Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS Codecommit URLs marked as suspisious #1805

Open
multiverseloop opened this issue Jan 18, 2024 · 3 comments
Open

AWS Codecommit URLs marked as suspisious #1805

multiverseloop opened this issue Jan 18, 2024 · 3 comments

Comments

@multiverseloop
Copy link

multiverseloop commented Jan 18, 2024

I have a terraform module code as below -

module "security_vpc_ap" {
  source = "git::codecommit::us-east-1://test?ref=v1.0.0"
  name = "test-vpc"
  cidr = var.test_cidr
  enable_dns_hostnames = true
  enable_dns_support   = true
  # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
  enable_flow_log                      = true
  create_flow_log_cloudwatch_log_group = true
  create_flow_log_cloudwatch_iam_role  = true
  flow_log_max_aggregation_interval    = 60
}
.

I am running static code analysis tool checkov which has a dependency of gitpython >=3.1.30

failed to get git::codecommit::us-east-1://test?ref=v1.0.0 because of The codecommit:: protocol looks suspicious, use allow_unsafe_protocols=True to allow it.

Gitpython complains that the codecommit url is not safe. If I manually install gitpython 3.1.29 then the below error doesnt show but it conflicts with checkov dependency

@Byron
Copy link
Member

Byron commented Jan 18, 2024

Thanks for reporting. I presume that trying to set allow_unsafe_protocols=True when making the call to GitPython, whichever it is, isn't possible?

It seems you have control over the GitPython dependency, so I'd assume there is control over what's called and how.
The way to solve this issue is to follow the instructions on how to solve it, however, maybe that's not possible here for a reason I'd still like to understand.

A possible course of action would be to explicitly allow codecommit URLs, which might be better than telling folks to not perform any check at all. However, this really depends on the use-case and my feeling is that here it's OK to disable the safety-check.

@byongwu
Copy link

byongwu commented Apr 3, 2024

Same here. I received the warning and I was able to circumvent it with allow_unsafe_protocols=True option.
However, I would like GitPython to accept codecommit repo path like this: codecommit::ap-northeast-2://YOUR-AWS-PROFILE@your-codecommit-repo without the warning. CodeCommit is quite often used git repo URL in AWS related projects. Setting allow_unsafe_protocols=True option raises unnecessary code lint warnings.
For your reference, this is relevant document: https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-git-remote-codecommit.html

@Byron
Copy link
Member

Byron commented Apr 3, 2024

I think in order to do this correctly, GitPython would have to respect the configuration, which probably is setup to allow codecommit explicitly.

Special exceptions for codecommit can't be made to not poke a hole into this defence, so users must explicitly allow certain protocols and assure that this will launch the correct helper binary.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

No branches or pull requests

3 participants