ftplib — no timeout

Synchronous Access of FTP without Timeout

The ftplib.FTP and ftplib.FTP_TLS classes are used to establish FTP connections for transferring files over the network. These classes, along with the ftplib.FTP.connect method, do not enforce a timeout by default, which can lead to indefinite blocking if the FTP server becomes unresponsive or experiences a network issue. This can cause resource exhaustion, Denial of Service (DoS), or reduced application responsiveness, especially in production environments.

This rule ensures that a timeout parameter is provided when creating instances of ftplib.FTP, ftplib.FTP_TLS, and when calling ftplib.FTP.connect to prevent the risk of indefinite blocking during FTP operations.

Failing to specify a timeout in these classes may cause the application to block indefinitely while waiting for a response from the FTP server. This can lead to Denial of Service (DoS) vulnerabilities or cause the application to become unresponsive.

Example

ftplib_ftp_no_timeout.py

import ftplib


ftp_server = ftplib.FTP("ftp.example.com")

Example Output

> precli tests/unit/rules/python/stdlib/ftplib/examples/ftplib_ftp_no_timeout.py
⚠️  Warning on line 9 in tests/unit/rules/python/stdlib/ftplib/examples/ftplib_ftp_no_timeout.py
PY045: Synchronous Access of Remote Resource without Timeout
The class 'ftplib.FTP' is used without a timeout, which may cause the application to block indefinitely if the remote server does not respond.

Remediation

Always provide a timeout parameter when using ftplib.FTP, ftplib.FTP_TLS, or ftplib.FTP.connect. This ensures that if the FTP server is unreachable or unresponsive, the connection attempt will fail after a set period, preventing indefinite blocking and resource exhaustion.

Alternatively, the global default timeout can be set via socket.setdefaulttimeout(). This is a good option to enforce a consistent timeout for any network library that uses sockets, including ftplib.

ftplib_ftp_no_timeout.py

import ftplib


ftp_server = ftplib.FTP("ftp.example.com", timeout=5)
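
Both remediations above, exercised against a local listener that completes the TCP handshake but never sends the FTP welcome banner. This is an added example, not part of the original page or the Precli project; the function names and the silent listener are constructed for illustration.

```python
import ftplib
import socket
import time


def start_silent_listener():
    """Constructed test peer: completes the TCP handshake, never sends an FTP banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)               # connections sit in the backlog, never accepted
    return srv, srv.getsockname()[1]


def attempt(ftp, port):
    """Connect and report (outcome, seconds spent) instead of raising."""
    start = time.monotonic()
    try:
        ftp.connect("127.0.0.1", port)
        outcome = "connected"
    except socket.timeout:  # alias of TimeoutError on Python 3.10+
        outcome = "timed out"
    finally:
        ftp.close()
    return outcome, time.monotonic() - start


def connect_with_explicit_timeout(port, seconds):
    # The timeout covers the TCP connect and every later blocking read,
    # including the wait for the server's welcome banner.
    return attempt(ftplib.FTP(timeout=seconds), port)


def connect_with_global_default(port, seconds):
    previous = socket.getdefaulttimeout()
    socket.setdefaulttimeout(seconds)
    try:
        # No timeout argument: the socket inherits the process-wide default.
        return attempt(ftplib.FTP(), port)
    finally:
        socket.setdefaulttimeout(previous)  # do not leak the setting to other code


if __name__ == "__main__":
    listener, port = start_silent_listener()
    print(connect_with_explicit_timeout(port, 1.0))
    print(connect_with_global_default(port, 1.0))
    # ftplib.FTP().connect("127.0.0.1", port) with no default set would block here.
    listener.close()
```

The TCP connection itself succeeds in both calls; the timeout fires while ftplib waits for the banner, which is the case a connect-only timeout would miss.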

Default Configuration

enabled = true
level = "warning"

See also

New in version 0.6.7