@aikidosec/safe-chain 0.0.1-custom-install-dir

package/src/registryProxy/certBundle.js

@@ -0,0 +1,203 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+// @ts-ignore - certifi has no type definitions
+import certifi from "certifi";
+import tls from "node:tls";
+import { X509Certificate } from "node:crypto";
+import { getCaCertPath } from "./certUtils.js";
+import { ui } from "../environment/userInteraction.js";
+
+/** @type {string | null} */
+let bundlePath = null;
+
+/**
+ * Check if a PEM string contains only parsable cert blocks.
+ * @param {string} pem - PEM-encoded certificate string
+ * @returns {boolean}
+ */
+function isParsable(pem) {
+  if (!pem || typeof pem !== "string") return false;
+  pem = normalizeLineEndings(pem);
+  const begin = "-----BEGIN CERTIFICATE-----";
+  const end = "-----END CERTIFICATE-----";
+  const blocks = [];
+
+  let idx = 0;
+  while (idx < pem.length) {
+    const start = pem.indexOf(begin, idx);
+    if (start === -1) break;
+    const stop = pem.indexOf(end, start + begin.length);
+    if (stop === -1) break;
+    const blockEnd = stop + end.length;
+    blocks.push(pem.slice(start, blockEnd));
+    idx = blockEnd;
+  }
+
+  if (blocks.length === 0) return false;
+  try {
+    for (const b of blocks) {
+      // throw if invalid
+      new X509Certificate(b);
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Build a combined CA bundle.
+ * Automatically includes:
+ * - Safe Chain CA (for MITM of known registries)
+ * - Mozilla roots via certifi (for public HTTPS)
+ * - Node's built-in root certificates (fallback)
+ * - User's custom certificates (if NODE_EXTRA_CA_CERTS environment variable is set)
+ * 
+ * @returns {string} Path to the combined CA bundle PEM file
+ */
+export function getCombinedCaBundlePath() {
+  if (bundlePath)
+  {
+    return bundlePath;
+  }
+
+  const parts = [];
+
+  // 1) Safe Chain CA (for MITM'd registries)
+  const safeChainPath = getCaCertPath();
+  try {
+    const safeChainPem = fs.readFileSync(safeChainPath, "utf8");
+    if (isParsable(safeChainPem)) parts.push(safeChainPem.trim());
+  } catch {
+    // Ignore if Safe Chain CA is not available
+  }
+
+  // 2) certifi (Mozilla CA bundle for all public HTTPS)
+  try {
+    const certifiPem = fs.readFileSync(certifi, "utf8");
+    if (isParsable(certifiPem)) parts.push(certifiPem.trim());
+  } catch {
+    // Ignore if certifi bundle is not available
+  }
+
+  // 3) Node's built-in root certificates
+  try {
+    const nodeRoots = tls.rootCertificates;
+    if (Array.isArray(nodeRoots) && nodeRoots.length) {
+      for (const rootPem of nodeRoots) {
+        if (typeof rootPem !== "string") continue;
+        if (isParsable(rootPem)) parts.push(rootPem.trim());
+      }
+    }
+  } catch {
+    // Ignore if unavailable
+  }
+
+  // 4) User's NODE_EXTRA_CA_CERTS (if set)
+  const userCertPath = process.env.NODE_EXTRA_CA_CERTS;
+  if (userCertPath) {
+    const userPem = readUserCertificateFile(userCertPath);
+    if (userPem) {
+      parts.push(userPem.trim());
+      ui.writeVerbose(`Safe-chain: Merging user's NODE_EXTRA_CA_CERTS from ${userCertPath}`);
+    } else {
+      ui.writeWarning(`Safe-chain: Could not read or parse user's NODE_EXTRA_CA_CERTS from ${userCertPath}`);
+    }
+  }
+
+  const combined = parts.filter(Boolean).join("\n");
+  bundlePath = path.join(os.tmpdir(), `safe-chain-ca-bundle-${Date.now()}.pem`);
+  fs.writeFileSync(bundlePath, combined, { encoding: "utf8" });
+  return bundlePath;
+}
+
+/**
+ * Remove the generated CA bundle file from disk.
+ */
+export function cleanupCertBundle() {
+  if (bundlePath) {
+    try {
+      fs.unlinkSync(bundlePath);
+    } catch (err) {
+      ui.writeVerbose(`Failed to cleanup the create bundle at ${bundlePath}`, err)
+    }
+    bundlePath = null;
+  }
+}
+
+/**
+ * Normalize path
+ * @param {string} p - Path to normalize
+ * @returns {string}
+ */
+function normalizePathF(p) {
+  return p.replace(/\\/g, "/");
+}
+
+/**
+ * Normalize line endings to LF
+ * @param {string} text - Text with mixed line endings
+ * @returns {string}
+ */
+function normalizeLineEndings(text) {
+  return text.replace(/\r\n/g, "\n").replace(/\r/g, "\n");
+}
+
+/**
+ * Read and validate user certificate file
+ * @param {string} certPath - Path to certificate file
+ * @returns {string | null} Certificate PEM content or null if invalid/unreadable
+ */
+function readUserCertificateFile(certPath) {
+  try {
+    // 1) Basic validation
+    if (typeof certPath !== "string" || certPath.trim().length === 0) {
+      return null;
+    }
+
+    // 2) Reject path traversal attempts (normalize backslashes first for Windows paths)
+    const normalizedPath = normalizePathF(certPath);
+    if (normalizedPath.includes("..")) {
+      return null;
+    }
+
+    // 3) Check if file exists and is not a directory or symlink
+    let stats;
+    try {
+      stats = fs.lstatSync(certPath);
+    } catch {
+      // File doesn't exist or can't be accessed
+      return null;
+    }
+
+    if (!stats.isFile()) {
+      // Reject directories and symlinks
+      return null;
+    }
+
+    // 4) Read file content
+    let content;
+    try {
+      content = fs.readFileSync(certPath, "utf8");
+    } catch {
+      return null;
+    }
+
+    if (!content || typeof content !== "string") {
+      return null;
+    }
+
+    // 5) Validate PEM format
+    if (!isParsable(content)) {
+      return null;
+    }
+
+    return content;
+  } catch {
+    // Silently fail on any errors
+    return null;
+  }
+}
+
+

package/src/registryProxy/certUtils.js

@@ -0,0 +1,178 @@
+import forge from "node-forge";
+import path from "path";
+import fs from "fs";
+import { getCertsDir } from "../config/safeChainDir.js";
+
+const ca = loadCa();
+
+const certCache = new Map();
+
+/**
+ * @param {forge.pki.PublicKey} publicKey
+ * @returns {string}
+ */
+function createKeyIdentifier(publicKey) {
+  return forge.pki.getPublicKeyFingerprint(publicKey, {
+    encoding: "binary",
+    md: forge.md.sha1.create(),
+  });
+}
+
+export function getCaCertPath() {
+  return path.join(getCertsDir(), "ca-cert.pem");
+}
+
+/**
+ * @param {string} hostname
+ * @returns {{privateKey: string, certificate: string}}
+ */
+export function generateCertForHost(hostname) {
+  let existingCert = certCache.get(hostname);
+  if (existingCert) {
+    return existingCert;
+  }
+
+  const keys = forge.pki.rsa.generateKeyPair(2048);
+  const cert = forge.pki.createCertificate();
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = "01";
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setHours(cert.validity.notBefore.getHours() + 1);
+
+  const attrs = [{ name: "commonName", value: hostname }];
+  cert.setSubject(attrs);
+  cert.setIssuer(ca.certificate.subject.attributes);
+  const authorityKeyIdentifier = createKeyIdentifier(ca.certificate.publicKey);
+  cert.setExtensions([
+    {
+      name: "subjectAltName",
+      altNames: [
+        {
+          type: 2, // DNS
+          value: hostname,
+        },
+      ],
+    },
+    {
+      name: "keyUsage",
+      digitalSignature: true,
+      keyEncipherment: true,
+    },
+    {
+      /*
+        Extended Key Usage (EKU) serverAuth extension
+
+        Needed for TLS server authentication. This extension indicates the certificate's
+        public key may be used for TLS WWW server authentication.
+        Python virtualenv environments (like pipx-installed Poetry) enforce this strictly
+        https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.12
+      */
+      name: "extKeyUsage",
+      serverAuth: true,
+    },
+    {
+      /*
+        Subject Key Identifier (SKI)
+        
+        Needed for Python virtualenv SSL validation and certificate chain building.
+        This extension provides a means of identifying certificates containing a particular public key.
+        Python virtualenv environments require this for proper certificate chain validation.
+        System Python installations may be more lenient.
+        https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2
+      */
+      name: "subjectKeyIdentifier",
+      subjectKeyIdentifier: createKeyIdentifier(cert.publicKey),
+    },
+    {
+      /*
+        Authority Key Identifier (AKI)
+        
+        Needed for Python virtualenv SSL validation and certificate path validation.
+        This extension identifies the public key corresponding to the private key used to sign
+        this certificate. It links this certificate to its issuing CA certificate.
+        Without this, Python virtualenv certificate validation might fail (for instance for Poetry)
+        https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
+      */
+      name: "authorityKeyIdentifier",
+      keyIdentifier: authorityKeyIdentifier,
+    },
+  ]);
+  cert.sign(ca.privateKey, forge.md.sha256.create());
+
+  const result = {
+    privateKey: forge.pki.privateKeyToPem(keys.privateKey),
+    certificate: forge.pki.certificateToPem(cert),
+  };
+
+  certCache.set(hostname, result);
+
+  return result;
+}
+
+function loadCa() {
+  const certFolder = getCertsDir();
+  const keyPath = path.join(certFolder, "ca-key.pem");
+  const certPath = path.join(certFolder, "ca-cert.pem");
+
+  if (fs.existsSync(keyPath) && fs.existsSync(certPath)) {
+    const privateKeyPem = fs.readFileSync(keyPath, "utf8");
+    const certPem = fs.readFileSync(certPath, "utf8");
+    const privateKey = forge.pki.privateKeyFromPem(privateKeyPem);
+    const certificate = forge.pki.certificateFromPem(certPem);
+
+    // Don't return a cert that is valid for less than 1 hour
+    const oneHourFromNow = new Date(Date.now() + 60 * 60 * 1000);
+    if (certificate.validity.notAfter > oneHourFromNow) {
+      return { privateKey, certificate };
+    }
+  }
+
+  const { privateKey, certificate } = generateCa();
+  fs.mkdirSync(certFolder, { recursive: true });
+  fs.writeFileSync(keyPath, forge.pki.privateKeyToPem(privateKey));
+  fs.writeFileSync(certPath, forge.pki.certificateToPem(certificate));
+  return { privateKey, certificate };
+}
+
+function generateCa() {
+  const keys = forge.pki.rsa.generateKeyPair(2048);
+  const cert = forge.pki.createCertificate();
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = "01";
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setDate(cert.validity.notBefore.getDate() + 1);
+
+  const attrs = [{ name: "commonName", value: "safe-chain proxy" }];
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs); // Self-signed: issuer === subject
+  const keyIdentifier = createKeyIdentifier(cert.publicKey);
+  cert.setExtensions([
+    {
+      name: "basicConstraints",
+      cA: true,
+      critical: true, // Marking basicConstraints as critical is required for CA certificates so clients must process it to trust the cert as a CA
+    },
+    {
+      name: "keyUsage",
+      keyCertSign: true,
+      digitalSignature: true,
+      keyEncipherment: true,
+    },
+    {
+      name: "subjectKeyIdentifier",
+      subjectKeyIdentifier: keyIdentifier,
+    },
+    {
+      name: "authorityKeyIdentifier",
+      keyIdentifier,
+    },
+  ]);
+  cert.sign(keys.privateKey, forge.md.sha256.create());
+
+  return {
+    privateKey: keys.privateKey,
+    certificate: cert,
+  };
+}

package/src/registryProxy/getConnectTimeout.js

@@ -0,0 +1,13 @@
+import { isImdsEndpoint } from "./isImdsEndpoint.js";
+
+/**
+ * Returns appropriate connection timeout for a host.
+ * - IMDS endpoints: 3s (fail fast when outside cloud, reduce 5min delay to ~20s)
+ * - Other endpoints: 30s (allow for slow networks while preventing indefinite hangs)
+ */
+export function getConnectTimeout(/** @type {string} */ host) {
+  if (isImdsEndpoint(host)) {
+    return 3000;
+  }
+  return 30000;
+}

package/src/registryProxy/http-utils.js

@@ -0,0 +1,80 @@
+/**
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @param {string} headerName
+ */
+export function getHeaderValueAsString(headers, headerName) {
+  if (!headers) {
+    return undefined;
+  }
+
+  let header = headers[headerName];
+
+  if (Array.isArray(header)) {
+    return header.join(", ");
+  }
+
+  return header;
+}
+
+/**
+ * Returns a copy of headers without the provided header names, matched
+ * either exactly or case-insensitively.
+ *
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @param {string[]} headerNames
+ * @param {{ caseInsensitive?: boolean }} [options]
+ * @returns {NodeJS.Dict<string | string[]> | undefined}
+ */
+export function omitHeaders(headers, headerNames, options = {}) {
+  if (!headers) {
+    return headers;
+  }
+
+  const omittedHeaderNames = new Set(
+    options.caseInsensitive
+      ? headerNames.map((name) => name.toLowerCase())
+      : headerNames
+  );
+  /** @type {NodeJS.Dict<string | string[]>} */
+  const filteredHeaders = {};
+
+  for (const [headerName, value] of Object.entries(headers)) {
+    const comparableHeaderName = options.caseInsensitive
+      ? headerName.toLowerCase()
+      : headerName;
+    if (!omittedHeaderNames.has(comparableHeaderName)) {
+      filteredHeaders[headerName] = value;
+    }
+  }
+
+  return filteredHeaders;
+}
+
+/**
+ * Remove headers that become stale when the response body is modified.
+ *
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @returns {void}
+ */
+export function clearCachingHeaders(headers) {
+  if (!headers) {
+    return;
+  }
+
+  const filteredHeaders = omitHeaders(headers, [
+    "etag",
+    "last-modified",
+    "cache-control",
+    "content-length",
+  ]);
+
+  if (!filteredHeaders) {
+    return;
+  }
+
+  for (const key of Object.keys(headers)) {
+    delete headers[key];
+  }
+
+  Object.assign(headers, filteredHeaders);
+}

package/src/registryProxy/interceptors/createInterceptorForEcoSystem.js

@@ -0,0 +1,25 @@
+import {
+  ECOSYSTEM_JS,
+  ECOSYSTEM_PY,
+  getEcoSystem,
+} from "../../config/settings.js";
+import { npmInterceptorForUrl } from "./npm/npmInterceptor.js";
+import { pipInterceptorForUrl } from "./pip/pipInterceptor.js";
+
+/**
+ * @param {string} url
+ * @returns {import("./interceptorBuilder.js").Interceptor | undefined}
+ */
+export function createInterceptorForUrl(url) {
+  const ecosystem = getEcoSystem();
+
+  if (ecosystem === ECOSYSTEM_JS) {
+    return npmInterceptorForUrl(url);
+  }
+
+  if (ecosystem === ECOSYSTEM_PY) {
+    return pipInterceptorForUrl(url);
+  }
+
+  return undefined;
+}

package/src/registryProxy/interceptors/interceptorBuilder.js

@@ -0,0 +1,179 @@
+import { EventEmitter } from "events";
+
+/**
+ * @typedef {Object} Interceptor
+ * @property {(targetUrl: string) => Promise<RequestInterceptionHandler>} handleRequest
+ * @property {(event: string, listener: (...args: any[]) => void) => Interceptor} on
+ * @property {(event: string, ...args: any[]) => boolean} emit
+ *
+ *
+ * @typedef {Object} RequestInterceptionContext
+ * @property {string} targetUrl
+ * @property {(packageName: string | undefined, version: string | undefined) => void} blockMalware
+ * @property {(packageName: string, version: string, message: string) => void} blockMinimumAgeRequest
+ * @property {(modificationFunc: (headers: NodeJS.Dict<string | string[]>) => NodeJS.Dict<string | string[]>) => void} modifyRequestHeaders
+ * @property {(modificationFunc: (body: Buffer, headers: NodeJS.Dict<string | string[]> | undefined) => Buffer) => void} modifyBody
+ * @property {() => RequestInterceptionHandler} build
+ *
+ *
+ * @typedef {Object} RequestInterceptionHandler
+ * @property {{statusCode: number, message: string} | undefined} blockResponse
+ * @property {(headers: NodeJS.Dict<string | string[]> | undefined) => NodeJS.Dict<string | string[]> | undefined} modifyRequestHeaders
+ * @property {() => boolean} modifiesResponse
+ * @property {(body: Buffer, headers: NodeJS.Dict<string | string[]> | undefined) => Buffer} modifyBody
+ *
+ * @typedef {Object} MalwareBlockedEvent
+ * @property {string} packageName
+ * @property {string} version
+ * @property {string} targetUrl
+ * @property {number} timestamp
+ *
+ * @typedef {Object} MinimumAgeRequestBlockedEvent
+ * @property {string} packageName
+ * @property {string} version
+ * @property {string} targetUrl
+ * @property {number} timestamp
+ */
+
+/**
+ * @param {(requestHandlerBuilder: RequestInterceptionContext) => Promise<void>} requestInterceptionFunc
+ * @returns {Interceptor}
+ */
+export function interceptRequests(requestInterceptionFunc) {
+  return buildInterceptor([requestInterceptionFunc]);
+}
+
+/**
+ * @param {Array<(requestHandlerBuilder: RequestInterceptionContext) => Promise<void>>} requestHandlers
+ * @returns {Interceptor}
+ */
+function buildInterceptor(requestHandlers) {
+  const eventEmitter = new EventEmitter();
+
+  return {
+    async handleRequest(targetUrl) {
+      const requestContext = createRequestContext(targetUrl, eventEmitter);
+
+      for (const handler of requestHandlers) {
+        await handler(requestContext);
+      }
+
+      return requestContext.build();
+    },
+    on(event, listener) {
+      eventEmitter.on(event, listener);
+      return this;
+    },
+    emit(event, ...args) {
+      return eventEmitter.emit(event, ...args);
+    },
+  };
+}
+
+/**
+ * @param {string} targetUrl
+ * @param {import('events').EventEmitter} eventEmitter
+ * @returns {RequestInterceptionContext}
+ */
+function createRequestContext(targetUrl, eventEmitter) {
+  /** @type {{statusCode: number, message: string} | undefined}  */
+  let blockResponse = undefined;
+  /** @type {Array<(headers: NodeJS.Dict<string | string[]>) => NodeJS.Dict<string | string[]>>} */
+  let reqheaderModificationFuncs = [];
+  /** @type {Array<(body: Buffer, headers: NodeJS.Dict<string | string[]> | undefined) => Buffer>} */
+  let modifyBodyFuncs = [];
+
+  /**
+   * @param {string | undefined} packageName
+   * @param {string | undefined} version
+   */
+  function blockMalwareSetup(packageName, version) {
+    blockResponse = createBlockResponse("Forbidden - blocked by safe-chain");
+
+    // Emit the malwareBlocked event
+    eventEmitter.emit("malwareBlocked", {
+      packageName,
+      version,
+      targetUrl,
+      timestamp: Date.now(),
+    });
+  }
+
+  /**
+   * @param {string} message
+   */
+  function blockMinimumAgeRequestSetup(
+    /** @type {string} */ packageName,
+    /** @type {string} */ version,
+    /** @type {string} */ message
+  ) {
+    blockResponse = createBlockResponse(message);
+    eventEmitter.emit("minimumAgeRequestBlocked", {
+      packageName,
+      version,
+      targetUrl,
+      timestamp: Date.now(),
+    });
+  }
+
+  /**
+   * @param {string} message
+   * @returns {{statusCode: number, message: string}}
+   */
+  function createBlockResponse(message) {
+    return {
+      statusCode: 403,
+      message,
+    };
+  }
+
+  /** @returns {RequestInterceptionHandler} */
+  function build() {
+    /**
+     * @param {NodeJS.Dict<string | string[]> | undefined} headers
+     * @returns {NodeJS.Dict<string | string[]> | undefined}
+     */
+    function modifyRequestHeaders(headers) {
+      if (headers) {
+        for (const func of reqheaderModificationFuncs) {
+          func(headers);
+        }
+      }
+
+      return headers;
+    }
+
+    /**
+     * @param {Buffer} body
+     * @param {NodeJS.Dict<string | string[]> | undefined} headers
+     * @returns {Buffer}
+     */
+    function modifyBody(body, headers) {
+      let modifiedBody = body;
+
+      for (var func of modifyBodyFuncs) {
+        modifiedBody = func(body, headers);
+      }
+
+      return modifiedBody;
+    }
+
+    // These functions are invoked in the proxy, allowing to apply the configured modifications
+    return {
+      blockResponse,
+      modifyRequestHeaders: modifyRequestHeaders,
+      modifiesResponse: () => modifyBodyFuncs.length > 0,
+      modifyBody,
+    };
+  }
+
+  // These functions are used to setup the modifications
+  return {
+    targetUrl,
+    blockMalware: blockMalwareSetup,
+    blockMinimumAgeRequest: blockMinimumAgeRequestSetup,
+    modifyRequestHeaders: (func) => reqheaderModificationFuncs.push(func),
+    modifyBody: (func) => modifyBodyFuncs.push(func),
+    build,
+  };
+}