmail.com', timeout=5, headers={'authorization': f'token 8675309'})
⋮┆----------------------------------------
23┆ requests.delete('https://gmail.com', headers={'authorization': f'token 8675309'}, timeout=5)
⋮┆----------------------------------------
24┆ requests.patch('https://gmail.com')
⋮┆----------------------------------------
25┆ requests.patch('https://gmail.com', timeout=None)
⋮┆----------------------------------------
27┆ requests.patch('https://gmail.com', timeout=5, headers={'authorization': f'token 8675309'})
⋮┆----------------------------------------
28┆ requests.patch('https://gmail.com', headers={'authorization': f'token 8675309'}, timeout=5)
⋮┆----------------------------------------
29┆ requests.options('https://gmail.com')
⋮┆----------------------------------------
30┆ requests.options('https://gmail.com', timeout=None)
⋮┆----------------------------------------
32┆ requests.options('https://gmail.com', timeout=5, headers={'authorization': f'token 8675309'})
⋮┆----------------------------------------
33┆ requests.options('https://gmail.com', headers={'authorization': f'token 8675309'}, timeout=5)
⋮┆----------------------------------------
34┆ requests.head('https://gmail.com')
⋮┆----------------------------------------
35┆ requests.head('https://gmail.com', timeout=None)
⋮┆----------------------------------------
37┆ requests.head('https://gmail.com', timeout=5, headers={'authorization': f'token 8675309'})
⋮┆----------------------------------------
38┆ requests.head('https://gmail.com', headers={'authorization': f'token 8675309'}, timeout=5)
┌──────────────┐
│ Scan Summary │
└──────────────┘
Ran 1 rule on 1 file: 28 findings.
After
root@3eece88d9e8e:/src/python/requests# semgrep --config rule-request_without_timeout.yml
Scanning 1 file.
┌─────────┐
│ Results │
└─────────┘
Findings:
test-request_without_timeout.py
python/requests/rule-request_without_timeout
Requests call without timeout can cause your program to hang indefinitely.
4┆ requests.get('https://gmail.com')
⋮┆----------------------------------------
5┆ requests.get('https://gmail.com', timeout=None)
⋮┆----------------------------------------
9┆ requests.post('https://gmail.com')
⋮┆----------------------------------------
10┆ requests.post('https://gmail.com', timeout=None)
⋮┆----------------------------------------
14┆ requests.put('https://gmail.com')
⋮┆----------------------------------------
15┆ requests.put('https://gmail.com', timeout=None)
⋮┆----------------------------------------
19┆ requests.delete('https://gmail.com')
⋮┆----------------------------------------
20┆ requests.delete('https://gmail.com', timeout=None)
⋮┆----------------------------------------
24┆ requests.patch('https://gmail.com')
⋮┆----------------------------------------
25┆ requests.patch('https://gmail.com', timeout=None)
⋮┆----------------------------------------
29┆ requests.options('https://gmail.com')
⋮┆----------------------------------------
30┆ requests.options('https://gmail.com', timeout=None)
⋮┆----------------------------------------
34┆ requests.head('https://gmail.com')
⋮┆----------------------------------------
35┆ requests.head('https://gmail.com', timeout=None)
┌──────────────┐
│ Scan Summary │
└──────────────┘
Ran 1 rule on 1 file: 14 findings.
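To make the intended matching semantics concrete, here is a small reference checker written for this page. It is an added example, not the project's semgrep rule: it uses Python's ast module to flag requests calls whose timeout keyword is absent or is the literal None, regardless of where the keyword sits relative to headers or other keywords, which is the behaviour the ellipsis fix restores. The set of requests functions it inspects and the decision to leave a call with **kwargs unflagged (the timeout may be inside the expansion) are assumptions of this example; the sample source is constructed to mirror the test file above, so the flagged line numbers match the "After" output for the get and post cases.

```python
"""Reference checker for the 'requests call without timeout' finding.

Added illustration, not the project's semgrep rule. It shows the matching
semantics the fixed rule is meant to have: a timeout must be present and
not None, wherever it appears among the keyword arguments.
"""
import ast

# Assumption for this example: the requests convenience functions to inspect.
# All of them take timeout only as a keyword argument, so positional handling
# is not needed here.
REQUESTS_METHODS = {"get", "post", "put", "delete", "patch", "options", "head", "request"}


def _is_requests_call(node: ast.Call) -> bool:
    """True for calls of the form requests.<method>(...)."""
    func = node.func
    return (
        isinstance(func, ast.Attribute)
        and isinstance(func.value, ast.Name)
        and func.value.id == "requests"
        and func.attr in REQUESTS_METHODS
    )


def _has_effective_timeout(node: ast.Call) -> bool:
    """True when timeout=<non-None> is present, or a **kwargs expansion may carry it.

    Every keyword is scanned, so headers=... before or after timeout=... makes
    no difference; this is exactly the case the positional-parameter bug missed.
    """
    has_splat = False
    for kw in node.keywords:
        if kw.arg == "timeout":
            return not (isinstance(kw.value, ast.Constant) and kw.value.value is None)
        if kw.arg is None:
            # **kwargs: the timeout may be inside; treat as unknown and do not flag
            has_splat = True
    return has_splat


def find_requests_without_timeout(source: str) -> list[int]:
    """Return the sorted line numbers of requests calls with no effective timeout."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _is_requests_call(node) and not _has_effective_timeout(node):
            findings.append(node.lineno)
    return sorted(findings)


# Constructed sample mirroring the structure of the test file in the MR output.
SAMPLE = """\
import requests

HEADERS = {'authorization': 'token <placeholder>'}
requests.get('https://example.test')
requests.get('https://example.test', timeout=None)

requests.get('https://example.test', timeout=5, headers=HEADERS)
requests.get('https://example.test', headers=HEADERS, timeout=5)
requests.post('https://example.test')
requests.post('https://example.test', timeout=None)
requests.post('https://example.test', headers=HEADERS, timeout=(3.05, 27))
requests.get('https://example.test', **{'timeout': 5})
"""

if __name__ == "__main__":
    # Expected: [4, 5, 9, 10], matching the get/post lines in the "After" scan
    for lineno in find_requests_without_timeout(SAMPLE):
        print(f"{lineno}: requests call without timeout")
```

Lines 7 and 8 of the sample are the two keyword orderings that the old pattern reported as findings; the checker treats them identically, which is the property the extra ellipsis gives the semgrep rule.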
Edited by Lucas Charles