imaplib — no timeout

Synchronous Access of IMAP4 without Timeout

The imaplib.IMAP4 and imaplib.IMAP4_SSL classes are used to connect to IMAP servers for retrieving emails over the Internet Message Access Protocol (IMAP). By default, these classes do not specify a timeout, which can result in the application blocking indefinitely while trying to communicate with an unresponsive server. This can lead to resource exhaustion, Denial of Service (DoS), or system instability, particularly in production environments where resilience is critical.

This rule enforces the use of a timeout parameter when creating instances of imaplib.IMAP4 and imaplib.IMAP4_SSL to avoid the risk of indefinite blocking and ensure graceful handling of network delays or failures.

Failing to specify a timeout in these classes may cause the application to block indefinitely while waiting for a response from the mail server. This can lead to Denial of Service (DoS) vulnerabilities or cause the application to become unresponsive.

Example

imaplib_imap_no_timeout.py
import imaplib
import ssl


imap = imaplib.IMAP4("imap.example.com")
imap.starttls(ssl.create_default_context())

Example Output

> precli tests/unit/rules/python/stdlib/imaplib/examples/imaplib_imap_no_timeout.py
⚠️  Warning on line 10 in tests/unit/rules/python/stdlib/imaplib/examples/imaplib_imap_no_timeout.py
PY041: Synchronous Access of Remote Resource without Timeout
The class 'imaplib.IMAP4' is used without a timeout, which may cause the application to block indefinitely if the remote server does not respond.

Remediation

Always provide a timeout parameter when using imaplib.IMAP4 or imaplib.IMAP4_SSL. This ensures that if the mail server is unreachable or unresponsive, the connection attempt will fail after a set period, preventing indefinite blocking and resource exhaustion.

Alternatively, the global default timeout can be set via socket.setdefaulttimeout(). This is a good option to enforce a consistent timeout for any network library that uses sockets, including imaplib.

imaplib_imap_no_timeout.py
import imaplib
import ssl


imap = imaplib.IMAP4("imap.example.com", timeout=5)
imap.starttls(ssl.create_default_context())
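
The following added example (not part of precli or its test suite) runs both remediation options against a constructed local server that accepts the TCP connection but never sends the IMAP greeting, showing that the timeout bounds the greeting read as well as the connect. The helper names start_silent_server, attempt and attempt_with_global_default are hypothetical; the timeout parameter of imaplib.IMAP4 requires Python 3.9 or later.

```python
import imaplib
import socket
import threading
import time


def start_silent_server():
    """Constructed test server: accepts TCP connections, never sends a greeting."""
    srv = socket.create_server(("127.0.0.1", 0))
    held = []  # keep accepted sockets open so the client sees silence, not EOF

    def accept_loop():
        while True:
            try:
                held.append(srv.accept()[0])
            except OSError:
                return  # listener was closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, held


def attempt(port, timeout=None):
    """Try to open an IMAP4 session; return (outcome, elapsed_seconds)."""
    start = time.monotonic()
    try:
        # timeout=None makes the socket use socket.getdefaulttimeout()
        imaplib.IMAP4("127.0.0.1", port, timeout=timeout).logout()
        outcome = "connected"
    except socket.timeout:  # alias of TimeoutError on Python 3.10+
        outcome = "timed out"
    return outcome, time.monotonic() - start


def attempt_with_global_default(port, seconds):
    """Same attempt, relying on socket.setdefaulttimeout() instead of timeout=."""
    previous = socket.getdefaulttimeout()
    socket.setdefaulttimeout(seconds)
    try:
        return attempt(port)
    finally:
        socket.setdefaulttimeout(previous)  # restore the process-wide setting


if __name__ == "__main__":
    server, _held = start_silent_server()
    port = server.getsockname()[1]
    print("timeout=0.5:", attempt(port, timeout=0.5))
    print("setdefaulttimeout(0.5):", attempt_with_global_default(port, 0.5))
```

Without either setting, the same connection attempt would wait for the greeting with no upper bound.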

Default Configuration

enabled = true
level = "warning"

See also

New in version 0.6.7