AWS Codecommit URLs marked as suspisious
multiverseloop opened this issue · comments
I have a terraform module code as below -
module "security_vpc_ap" {
source = "git::codecommit::us-east-1://test?ref=v1.0.0"
name = "test-vpc"
cidr = var.test_cidr
enable_dns_hostnames = true
enable_dns_support = true
# VPC Flow Logs (Cloudwatch log group and IAM role will be created)
enable_flow_log = true
create_flow_log_cloudwatch_log_group = true
create_flow_log_cloudwatch_iam_role = true
flow_log_max_aggregation_interval = 60
}
.
I am running static code analysis tool checkov which has a dependency of gitpython >=3.1.30
failed to get git::codecommit::us-east-1://test?ref=v1.0.0 because of The codecommit::
protocol looks suspicious, use allow_unsafe_protocols=True
to allow it.
Gitpython complains that the codecommit url is not safe. If I manually install gitpython 3.1.29 then the below error doesnt show but it conflicts with checkov dependency
Thanks for reporting. I presume that trying to set allow_unsafe_protocols=True
when making the call to GitPython, whichever it is, isn't possible?
It seems you have control over the GitPython dependency, so I'd assume there is control over what's called and how.
The way to solve this issue is to follow the instructions on how to solve it, however, maybe that's not possible here for a reason I'd still like to understand.
A possible course of action would be to explicitly allow codecommit
URLs, which might be better than telling folks to not perform any check at all. However, this really depends on the use-case and my feeling is that here it's OK to disable the safety-check.
Same here. I received the warning and I was able to circumvent it with allow_unsafe_protocols=True
option.
However, I would like GitPython to accept codecommit repo path like this: codecommit::ap-northeast-2://YOUR-AWS-PROFILE@your-codecommit-repo
without the warning. CodeCommit is quite often used git repo URL in AWS related projects. Setting allow_unsafe_protocols=True
option raises unnecessary code lint warnings.
For your reference, this is relevant document: https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-git-remote-codecommit.html
I think in order to do this correctly, GitPython would have to respect the configuration, which probably is setup to allow codecommit
explicitly.
Special exceptions for codecommit
can't be made to not poke a hole into this defence, so users must explicitly allow certain protocols and assure that this will launch the correct helper binary.