Giters

gitpython-developers / GitPython

GitPython is a python library used to interact with Git repositories.

Home Page:http://gitpython.readthedocs.org

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

AWS Codecommit URLs marked as suspisious

multiverseloop opened this issue · comments

commented

I have a terraform module code as below -

module "security_vpc_ap" {
  source = "git::codecommit::us-east-1://test?ref=v1.0.0"
  name = "test-vpc"
  cidr = var.test_cidr
  enable_dns_hostnames = true
  enable_dns_support   = true
  # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
  enable_flow_log                      = true
  create_flow_log_cloudwatch_log_group = true
  create_flow_log_cloudwatch_iam_role  = true
  flow_log_max_aggregation_interval    = 60
}
.

I am running static code analysis tool checkov which has a dependency of gitpython >=3.1.30

failed to get git::codecommit::us-east-1://test?ref=v1.0.0 because of The codecommit:: protocol looks suspicious, use allow_unsafe_protocols=True to allow it.

Gitpython complains that the codecommit url is not safe. If I manually install gitpython 3.1.29 then the below error doesnt show but it conflicts with checkov dependency

commented

Thanks for reporting. I presume that trying to set allow_unsafe_protocols=True when making the call to GitPython, whichever it is, isn't possible?

It seems you have control over the GitPython dependency, so I'd assume there is control over what's called and how.
The way to solve this issue is to follow the instructions on how to solve it, however, maybe that's not possible here for a reason I'd still like to understand.

A possible course of action would be to explicitly allow codecommit URLs, which might be better than telling folks to not perform any check at all. However, this really depends on the use-case and my feeling is that here it's OK to disable the safety-check.

commented

Same here. I received the warning and I was able to circumvent it with allow_unsafe_protocols=True option.
However, I would like GitPython to accept codecommit repo path like this: codecommit::ap-northeast-2://YOUR-AWS-PROFILE@your-codecommit-repo without the warning. CodeCommit is quite often used git repo URL in AWS related projects. Setting allow_unsafe_protocols=True option raises unnecessary code lint warnings.
For your reference, this is relevant document: https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-git-remote-codecommit.html

commented

I think in order to do this correctly, GitPython would have to respect the configuration, which probably is setup to allow codecommit explicitly.

Special exceptions for codecommit can't be made to not poke a hole into this defence, so users must explicitly allow certain protocols and assure that this will launch the correct helper binary.