bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0
6.83k stars 1.09k forks

fix(general): tolerate ${HTTPS_PROXY} without a scheme #6235

Open andrew-rowson-lseg opened 3 months ago

andrew-rowson-lseg commented 3 months ago

Description

urllib3.ProxyManager is quite opinionated about the value passed in as the proxy URL, in that it must at least have a scheme. Creating a ProxyManager with a schemeless URL throws an exception:

urllib3.exceptions.ProxySchemeUnknown: Proxy URL had no scheme, should start with http:// or https://

Checkov passes the value of os.environ['https_proxy'] directly into ProxyManager in platform_integration.py, so if this value happens to not start with http:// or https://, then checkov crashes out.

I couldn't find anything authoritative on whether ${HTTPS_PROXY} should or shouldn't have a scheme. The best reference I could find was from the curl manual (https://curl.se/docs/manpage.html) which shows the "protocol" part as being optional.

HTTPS_PROXY [protocol://]<host>[:port]

Given that it then seems valid for ${HTTPS_PROXY} to contain a bare hostname (or host:port) pair, and it's certainly true in my environment, this patch checks to see if a scheme is present in the env var and then adds in a default if it's absent.

Checklist:
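An added example, not part of the PR and not Checkov's code: one way to normalize a proxy value before it reaches urllib3.ProxyManager, so that a bare host or host:port gets a default scheme and anything else unsupported is rejected up front. The helper names, the `http` default and the sample hostnames are assumptions; the page does not show which default the patch uses.

```python
from urllib.parse import urlsplit

# The two schemes named in the urllib3 error message quoted above.
ALLOWED_SCHEMES = {"http", "https"}
# Assumption: the default the PR actually applies is not shown on this page.
DEFAULT_SCHEME = "http"


def normalize_proxy_url(raw, default_scheme=DEFAULT_SCHEME):
    """Return a proxy URL that always carries a scheme, or None if unset.

    Hypothetical helper for illustration only.
    """
    value = (raw or "").strip()
    if not value:
        return None
    # Test for "://" instead of urlsplit(value).scheme: depending on the
    # Python version, "host:3128" can be parsed with the host as the scheme.
    if "://" not in value:
        value = f"{default_scheme}://{value}"
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported proxy scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("proxy URL has no host")
    _ = parts.port  # raises ValueError on a non-numeric or out-of-range port
    return value


def redact_proxy_url(url):
    """Drop user:password@ so the proxy URL can be written to logs."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{host}{port}"


if __name__ == "__main__":
    # Constructed sample values, not taken from the PR.
    for sample in ("proxy.corp.example:3128", "https://proxy.corp.example",
                   "user:secret@proxy.corp.example:3128"):
        print(sample, "->", redact_proxy_url(normalize_proxy_url(sample)))
```

Failing with a clear ValueError at startup keeps a malformed proxy variable from surfacing later as an unrelated crash, and redacting userinfo keeps proxy credentials out of debug output.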