GitPython icon indicating copy to clipboard operation
GitPython copied to clipboard
verified publisher icon gitpython-developers

AWS Codecommit URLs marked as suspisious

Open multiverseloop opened this issue 1 year ago • 3 comments

I have a terraform module code as below -

module "security_vpc_ap" {
  source = "git::codecommit::us-east-1://test?ref=v1.0.0"
  name = "test-vpc"
  cidr = var.test_cidr
  enable_dns_hostnames = true
  enable_dns_support   = true
  # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
  enable_flow_log                      = true
  create_flow_log_cloudwatch_log_group = true
  create_flow_log_cloudwatch_iam_role  = true
  flow_log_max_aggregation_interval    = 60
}
.

I am running static code analysis tool checkov which has a dependency of gitpython >=3.1.30

failed to get git::codecommit::us-east-1://test?ref=v1.0.0 because of The codecommit:: protocol looks suspicious, use allow_unsafe_protocols=True to allow it.

Gitpython complains that the codecommit url is not safe. If I manually install gitpython 3.1.29 then the below error doesnt show but it conflicts with checkov dependency

multiverseloop avatar Jan 18 '24 12:01 multiverseloop

Thanks for reporting. I presume that trying to set allow_unsafe_protocols=True when making the call to GitPython, whichever it is, isn't possible?

It seems you have control over the GitPython dependency, so I'd assume there is control over what's called and how. The way to solve this issue is to follow the instructions on how to solve it, however, maybe that's not possible here for a reason I'd still like to understand.

A possible course of action would be to explicitly allow codecommit URLs, which might be better than telling folks to not perform any check at all. However, this really depends on the use-case and my feeling is that here it's OK to disable the safety-check.

Byron avatar Jan 18 '24 12:01 Byron

Same here. I received the warning and I was able to circumvent it with allow_unsafe_protocols=True option. However, I would like GitPython to accept codecommit repo path like this: codecommit::ap-northeast-2://YOUR-AWS-PROFILE@your-codecommit-repo without the warning. CodeCommit is quite often used git repo URL in AWS related projects. Setting allow_unsafe_protocols=True option raises unnecessary code lint warnings. For your reference, this is relevant document: https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-git-remote-codecommit.html

byongwu avatar Apr 03 '24 00:04 byongwu

I think in order to do this correctly, GitPython would have to respect the configuration, which probably is setup to allow codecommit explicitly.

Special exceptions for codecommit can't be made to not poke a hole into this defence, so users must explicitly allow certain protocols and assure that this will launch the correct helper binary.

Byron avatar Apr 03 '24 05:04 Byron