PYTHON-5931 PYTHON-5935 Fix auth-aws-ecs and kms test failures#2933
PYTHON-5931 PYTHON-5935 Fix auth-aws-ecs and kms test failures#2933blink1073 wants to merge 4 commits into
Conversation
Fixes dependency resolution failure when uv needs git to fetch the mockupdb dependency.
There was a problem hiding this comment.
Pull request overview
Updates the Evergreen ECS-host test setup for MONGODB-AWS authentication by ensuring the test container has the missing git dependency required for the auth-aws-ecs test to run successfully.
Changes:
- Install
gitalongsidebuild-essentialin the ECS test bootstrap script.
|
This is the wrong approach - we need to pass UV_NO_LOCK to the ecs and kms environments, that's what we were missing from #2881 |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Both tests fail because a local-dev-only dependency sync step runs unguarded on remote/ephemeral hosts, forcing resolution of a git-based test dependency that isn't needed there.
| [tool.uv] | ||
| # Only sync the (empty) dev group by default; groups like mockupdb require | ||
| # an explicit --group flag so hosts without git aren't forced to resolve it. | ||
| default-groups = ["dev"] |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
[tool.uv] has no exclude-newer setting, so uv may immediately install freshly published dependency versions. That lets a malicious new release of packages like gevent, simplejson, or ruff reach developer or CI environments right away.
More details about this
[tool.uv] sets default-groups = ["dev"] but does not set exclude-newer, so uv can resolve package versions published moments earlier during installs or syncs. In this project, a developer or CI job running uv sync could pull a just-uploaded release for dependencies such as gevent, coverage, simplejson, typing_extensions, or even tooling like ruff and mypy.
A plausible attack looks like this:
- An attacker compromises a package maintainer account or publishes a malicious dependency version that satisfies one of these version ranges, for example
simplejson>=3.17.0orgevent>=21.12. - They upload the bad release to the package index and wait for this repository to run
uv syncor anotheruvresolution step using this[tool.uv]configuration. - Because
[tool.uv]has noexclude-newer,uvis allowed to select that brand-new version immediately. - The malicious package then runs in the developer or CI environment during install or import, letting the attacker steal tokens, read source code, or alter test/build output.
Without a cooldown in this exact uv config block, the project has no buffer period to avoid freshly published dependency versions that may be malicious or unstable.
To resolve this comment:
✨ Commit fix suggestion
- Add a dependency cooldown to the
[tool.uv]section by insertingexclude-newer = "7 days"alongside the existing settings. - Keep the existing
default-groups = ["dev"]entry as-is, so the section looks like[tool.uv] ... default-groups = ["dev"] ... exclude-newer = "7 days". - Use at least
7 daysfor this value; do not use a smaller number or a different format. This makesuvavoid resolving packages published too recently.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by uv-missing-dependency-cooldown.
🛟 Help? Slack #semgrep-help or go/semgrep-help.
Resolution Options:
- Fix the code
- Reply
/fp $reason(if security gap doesn’t exist) - Reply
/ar $reason(if gap is valid but intentional; add mitigations/monitoring) - Reply
/other $reason(e.g., test-only)
You can view more details about this finding in the Semgrep AppSec Platform.
Replaces the duplicated bash date computation in configure-env.sh, justfile, setup-tests.sh, and run-tests.sh with a single exclude-newer setting, so the cooldown also applies to ad-hoc uv invocations that bypass those wrapper scripts.
The ecs container has no git, so it can't resolve mockupdb's git dependency itself. Generate the lock on the host instead (where git is available) and have the container install from it frozen.
PYTHON-5931 / PYTHON-5935
Changes in this PR
Fixes the auth-aws-ecs and kms (Azure/GCP) Evergreen tests, which were both failing on their remote/ephemeral test hosts.
Test Plan
Verified with a passing Evergreen patch covering all affected tasks (test-auth-aws-ecs, test-gcpkms, test-azurekms, and the auth_oidc remote variants): https://spruce.corp.mongodb.com/patch/6a518b361480fd00075f1a1d
Checklist
Checklist for Author
Checklist for Reviewer