Skip to content

Commit

Permalink
Set allow-unverified-downloads in initremote
Browse files Browse the repository at this point in the history
This config setting is meant to protect against downloads from sources
that can potentially be spoofed, e.g. private IP addresses which could
be assigned to different machines on different networks. We know that
this isn't the case for the CDS remote: the target for requests is
always determined by the cdsapi package, which in turn talks to the CDS
service and does TLS verification due to using HTTPS.

This means that we are unaffected by the security issue the setting is
meant to protect against. So there is no need for a user of the CDS
special remote to manually set the option in every repository, we might
as well do it for them.
  • Loading branch information
matrss committed Aug 28, 2024
1 parent 8653448 commit 4d3fe0e
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 7 deletions.
16 changes: 15 additions & 1 deletion src/datalad_cds/cds_remote.py
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,21 @@ class CDSRemote(SpecialRemote):
remove = None

def initremote(self) -> None:
pass
# Setting this here feels a bit rude, but we know that what we download is at
# least verified by a TLS certificate of the CDS, so this security issue doesn't
# affect the CDS special remote.
result = subprocess.run(
[
"git",
"config",
"remote.cds.annex-security-allow-unverified-downloads",
"ACKTHPPT",
],
capture_output=True,
text=True,
)
if result.returncode != 0:
raise RemoteError("unable to set necessary git config")

Check warning on line 31 in src/datalad_cds/cds_remote.py

View check run for this annotation

Codecov / codecov/patch

src/datalad_cds/cds_remote.py#L31

Added line #L31 was not covered by tests

def prepare(self) -> None:
pass
Expand Down
6 changes: 0 additions & 6 deletions tests/conftest.py
Original file line number Diff line number Diff line change
Expand Up @@ -33,10 +33,4 @@ def single_file_dataset(request: SubRequest, empty_dataset: da.Dataset) -> da.Da
lazy=request.param == "lazy",
path="download.grib",
)
if request.param == "lazy":
dataset.configuration(
"set",
[("remote.cds.annex-security-allow-unverified-downloads", "ACKTHPPT")],
scope="local",
)
return dataset

0 comments on commit 4d3fe0e

Please sign in to comment.