SONARPY-2932 Rule S7499: Async functions should not contain synchronous http operations (#263)

GitOrigin-RevId: 566679fd06efa9f71ae819e5900d2c23c3d6845f

Author: ghislainpiot

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -357,6 +357,7 @@ public Stream<Class<?>> getChecks() {
       SklearnPipelineParameterAreCorrectCheck.class,
       SuperfluousCurlyBraceCheck.class,
       TempFileCreationCheck.class,
+      SynchronousHttpOperationsInAsyncCheck.class,
       ImplicitlySkippedTestCheck.class,
       TimeSleepInAsyncCheck.class,
       ToDoCommentCheck.class,

python-checks/src/main/java/org/sonar/python/checks/SynchronousHttpOperationsInAsyncCheck.java

@@ -0,0 +1,86 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+
+package org.sonar.python.checks;
+
+import java.util.Set;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.python.tree.TreeUtils;
+import org.sonar.python.types.v2.TypeCheckMap;
+
+@Rule(key = "S7499")
+public class SynchronousHttpOperationsInAsyncCheck extends PythonSubscriptionCheck {
+  private static final String MESSAGE = "Use an async HTTP client in this async function instead of a synchronous one.";
+  private static final String SECONDARY_MESSAGE = "This function is async.";
+
+  private static final Set<String> IMPORT_PATHS = Set.of(
+    "requests.get",
+    "requests.post",
+    "requests.put",
+    "requests.delete",
+    "requests.head",
+    "requests.options",
+    "requests.patch",
+    "requests.sessions.Session.get",
+    "requests.sessions.Session.post",
+    "requests.sessions.Session.put",
+    "requests.sessions.Session.delete",
+    "requests.sessions.Session.head",
+    "requests.sessions.Session.options",
+    "requests.sessions.Session.patch",
+    "urllib3.PoolManager",
+    "urllib3.PoolManager.request");
+
+  private static final Set<String> IMPORT_PATHS_FQN = Set.of(
+    "httpx.get",
+    "httpx.post",
+    "httpx.put",
+    "httpx.delete",
+    "httpx.head",
+    "httpx.options",
+    "httpx.patch");
+
+  private final TypeCheckMap<Object> syncHttpTypeChecks = new TypeCheckMap<>();
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, this::setupTypeChecks);
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::checkSyncHttpInAsync);
+  }
+
+  private void setupTypeChecks(SubscriptionContext ctx) {
+    var object = new Object();
+    IMPORT_PATHS.forEach(path -> syncHttpTypeChecks.put(ctx.typeChecker().typeCheckBuilder().isTypeOrInstanceWithName(path), object));
+    IMPORT_PATHS_FQN.forEach(path -> syncHttpTypeChecks.put(ctx.typeChecker().typeCheckBuilder().isTypeWithFqn(path), object));
+  }
+
+  private void checkSyncHttpInAsync(SubscriptionContext ctx) {
+    var callExpression = (CallExpression) ctx.syntaxNode();
+    var asyncToken = TreeUtils.asyncTokenOfEnclosingFunction(callExpression).orElse(null);
+    if (asyncToken == null) {
+      return;
+    }
+
+    syncHttpTypeChecks.getOptionalForType(callExpression.callee().typeV2())
+      .ifPresent(object -> ctx.addIssue(callExpression.callee(), MESSAGE).secondary(asyncToken, SECONDARY_MESSAGE));
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7499.html

@@ -0,0 +1,54 @@
+<p>This rule raises an issue when synchronous HTTP client calls are used within asynchronous functions.</p>
+<h2>Why is this an issue?</h2>
+<p>Using synchronous HTTP clients like <code>urllib3</code>, <code>requests</code>, or <code>httpx.Client</code> in asynchronous code blocks the
+entire event loop. This undermines the primary advantage of asynchronous programming - the ability to perform concurrent operations without blocking
+execution.</p>
+<p>When an async function makes a synchronous HTTP request:</p>
+<ul>
+  <li> The event loop is completely blocked until the HTTP operation completes </li>
+  <li> No other coroutines can run during this time, even if they’re ready to execute </li>
+  <li> The responsiveness of the application is degraded </li>
+  <li> In server applications, this can cause timeouts or failures for other concurrent requests </li>
+</ul>
+<p>Instead, async-compatible HTTP clients should be used:</p>
+<ul>
+  <li> <code>httpx.AsyncClient</code> - works with asyncio, Trio, and AnyIO </li>
+  <li> <code>aiohttp.ClientSession</code> - works with asyncio </li>
+  <li> <code>asks</code> - works with Trio and asyncio </li>
+</ul>
+<p>Using these libraries allows other tasks to continue executing while waiting for HTTP responses, significantly improving application performance
+and responsiveness.</p>
+<h2>How to fix it</h2>
+<p>Replace synchronous HTTP clients with asynchronous alternatives. The <code>httpx.AsyncClient</code> is recommended as it provides a consistent API
+across asyncio, Trio, and AnyIO frameworks.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+import requests
+
+async def fetch_data():
+    response = requests.get("https://api.example.com/data")  # Noncompliant
+    return response.json()
+</pre>
+<h4>Compliant solution</h4>
+<p>Using httpx.AsyncClient (works with asyncio, Trio, and AnyIO):</p>
+<pre data-diff-id="1" data-diff-type="compliant">
+import httpx
+
+async def fetch_data():
+    async with httpx.AsyncClient() as client:
+        response = await client.get("https://api.example.com/data")
+        return response.json()
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> HTTPX - <a href="https://www.python-httpx.org/async/">Async Usage</a> </li>
+  <li> AIOHTTP - <a href="https://docs.aiohttp.org/en/stable/client_quickstart.html">Client Quickstart</a> </li>
+  <li> Asks - <a href="https://asks.readthedocs.io/en/latest/">Documentation</a> </li>
+</ul>
+<h3>Articles &amp; blog posts</h3>
+<ul>
+  <li> Python - <a href="https://realpython.com/async-io-python/">Async IO in Python</a> </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7499.json

@@ -0,0 +1,27 @@
+{
+  "title": "Async functions should not contain synchronous HTTP client calls",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "async",
+    "asyncio",
+    "anyio",
+    "trio",
+    "http"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7499",
+  "sqKey": "S7499",
+  "scope": "All",
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "HIGH"
+    },
+    "attribute": "EFFICIENT"
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -254,10 +254,13 @@
     "S6983",
     "S6984",
     "S6985",
+    "S7483",
+    "S7488",
     "S7488",
     "S7491",
     "S7483",
     "S7488",
+    "S7499",
     "S7501"
   ]
 }

python-checks/src/test/java/org/sonar/python/checks/SynchronousHttpOperationsInAsyncCheckTest.java

@@ -0,0 +1,30 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class SynchronousHttpOperationsInAsyncCheckTest {
+
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/synchronousHttpOperationsInAsync.py", new SynchronousHttpOperationsInAsyncCheck());
+  }
+
+}

python-checks/src/test/resources/checks/synchronousHttpOperationsInAsync.py

@@ -0,0 +1,167 @@
+
+
+# Test cases for requests library
+async def test_requests_sync_client():
+    import requests
+
+    response = requests.get("https://example.com")  # Noncompliant
+
+    response = requests.post("https://example.com", data={"key": "value"})  # Noncompliant
+
+    session = requests.Session()
+    response = session.get("https://example.com")  # Noncompliant
+
+    # Methods test
+    requests.delete("https://example.com")  # Noncompliant
+    requests.head("https://example.com")  # Noncompliant
+    requests.options("https://example.com")  # Noncompliant
+    requests.patch("https://example.com")  # Noncompliant
+    requests.put("https://example.com")  # Noncompliant
+
+async def nesting():
+    import requests
+    async def inner_function():
+#   ^^^^^> {{This function is async.}}
+        requests.get("https://example.com")  # Noncompliant {{Use an async HTTP client in this async function instead of a synchronous one.}}
+    #   ^^^^^^^^^^^^
+
+# Test cases for urllib3 library
+async def test_urllib3_sync_client():
+    import urllib3
+
+    http = urllib3.PoolManager() # Noncompliant
+    response = http.request("GET", "https://example.com")  # Noncompliant
+
+    response = http.request_encode_url("GET", "https://example.com")  # FN
+
+    response = http.request_encode_body("POST", "https://example.com", fields={"key": "value"})  # FN
+
+# Test cases for httpx synchronous client
+async def test_httpx_sync_client():
+    import httpx
+
+    response = httpx.get("https://example.com")  # Noncompliant
+
+    client = httpx.Client()
+    response = client.get("https://example.com")  # FN SONARPY-2965
+
+    with httpx.Client() as client:
+        response = client.get("https://example.com")  # FN SONARPY-2965
+
+# Test compliant cases with async HTTP clients
+async def test_compliant_async_clients():
+    # httpx async client
+    import httpx
+
+    async with httpx.AsyncClient() as client:
+        response = await client.get("https://example.com")
+
+    client = httpx.AsyncClient()
+    response = await client.get("https://example.com")
+
+    # aiohttp client
+    import aiohttp
+
+    async with aiohttp.ClientSession() as session:
+        async with session.get("https://example.com") as response:
+            data = await response.text()
+
+    # asks library
+    import asks
+
+    response = await asks.get("https://example.com")
+
+# Test nested async functions
+async def test_nested_async_functions():
+    import requests
+
+    async def inner_function():
+        return requests.get("https://example.com")  # Noncompliant
+
+    result = await inner_function()
+
+# Test functions that use synchronous HTTP clients but are not async themselves
+def test_sync_function_with_sync_client():
+    import requests
+
+    response = requests.get("https://example.com")  # Compliant - not in async function
+
+# Test for method calls on returned objects
+async def test_method_chaining():
+    import requests
+
+    data = requests.get("https://example.com").json()  # Noncompliant
+
+    import urllib3
+    http = urllib3.PoolManager() # Noncompliant
+    data = http.request("GET", "https://example.com").data  # Noncompliant
+
+# Test for assignments to variables and complex expressions
+async def test_complex_assignments():
+    import requests
+
+    # Assignment to variable
+    response = requests.get("https://example.com")  # Noncompliant
+
+    # In a complex expression
+    data = [requests.get(f"https://example.com/{i}").json() for i in range(5)]  # Noncompliant
+
+    # As function argument
+    process_response(requests.get("https://example.com"))  # Noncompliant
+
+# Test for HTTP client in async generators
+async def test_async_generator():
+    import requests
+
+    async def async_generator():
+        for i in range(5):
+            yield requests.get(f"https://example.com/{i}")  # Noncompliant
+
+    async for response in async_generator():
+        print(response.text)
+
+# Test for HTTP clients created outside async function but used inside
+async def test_client_created_outside():
+    import httpx
+    client = httpx.Client()
+
+    response = client.get("https://example.com")  # FN
+
+    # Compliant case with async client
+    async_client = httpx.AsyncClient()
+    response = await async_client.get("https://example.com")
+
+# Test for conditional usage of HTTP clients
+async def test_conditional_usage():
+    import requests
+    import httpx
+
+    use_async = False
+
+    if use_async:
+        async with httpx.AsyncClient() as client:
+            response = await client.get("https://example.com")
+    else:
+        response = requests.get("https://example.com")  # Noncompliant
+
+# Test for try/except blocks
+async def test_try_except():
+    import requests
+
+    try:
+        response = requests.get("https://example.com")  # Noncompliant
+    except Exception:
+        pass
+
+# Edge cases to ensure no false positives
+async def test_edge_cases():
+    # String containing 'requests.get' should not trigger
+    code_string = "response = requests.get('https://example.com')"
+
+    # Variable named 'requests' should not trigger if it's not the actual requests module
+    class MockRequests:
+        def get(self, url):
+            return None
+
+    requests = MockRequests()
+    response = requests.get("https://example.com")  # Should not trigger