SONARPY-3105 Rule S7618: Explicit Network Call Timeouts in AWS Lambda (#413)

GitOrigin-RevId: c45c595d8266ce1000302f0b48e4036afebab830

Author: Seppli11

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -23,6 +23,7 @@
 import org.sonar.python.checks.cdk.DisabledSNSTopicEncryptionCheck;
 import org.sonar.python.checks.cdk.IamPolicyPublicAccessCheck;
 import org.sonar.python.checks.cdk.IamPrivilegeEscalationCheck;
+import org.sonar.python.checks.cdk.NetworkCallsWithoutTimeoutsInLambdaCheck;
 import org.sonar.python.checks.cdk.PrivilegePolicyCheck;
 import org.sonar.python.checks.cdk.PublicApiIsSecuritySensitiveCheck;
 import org.sonar.python.checks.cdk.PublicNetworkAccessToCloudResourcesCheck;
@@ -380,6 +381,7 @@ public Stream<Class<?>> getChecks() {
       StrongCryptographicKeysCheck.class,
       SklearnCachedPipelineDontAccessTransformersCheck.class,
       MissingHyperParameterCheck.class,
+      NetworkCallsWithoutTimeoutsInLambdaCheck.class,
       SklearnPipelineSpecifyMemoryArgumentCheck.class,
       SklearnPipelineParameterAreCorrectCheck.class,
       SuperfluousCurlyBraceCheck.class,

python-checks/src/main/java/org/sonar/python/checks/cdk/NetworkCallsWithoutTimeoutsInLambdaCheck.java

@@ -0,0 +1,166 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks.cdk;
+
+import java.util.Optional;
+import java.util.Set;
+import javax.annotation.CheckForNull;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.Name;
+import org.sonar.plugins.python.api.tree.RegularArgument;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.types.v2.PythonType;
+import org.sonar.python.checks.utils.AwsLambdaChecksUtils;
+import org.sonar.python.checks.utils.Expressions;
+import org.sonar.python.tree.TreeUtils;
+import org.sonar.python.types.v2.TypeCheckBuilder;
+import org.sonar.python.types.v2.TypeCheckMap;
+
+@Rule(key = "S7618")
+public class NetworkCallsWithoutTimeoutsInLambdaCheck extends PythonSubscriptionCheck {
+
+  private static final String MESSAGE = "Set an explicit timeout for this network call to prevent hanging executions in Lambda functions.";
+
+  private static final int BOTO3_CLIENT_RESOURCE_CONFIG_NTH_ARGUMENT = 9;
+
+  private static final Set<String> REQUESTS_METHODS = Set.of("get", "post", "put", "delete", "head", "options", "patch",
+      "request");
+
+  private static final Set<String> BOTO3_ENTRY_FUNCTIONS = Set.of(
+      "boto3.client", "boto3.resource",
+      "boto3.session.Session.client", "boto3.session.Session.resource");
+
+  private TypeCheckMap<Object> requestsTypeChecks;
+  private TypeCheckMap<Object> boto3EntryFunctionTypeChecks;
+  private TypeCheckBuilder configConstructorTypeCheck;
+
+  private boolean isLambdaHandlerInThisFile = false;
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, this::initializeTypeCheckMaps);
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::checkNetworkCall);
+  }
+
+  private void initializeTypeCheckMaps(SubscriptionContext ctx) {
+    isLambdaHandlerInThisFile = AwsLambdaChecksUtils.isLambdaHandlerInThisFile(ctx, ctx.syntaxNode());
+
+    requestsTypeChecks = new TypeCheckMap<>();
+
+    Object marker = new Object();
+
+    for (String method : REQUESTS_METHODS) {
+      requestsTypeChecks.put(ctx.typeChecker().typeCheckBuilder().isTypeWithName("requests." + method), marker);
+      requestsTypeChecks.put(ctx.typeChecker().typeCheckBuilder().isTypeWithName("requests.sessions.Session." + method),
+          marker);
+    }
+
+    boto3EntryFunctionTypeChecks = new TypeCheckMap<>();
+    for (String entryFunction : BOTO3_ENTRY_FUNCTIONS) {
+      boto3EntryFunctionTypeChecks.put(ctx.typeChecker().typeCheckBuilder().isTypeWithName(entryFunction), marker);
+    }
+
+    configConstructorTypeCheck = ctx.typeChecker().typeCheckBuilder().isTypeWithName("botocore.config.Config");
+  }
+
+  private void checkNetworkCall(SubscriptionContext ctx) {
+    CallExpression callExpression = (CallExpression) ctx.syntaxNode();
+
+    if (!isLambdaHandlerInThisFile) {
+      return;
+    }
+
+    checkRequestsCall(ctx, callExpression);
+    checkBoto3Call(ctx, callExpression);
+  }
+
+  private void checkRequestsCall(SubscriptionContext ctx, CallExpression callExpression) {
+    var type = callExpression.callee().typeV2();
+    if (requestsTypeChecks.getOptionalForType(type).isPresent()) {
+      checkTimeoutParameter(ctx, callExpression);
+    }
+  }
+
+  private static void checkTimeoutParameter(SubscriptionContext ctx, CallExpression callExpression) {
+    var timeoutArg = CdkUtils.getArgument(ctx, callExpression, "timeout");
+    if (timeoutArg.isEmpty()) {
+      ctx.addIssue(callExpression.callee(), MESSAGE);
+    } else {
+      timeoutArg.get().addIssueIf(CdkPredicate.isNone(), MESSAGE, callExpression);
+    }
+  }
+
+  private void checkBoto3Call(SubscriptionContext ctx, CallExpression callExpression) {
+    var type = callExpression.callee().typeV2();
+
+    if (!isBoto3ClientOrResource(type)) {
+      return;
+    }
+
+    var configArg = getBotocoreConfigArgument(callExpression);
+    if (configArg == null) {
+      ctx.addIssue(callExpression.callee(), MESSAGE);
+    } else {
+      var configConstructor = getConfigArgumentConstructorCallExpr(configArg);
+      // if configConstructor == null, we couldn't figure out what the config argument
+      // is -> no issue raised to prevent FPs
+      if (configConstructor != null && isInvalidConfigConstructorCall(configConstructor)) {
+        ctx.addIssue(callExpression.callee(), MESSAGE);
+      }
+    }
+  }
+
+  private boolean isBoto3ClientOrResource(PythonType type) {
+    return boto3EntryFunctionTypeChecks.getOptionalForType(type).isPresent();
+  }
+
+  @CheckForNull
+  private static RegularArgument getBotocoreConfigArgument(CallExpression callExpression) {
+    return TreeUtils.nthArgumentOrKeyword(BOTO3_CLIENT_RESOURCE_CONFIG_NTH_ARGUMENT, "config",
+        callExpression.arguments());
+  }
+
+  @CheckForNull
+  private static CallExpression getConfigArgumentConstructorCallExpr(RegularArgument arg) {
+    Expression argExpr = arg.expression();
+    if (argExpr instanceof Name argName) {
+      return getSingleAssignedConfigConstructorCallExpr(argName).orElse(null);
+    } else if (argExpr instanceof CallExpression callExpr) {
+      return callExpr;
+    }
+    return null;
+  }
+
+  private static Optional<CallExpression> getSingleAssignedConfigConstructorCallExpr(Name configVarName) {
+    return Expressions.singleAssignedNonNameValue(configVarName)
+        .flatMap(TreeUtils.toOptionalInstanceOfMapper(CallExpression.class));
+  }
+
+  private boolean isInvalidConfigConstructorCall(CallExpression callExpression) {
+    return configConstructorTypeCheck.check(callExpression.callee().typeV2()).isTrue()
+        && !hasArgumentWithName(callExpression, "read_timeout")
+        && !hasArgumentWithName(callExpression, "connect_timeout");
+  }
+
+  private static boolean hasArgumentWithName(CallExpression callExpression, String name) {
+    return TreeUtils.argumentByKeyword(name, callExpression.arguments()) != null;
+  }
+}

python-checks/src/main/java/org/sonar/python/checks/utils/AwsLambdaChecksUtils.java

@@ -16,17 +16,40 @@
  */
 package org.sonar.python.checks.utils;
 
+import java.util.ArrayList;
+import java.util.List;
 import org.sonar.plugins.python.api.SubscriptionContext;
 import org.sonar.plugins.python.api.project.configuration.ProjectConfiguration;
+import org.sonar.plugins.python.api.tree.BaseTreeVisitor;
+import org.sonar.plugins.python.api.tree.FileInput;
 import org.sonar.plugins.python.api.tree.FunctionDef;
+import org.sonar.plugins.python.api.tree.Tree;
 import org.sonar.plugins.python.api.types.v2.FunctionType;
 import org.sonar.python.semantic.v2.callgraph.CallGraph;
 import org.sonar.python.semantic.v2.callgraph.CallGraphWalker;
+import org.sonar.python.tree.TreeUtils;
 
 public class AwsLambdaChecksUtils {
 
   private AwsLambdaChecksUtils() {
   }
+
+  public static boolean isLambdaHandlerInThisFile(SubscriptionContext ctx, Tree tree) {
+    FileInput root = null;
+    if(tree instanceof FileInput fileInput) {
+      root = fileInput;
+    } else {
+      root = TreeUtils.firstAncestorOfClass(tree, FileInput.class);
+    }
+
+    var functionDefCollector = new FunctionDefCollector();
+    root.accept(functionDefCollector);
+    List<FunctionDef> functionDefs = functionDefCollector.getFunctionDefs();
+
+    return functionDefs.stream()
+      .anyMatch(functionDef -> isLambdaHandler(ctx, functionDef));
+  }
+
   public static boolean isLambdaHandler(SubscriptionContext ctx, FunctionDef functionDef) {
     return isLambdaHandler(ctx.projectConfiguration(), ctx.callGraph(), functionDef);
   }
@@ -57,4 +80,18 @@ private static boolean isFqnCalledFromLambdaHandler(CallGraph callGraph, Project
       .isUsedFrom(fqn, node -> isLambdaHandlerFqn(projectConfiguration, node.fqn()))
       .isTrue();
   }
+
+  private static class FunctionDefCollector extends BaseTreeVisitor {
+    private final List<FunctionDef> functionDefs = new ArrayList<>();
+
+    @Override
+    public void visitFunctionDef(FunctionDef functionDef) {
+      functionDefs.add(functionDef);
+      super.visitFunctionDef(functionDef);
+    }
+
+    public List<FunctionDef> getFunctionDefs() {
+      return functionDefs;
+    }
+  }
 }

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7618.html

@@ -0,0 +1,79 @@
+<p>This rule raises an issue when network calls in AWS Lambda functions are made without explicit timeout parameters.</p>
+<h2>Why is this an issue?</h2>
+<p>AWS Lambda functions are ephemeral, event-driven compute services that frequently interact with external systems including other AWS services via
+boto3, external APIs through HTTP requests, databases, and message brokers. When these network calls are made without explicit timeout parameters, the
+Lambda function becomes vulnerable to indefinite hanging if the remote service becomes unresponsive due to network issues, service overload, or
+connectivity problems. Unlike traditional server environments where hanging requests might affect only a single user session, Lambda functions that
+hang continue to consume billable compute time until the function’s maximum execution timeout is reached, which can be up to 15 minutes. This creates
+a cascading effect where network reliability issues directly translate to increased operational costs and unpredictable system behavior.</p>
+<h3>What is the potential impact?</h3>
+<p>Hanging executions lead to increased AWS costs due to wasted compute time while waiting for unresponsive services. The lack of explicit timeouts
+causes unpredictable failure behavior, making it difficult to distinguish between functional errors and network stalls, which complicates debugging
+and monitoring. When the Lambda function’s maximum timeout is reached, the execution is abruptly terminated, preventing graceful error handling,
+proper logging, and cleanup operations. In connection pooling scenarios, hanging requests can exhaust available connections, and the unpredictable
+delays can cause cascading failures in upstream services that depend on the Lambda function’s response.</p>
+<h2>How to fix it in requests</h2>
+<p>For HTTP requests using the requests library, always specify the timeout parameter. Use a tuple <code>(connect_timeout, read_timeout)</code> for
+granular control over connection establishment and data reading timeouts. Wrap the call in try-except blocks to handle timeout exceptions gracefully.
+Consider externalizing timeout values through environment variables for easier configuration management.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+import requests
+
+def lambda_handler(event, context):
+    response = requests.get('https://api.example.com/data')  # Noncompliant
+    return response.json()
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+import requests
+import os
+
+def lambda_handler(event, context):
+    try:
+        timeout = (float(os.environ.get('CONNECT_TIMEOUT', 3)),
+                  float(os.environ.get('READ_TIMEOUT', 10)))
+        response = requests.get('https://api.example.com/data', timeout=timeout)
+        return response.json()
+    except requests.exceptions.Timeout:
+        return {'error': 'Request timed out'}
+</pre>
+<h2>How to fix it in boto3</h2>
+<p>For AWS service calls using boto3, configure timeouts using botocore.config.Config when creating clients. Set both <code>connect_timeout</code> and
+<code>read_timeout</code> parameters to prevent hanging on connection establishment and data reading respectively. Handle botocore timeout exceptions
+appropriately in your error handling logic.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+import boto3
+
+def lambda_handler(event, context):
+    s3 = boto3.client('s3')  # Noncompliant
+    response = s3.get_object(Bucket='my-bucket', Key='my-key')
+    return response['Body'].read()
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="2" data-diff-type="compliant">
+import boto3
+from botocore.config import Config
+from botocore.exceptions import ReadTimeoutError, ConnectTimeoutError
+
+def lambda_handler(event, context):
+    try:
+        config = Config(connect_timeout=5, read_timeout=10)
+        s3 = boto3.client('s3', config=config)
+        response = s3.get_object(Bucket='my-bucket', Key='my-key')
+        return response['Body'].read()
+    except (ReadTimeoutError, ConnectTimeoutError):
+        return {'error': 'AWS service call timed out'}
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> requests Documentation - <a href="https://requests.readthedocs.io/en/latest/user/advanced/#timeouts">Timeouts</a> </li>
+  <li> boto3 Documentation - <a href="https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html">Configuration</a> </li>
+  <li> AWS Documentation - <a href="https://aws.amazon.com/builders-library/timeouts-retries-and-backoff-with-jitter/">Timeouts, retries, and backoff
+  with jitter</a> </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7618.json

@@ -0,0 +1,24 @@
+{
+  "title": "Network calls in AWS Lambda functions shouldn\u0027t be made without explicit timeout parameters",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "aws"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7618",
+  "sqKey": "S7618",
+  "scope": "All",
+  "quickfix": "infeasible",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "MEDIUM",
+      "RELIABILITY": "HIGH"
+    },
+    "attribute": "EFFICIENT"
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -292,6 +292,7 @@
     "S7519",
     "S7613",
     "S7617",
+    "S7618",
     "S7621",
     "S7622",
     "S7632"

python-checks/src/test/java/org/sonar/python/checks/cdk/NetworkCallsWithoutTimeoutsInLambdaCheckTest.java

@@ -0,0 +1,41 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks.cdk;
+
+import java.util.List;
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class NetworkCallsWithoutTimeoutsInLambdaCheckTest {
+
+  @Test
+  void test() {
+    PythonCheckVerifier.verify(
+      List.of("src/test/resources/checks/networkCallsWithoutTimeoutsInLambda/with_lambda_handler.py"), 
+      new NetworkCallsWithoutTimeoutsInLambdaCheck()
+    );
+  }
+
+  @Test
+  void test_no_lambda_handler() {
+    PythonCheckVerifier.verifyNoIssue(
+      List.of("src/test/resources/checks/networkCallsWithoutTimeoutsInLambda/without_lambda_handler.py"), 
+      new NetworkCallsWithoutTimeoutsInLambdaCheck()
+    );
+  }
+
+}