Security: Prevent client-side DoS by adding default timeout to REST client#126

Open
rahul-kumar-362 wants to merge 1 commit into coinbase:master from rahul-kumar-362:fix-missing-timeout

Conversation

@rahul-kumar-362

Target: github.com/coinbase/coinbase-advanced-py (Coinbase Advanced Python SDK)
Vulnerability Type: Denial of Service (DoS)

Description

While using the official Coinbase Advanced Python SDK, a vulnerability exists in how it handles HTTP requests. The SDK uses the popular requests library to make API calls to Coinbase but fails to set a default timeout.

In Python's requests library, if timeout is left as None, the application will wait indefinitely for a response. If the Coinbase API experiences an outage, or if network traffic is interrupted, the developer's entire application will hang permanently, leading to a complete Denial of Service (DoS).

Proof of Concept in the Code

In coinbase/rest/rest_base.py, the timeout argument in the initialization of the RESTClient defaults to None. This variable is then passed directly as timeout=self.timeout to the requests library:

response = self.session.request(
    http_method,
    url,
    params=params,
    json=data,
    headers=headers,
    timeout=self.timeout, # <--- Will be None, causing infinite hang
)
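The failure mode described above, as an added example that is not part of this PR or of the coinbase-advanced-py code base: a request helper that substitutes a default deadline whenever the caller leaves `timeout` unset, exercised against a local server that accepts the connection and then never answers. It uses the standard library's `http.client` rather than `requests` so it runs without third-party packages; both libraries treat `timeout=None` as "no deadline", so the same substitution applies to the `self.session.request(..., timeout=self.timeout)` call in `rest_base.py`. `DEFAULT_TIMEOUT_SECONDS`, `effective_timeout`, `get_status`, `StalledServer` and `demo` are names chosen for this example, and the 1-second default is a constructed value.

```python
import http.client
import socket
import threading
import time

# Constructed default for this example; a production SDK would pick a value
# matched to its API's latency profile (typically seconds to tens of seconds).
DEFAULT_TIMEOUT_SECONDS = 1.0


def effective_timeout(timeout):
    """Map an unset timeout to the default. In both requests and http.client,
    timeout=None means 'block forever', so None must never reach the transport."""
    return DEFAULT_TIMEOUT_SECONDS if timeout is None else timeout


def get_status(host, port, path="/", timeout=None):
    """Hardened request helper: passes a caller-supplied timeout through, but
    substitutes the default when the caller left it unset."""
    conn = http.client.HTTPConnection(host, port, timeout=effective_timeout(timeout))
    try:
        conn.request("GET", path)
        return conn.getresponse().status  # blocks here if the server never answers
    finally:
        conn.close()


class StalledServer:
    """Constructed fixture: accepts TCP connections and never replies, standing in
    for an API endpoint that went silent mid-request (outage or broken network path)."""

    def __init__(self):
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
        self._listener.listen(5)
        self._listener.settimeout(0.1)         # lets the accept loop notice shutdown
        self.port = self._listener.getsockname()[1]
        self._held = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._listener.accept()
                self._held.append(conn)        # keep it open, send nothing back
            except socket.timeout:
                continue

    def close(self):
        self._stop.set()
        self._thread.join()
        for conn in self._held:
            conn.close()
        self._listener.close()


def demo():
    """Send a request with no explicit timeout to the stalled server and report
    whether the default deadline fired and how long the call actually took."""
    server = StalledServer()
    start = time.monotonic()
    try:
        get_status("127.0.0.1", server.port)
        outcome = "responded"
    except socket.timeout:                     # alias of TimeoutError on Python 3.10+
        outcome = "timed out"
    finally:
        server.close()
    return outcome, time.monotonic() - start


if __name__ == "__main__":
    print(demo())
```

Run it and the call returns `("timed out", ~1.0)` instead of hanging; swap `effective_timeout(timeout)` for a bare `timeout` in `get_status` and the same call never returns, which is the behaviour the PR description attributes to the SDK's `timeout=self.timeout`.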

@cb-heimdall

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 1
Sum 2
