nntplib — no timeout

Synchronous Access of NNTP without Timeout

The nntplib.NNTP and nntplib.NNTP_SSL classes are used to connect to Network News Transfer Protocol (NNTP) servers for accessing Usenet articles. These classes open a network connection to the NNTP server in their constructor, and by default they do not enforce a timeout on that connection or on the socket operations that follow. Without a timeout, the application may block indefinitely if the NNTP server is slow or unresponsive (for example, it accepts the TCP connection but never sends its greeting), leading to resource exhaustion, Denial of Service (DoS), or reduced application responsiveness. Note that nntplib is deprecated since Python 3.11 and was removed in Python 3.13 (PEP 594), so this rule only applies to code running on earlier interpreters.

This rule ensures that a timeout parameter is provided when creating instances of nntplib.NNTP or nntplib.NNTP_SSL to prevent the risk of indefinite blocking.

Failing to specify a timeout in these classes may cause the application to block indefinitely while waiting for a response from the news server. This can lead to Denial of Service (DoS) vulnerabilities or cause the application to become unresponsive.

Example

nntplib_nntp_no_timeout.py

import nntplib
import ssl


# No timeout argument: the constructor connects and waits for the server
# greeting with a fully blocking socket, so a hung server blocks forever.
nntp = nntplib.NNTP("nntp.example.com")
nntp.starttls(ssl.create_default_context())
Example Output
> precli tests/unit/rules/python/stdlib/nntplib/examples/nntplib_nntp_no_timeout.py
⚠️  Warning on line 10 in tests/unit/rules/python/stdlib/nntplib/examples/nntplib_nntp_no_timeout.py
PY042: Synchronous Access of Remote Resource without Timeout
The class 'nntplib.NNTP' is used without a timeout, which may cause the application to block indefinitely if the remote server does not respond.

Remediation

Always provide a timeout parameter when using nntplib.NNTP or nntplib.NNTP_SSL. This ensures that if the news server is unreachable or unresponsive, the connection attempt (and every later socket read or write on that connection) will fail with a socket.timeout / TimeoutError after the given number of seconds, preventing indefinite blocking and resource exhaustion. Passing timeout=0 is rejected by nntplib with a ValueError, and timeout=None explicitly disables the timeout, so neither is a fix.

Alternatively, the global default timeout can be set via socket.setdefaulttimeout(). This is a good option to enforce a consistent timeout for any network library that uses sockets, including nntplib, but it only affects sockets created after the call and applies process-wide. In both approaches the timeout bounds each individual socket operation, not the total duration of the session, so a server that trickles data slowly can still hold the connection open for a long time.

nntplib_nntp_no_timeout.py

import nntplib
import ssl


# timeout=5 bounds the TCP connect, the greeting read and every later
# command/response exchange to 5 seconds each.
nntp = nntplib.NNTP("nntp.example.com", timeout=5)
nntp.starttls(ssl.create_default_context())
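The following added example (written for this page; it is not part of precli or of the Python standard library) reproduces the failure mode the rule guards against and shows both remediations working. It starts a local "news server" on 127.0.0.1 that accepts the TCP connection but never sends the NNTP greeting, then measures how long nntplib.NNTP blocks before raising when an explicit timeout= is passed, and again when only socket.setdefaulttimeout() is set. Because nntplib no longer ships with Python 3.13, the helper open_nntp() falls back to the same connect-and-read-greeting step with a plain socket on interpreters that lack the module; the server, the 0.5 second timeout and the helper names are all constructed for the demonstration.

```python
import socket
import socketserver
import threading
import time
import warnings

# nntplib is deprecated since Python 3.11 and removed in 3.13.  Import it
# quietly where it exists; otherwise fall back to a raw socket below.
with warnings.catch_warnings():
    warnings.simplefilter("ignore", DeprecationWarning)
    try:
        import nntplib
    except ImportError:  # Python >= 3.13
        nntplib = None


class _SilentHandler(socketserver.BaseRequestHandler):
    """Accept the connection but never send the '200 ...' NNTP greeting.

    This mimics a hung or overloaded news server: connect() succeeds, so only
    a socket timeout can stop the client from waiting on the first line.
    """

    def handle(self):
        self.server.stop_event.wait()


class SilentNntpServer(socketserver.ThreadingTCPServer):
    """Constructed test server listening on a free loopback port."""

    allow_reuse_address = True
    daemon_threads = True

    def __init__(self):
        super().__init__(("127.0.0.1", 0), _SilentHandler)  # port 0: OS picks
        self.stop_event = threading.Event()
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def port(self):
        return self.server_address[1]

    def close(self):
        self.stop_event.set()
        self.shutdown()
        self.server_close()


_NOT_GIVEN = object()  # sentinel: "inherit socket.getdefaulttimeout()"


def open_nntp(host, port, timeout=_NOT_GIVEN):
    """Connect and read the greeting, which is what nntplib.NNTP() does first.

    When timeout is omitted the call inherits the global default timeout,
    exactly like nntplib.NNTP's own default argument.
    """
    kwargs = {} if timeout is _NOT_GIVEN else {"timeout": timeout}
    if nntplib is not None:
        return nntplib.NNTP(host, port, **kwargs)
    # Fallback for interpreters without nntplib: same connect + readline.
    with socket.create_connection((host, port), **kwargs) as sock:
        with sock.makefile("rb") as f:
            return f.readline()


def seconds_until_timeout(port, timeout=_NOT_GIVEN):
    """Return how long the connection attempt blocked before timing out.

    Returns None if no timeout fired; without a timeout this would never
    return at all, which is the bug the rule reports.
    """
    start = time.monotonic()
    try:
        open_nntp("127.0.0.1", port, timeout)
    except (socket.timeout, TimeoutError):
        return time.monotonic() - start
    return None


def run_demo(timeout=0.5):
    """Exercise both fixes against the silent server; returns the wait times."""
    server = SilentNntpServer()
    try:
        # Fix 1: explicit timeout= on the NNTP constructor.
        explicit = seconds_until_timeout(server.port, timeout=timeout)
        # Fix 2: process-wide default picked up by nntplib without changes.
        previous = socket.getdefaulttimeout()
        socket.setdefaulttimeout(timeout)
        try:
            global_default = seconds_until_timeout(server.port)
        finally:
            socket.setdefaulttimeout(previous)
    finally:
        server.close()
    return {"explicit_timeout": explicit, "global_default": global_default}


if __name__ == "__main__":
    for fix, waited in run_demo().items():
        print(f"{fix}: timed out after {waited:.2f}s")
```

Both measurements come out at roughly the configured 0.5 seconds; dropping the timeout argument and the setdefaulttimeout() call makes open_nntp() block until the server process goes away, which is what the precli warning flags.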

Default Configuration

enabled = true
level = "warning"

See also

New in version 0.6.7