@aikidosec/safe-chain 0.0.1-custom-install-dir

package/src/scanning/newPackagesListCache.js

@@ -0,0 +1,126 @@
+import fs from "fs";
+import {
+  fetchNewPackagesList,
+  fetchNewPackagesListVersion,
+} from "../api/aikido.js";
+import {
+  getNewPackagesListPath,
+  getNewPackagesListVersionPath,
+} from "../config/configFile.js";
+import { ui } from "../environment/userInteraction.js";
+import { buildNewPackagesDatabase } from "./newPackagesDatabaseBuilder.js";
+import { warnOnceAboutUnavailableDatabase } from "./newPackagesDatabaseWarnings.js";
+
+/**
+ * @typedef {import("./newPackagesDatabaseBuilder.js").NewPackagesDatabase} NewPackagesDatabase
+ */
+
+// Shared per-process cache to avoid rebuilding the same feed-backed database on each request.
+/** @type {NewPackagesDatabase | null} */
+let cachedNewPackagesDatabase = null;
+
+/**
+ * @returns {Promise<NewPackagesDatabase>}
+ */
+export async function openNewPackagesDatabase() {
+  if (cachedNewPackagesDatabase) {
+    return cachedNewPackagesDatabase;
+  }
+
+  /** @type {import("../api/aikido.js").NewPackageEntry[]} */
+  let newPackagesList;
+
+  try {
+    newPackagesList = await getNewPackagesList();
+  } catch (/** @type {any} */ error) {
+    warnOnceAboutUnavailableDatabase(error);
+    cachedNewPackagesDatabase = { isNewlyReleasedPackage: () => false };
+    return cachedNewPackagesDatabase;
+  }
+
+  cachedNewPackagesDatabase = buildNewPackagesDatabase(newPackagesList);
+  return cachedNewPackagesDatabase;
+}
+
+/**
+ * @returns {Promise<import("../api/aikido.js").NewPackageEntry[]>}
+ */
+async function getNewPackagesList() {
+  const { newPackagesList: cachedList, version: cachedVersion } =
+    readNewPackagesListFromLocalCache();
+
+  try {
+    if (cachedList) {
+      const currentVersion = await fetchNewPackagesListVersion();
+      if (cachedVersion === currentVersion) {
+        return cachedList;
+      }
+    }
+
+    const { newPackagesList, version } = await fetchNewPackagesList();
+
+    if (version) {
+      writeNewPackagesListToLocalCache(newPackagesList, version);
+      return newPackagesList;
+    } else {
+      ui.writeWarning(
+        "The new packages list for direct package download request blocking was downloaded, but could not be cached due to a missing version."
+      );
+      return newPackagesList;
+    }
+  } catch (/** @type {any} */ error) {
+    if (cachedList) {
+      ui.writeWarning(
+        "Failed to fetch the latest new packages list for direct package download request blocking. Using cached version."
+      );
+      return cachedList;
+    }
+    throw error;
+  }
+}
+
+/**
+ * @param {import("../api/aikido.js").NewPackageEntry[]} data
+ * @param {string | number} version
+ *
+ * @returns {void}
+ */
+export function writeNewPackagesListToLocalCache(data, version) {
+  try {
+    const listPath = getNewPackagesListPath();
+    const versionPath = getNewPackagesListVersionPath();
+
+    fs.writeFileSync(listPath, JSON.stringify(data));
+    fs.writeFileSync(versionPath, version.toString());
+  } catch {
+    ui.writeWarning(
+      "Failed to write new packages list to local cache, next time the list will be fetched from the server again."
+    );
+  }
+}
+
+/**
+ * @returns {{newPackagesList: import("../api/aikido.js").NewPackageEntry[] | null, version: string | null}}
+ */
+export function readNewPackagesListFromLocalCache() {
+  try {
+    const listPath = getNewPackagesListPath();
+    if (!fs.existsSync(listPath)) {
+      return { newPackagesList: null, version: null };
+    }
+
+    const data = fs.readFileSync(listPath, "utf8");
+    const newPackagesList = JSON.parse(data);
+    const versionPath = getNewPackagesListVersionPath();
+    let version = null;
+    if (fs.existsSync(versionPath)) {
+      version = fs.readFileSync(versionPath, "utf8").trim();
+    }
+    return { newPackagesList, version };
+  } catch {
+    ui.writeWarning(
+      "Failed to read new packages list from local cache. Continuing without local cache."
+    );
+    return { newPackagesList: null, version: null };
+  }
+}

package/src/scanning/packageNameVariants.js

@@ -0,0 +1,29 @@
+import { ECOSYSTEM_PY } from "../config/settings.js";
+
+/**
+ * Normalises a Python package name per PEP 503: lowercase and collapse any
+ * run of `.`, `_`, or `-` into a single hyphen.
+ * @param {string} packageName
+ * @returns {string}
+ */
+export function normalizePipPackageName(packageName) {
+  return packageName.toLowerCase().replace(/[._-]+/g, "-");
+}
+
+/**
+ * @param {string} packageName
+ * @param {string} ecosystem
+ * @returns {string[]}
+ */
+export function getEquivalentPackageNames(packageName, ecosystem) {
+  if (ecosystem !== ECOSYSTEM_PY) {
+    return [packageName];
+  }
+
+  const pythonSeparatorPattern = /[._-]/g;
+  const hyphenName = packageName.replaceAll(pythonSeparatorPattern, "-");
+  const underscoreName = packageName.replaceAll(pythonSeparatorPattern, "_");
+  const dotName = packageName.replaceAll(pythonSeparatorPattern, ".");
+
+  return [...new Set([packageName, hyphenName, underscoreName, dotName])];
+}

package/src/shell-integration/helpers.js

@@ -0,0 +1,296 @@
+import { spawnSync } from "child_process";
+import * as os from "os";
+import fs from "fs";
+import path from "path";
+import { ECOSYSTEM_JS, ECOSYSTEM_PY } from "../config/settings.js";
+import { safeSpawn } from "../utils/safeSpawn.js";
+import { ui } from "../environment/userInteraction.js";
+
+/**
+ * @typedef {Object} AikidoTool
+ * @property {string} tool
+ * @property {string} aikidoCommand
+ * @property {string} ecoSystem
+ * @property {string} internalPackageManagerName
+ */
+
+/**
+ * @type {AikidoTool[]}
+ */
+export const knownAikidoTools = [
+  {
+    tool: "npm",
+    aikidoCommand: "aikido-npm",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "npm",
+  },
+  {
+    tool: "npx",
+    aikidoCommand: "aikido-npx",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "npx",
+  },
+  {
+    tool: "yarn",
+    aikidoCommand: "aikido-yarn",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "yarn",
+  },
+  {
+    tool: "pnpm",
+    aikidoCommand: "aikido-pnpm",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "pnpm",
+  },
+  {
+    tool: "pnpx",
+    aikidoCommand: "aikido-pnpx",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "pnpx",
+  },
+  {
+    tool: "bun",
+    aikidoCommand: "aikido-bun",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "bun",
+  },
+  {
+    tool: "bunx",
+    aikidoCommand: "aikido-bunx",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "bunx",
+  },
+  {
+    tool: "uv",
+    aikidoCommand: "aikido-uv",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "uv",
+  },
+  {
+    tool: "uvx",
+    aikidoCommand: "aikido-uvx",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "uvx",
+  },
+  {
+    tool: "pip",
+    aikidoCommand: "aikido-pip",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "pip",
+  },
+  {
+    tool: "pip3",
+    aikidoCommand: "aikido-pip3",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "pip",
+  },
+  {
+    tool: "poetry",
+    aikidoCommand: "aikido-poetry",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "poetry",
+  },
+  {
+    tool: "python",
+    aikidoCommand: "aikido-python",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "pip",
+  },
+  {
+    tool: "python3",
+    aikidoCommand: "aikido-python3",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "pip",
+  },
+  {
+    tool: "pipx",
+    aikidoCommand: "aikido-pipx",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "pipx",
+  },
+  // When adding a new tool here, also update the documentation for the new tool in the README.md
+];
+
+/**
+ * Returns a formatted string listing all supported package managers.
+ * Example: "npm, npx, yarn, pnpm, and pnpx commands"
+ */
+export function getPackageManagerList() {
+  const tools = knownAikidoTools.map((t) => t.tool);
+  if (tools.length <= 1) {
+    return `${tools[0] || ""} commands`;
+  }
+  if (tools.length === 2) {
+    return `${tools[0]} and ${tools[1]} commands`;
+  }
+  const lastTool = tools.pop();
+  return `${tools.join(", ")}, and ${lastTool} commands`;
+}
+
+/**
+ * @param {string} executableName
+ *
+ * @returns {boolean}
+ */
+export function doesExecutableExistOnSystem(executableName) {
+  if (os.platform() === "win32") {
+    const result = spawnSync("where", [executableName], { stdio: "ignore" });
+    return result.status === 0;
+  } else {
+    const result = spawnSync("which", [executableName], { stdio: "ignore" });
+    return result.status === 0;
+  }
+}
+
+/**
+ * @param {string} filePath
+ * @param {RegExp} pattern
+ * @param {string} [eol]
+ *
+ * @returns {void}
+ */
+export function removeLinesMatchingPattern(filePath, pattern, eol) {
+  if (!fs.existsSync(filePath)) {
+    return;
+  }
+
+  eol = eol || os.EOL;
+
+  const fileContent = fs.readFileSync(filePath, "utf-8");
+  const lines = fileContent.split(/\r?\n|\r|\u2028|\u2029/);
+  const updatedLines = lines.filter((line) => !shouldRemoveLine(line, pattern));
+  fs.writeFileSync(filePath, updatedLines.join(eol), "utf-8");
+}
+
+const maxLineLength = 100;
+
+/**
+ * @param {string} line
+ * @param {RegExp} pattern
+ * @returns {boolean}
+ */
+function shouldRemoveLine(line, pattern) {
+  const isPatternMatch = pattern.test(line);
+
+  if (!isPatternMatch) {
+    return false;
+  }
+
+  if (line.length > maxLineLength) {
+    // safe-chain only adds lines shorter than maxLineLength
+    // so if the line is longer, it must be from a different
+    // source and could be dangerous to remove
+    return false;
+  }
+
+  if (
+    line.includes("\n") ||
+    line.includes("\r") ||
+    line.includes("\u2028") ||
+    line.includes("\u2029")
+  ) {
+    // If the line contains newlines, something has gone wrong in splitting
+    // \u2028 and \u2029 are Unicode line separator characters (line and paragraph separators)
+    return false;
+  }
+
+  return true;
+}
+
+/**
+ * @param {string} filePath
+ * @param {string} line
+ * @param {string} [eol]
+ *
+ * @returns {void}
+ */
+export function addLineToFile(filePath, line, eol) {
+  createFileIfNotExists(filePath);
+
+  eol = eol || os.EOL;
+
+  const fileContent = fs.readFileSync(filePath, "utf-8");
+  let updatedContent = fileContent;
+
+  if (!fileContent.endsWith(eol)) {
+    updatedContent += eol;
+  }
+
+  updatedContent += line + eol;
+  fs.writeFileSync(filePath, updatedContent, "utf-8");
+}
+
+/**
+ * @param {string} filePath
+ *
+ * @returns {void}
+ */
+function createFileIfNotExists(filePath) {
+  if (fs.existsSync(filePath)) {
+    return;
+  }
+
+  const dir = path.dirname(filePath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+
+  fs.writeFileSync(filePath, "", "utf-8");
+}
+
+/**
+ * Checks if PowerShell execution policy allows script execution
+ * @param {string} shellExecutableName - The name of the PowerShell executable ("pwsh" or "powershell")
+ * @returns {Promise<{isValid: boolean, policy: string}>} validation result
+ */
+export async function validatePowerShellExecutionPolicy(shellExecutableName) {
+  // Security: Only allow known shell executables
+  const validShells = ["pwsh", "powershell"];
+  if (!validShells.includes(shellExecutableName)) {
+    return { isValid: false, policy: "Unknown" };
+  }
+
+  try {
+    // For Windows PowerShell (5.1), clean PSModulePath to avoid conflicts with PowerShell 7 modules
+    // When safe-chain is invoked from PowerShell 7, it sets its module paths to PSModulePath, causing
+    // Windows PowerShell to try loading incompatible PowerShell 7 modules.
+    // Setting the environment to Windows PowerShell's modules fixes this.
+    let spawnOptions;
+    if (shellExecutableName === "powershell") {
+      const userProfile = process.env.USERPROFILE || "";
+      const cleanPSModulePath = [
+        path.join(userProfile, "Documents", "WindowsPowerShell", "Modules"),
+        "C:\\Program Files\\WindowsPowerShell\\Modules",
+        "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules",
+      ].join(";");
+
+      spawnOptions = {
+        env: {
+          ...process.env,
+          PSModulePath: cleanPSModulePath,
+        },
+      };
+    } else {
+      spawnOptions = {};
+    }
+
+    const commandResult = await safeSpawn(
+      shellExecutableName,
+      ["-Command", "Get-ExecutionPolicy"],
+      spawnOptions,
+    );
+
+    const policy = commandResult.stdout.trim();
+
+    const acceptablePolicies = ["RemoteSigned", "Unrestricted", "Bypass"];
+    return {
+      isValid: acceptablePolicies.includes(policy),
+      policy: policy,
+    };
+  } catch (err) {
+    ui.writeWarning(
+      `An error happened while trying to find the current executionpolicy in powershell: ${err}`,
+    );
+    return { isValid: false, policy: "Unknown" };
+  }
+}

package/src/shell-integration/path-wrappers/templates/unix-wrapper.template.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+# Generated wrapper for {{PACKAGE_MANAGER}} by safe-chain
+# This wrapper intercepts {{PACKAGE_MANAGER}} calls for non-interactive environments
+
+# Function to remove shim from PATH (POSIX-compliant)
+remove_shim_from_path() {
+    _safe_chain_phys=$(CDPATH= cd -- "$(dirname -- "$0")" 2>/dev/null && pwd -P)
+    if [ -z "$_safe_chain_phys" ]; then
+        echo "$PATH"
+        return
+    fi
+    _path=$(echo "$PATH" | sed "s|${_safe_chain_phys}:||g")
+    # Also remove via dirname of $0 directly — on macOS /tmp is a symlink to /private/tmp,
+    # so pwd -P resolves to /private/tmp/… but PATH may still contain /tmp/….
+    _dir=$(dirname -- "$0")
+    case "$_dir" in
+        /*) [ "$_dir" != "$_safe_chain_phys" ] && _path=$(echo "$_path" | sed "s|${_dir}:||g") ;;
+    esac
+    echo "$_path"
+}
+
+if command -v safe-chain >/dev/null 2>&1; then
+  # Remove shim directory from PATH when calling {{AIKIDO_COMMAND}} to prevent infinite loops
+  PATH=$(remove_shim_from_path) exec safe-chain {{PACKAGE_MANAGER}} "$@"
+else
+  # safe-chain is not reachable — warn the user so they know protection is inactive
+  printf "\033[43;30mWarning:\033[0m safe-chain is not available to protect you from installing malware. {{PACKAGE_MANAGER}} will run without it.\n" >&2
+
+  # Dynamically find original {{PACKAGE_MANAGER}} (excluding this shim directory)
+  original_cmd=$(PATH=$(remove_shim_from_path) command -v {{PACKAGE_MANAGER}})
+  if [ -n "$original_cmd" ]; then
+    exec "$original_cmd" "$@"
+  else
+    echo "Error: Could not find original {{PACKAGE_MANAGER}}" >&2
+    exit 1
+  fi
+fi

package/src/shell-integration/path-wrappers/templates/windows-wrapper.template.cmd

@@ -0,0 +1,25 @@
+@echo off
+REM Generated wrapper for {{PACKAGE_MANAGER}} by safe-chain
+REM This wrapper intercepts {{PACKAGE_MANAGER}} calls for non-interactive environments
+
+REM Remove shim directory from PATH to prevent infinite loops
+set "SHIM_DIR=%~dp0"
+if "%SHIM_DIR:~-1%"=="\" set "SHIM_DIR=%SHIM_DIR:~0,-1%"
+call set "CLEAN_PATH=%%PATH:%SHIM_DIR%;=%%"
+
+REM Check if aikido command is available with clean PATH
+set "PATH=%CLEAN_PATH%" & where safe-chain >nul 2>&1
+if %errorlevel%==0 (
+    REM Call aikido command with clean PATH
+    set "PATH=%CLEAN_PATH%" & safe-chain {{PACKAGE_MANAGER}} %*
+) else (
+    REM Find the original command with clean PATH
+    for /f "tokens=*" %%i in ('set "PATH=%CLEAN_PATH%" ^& where {{PACKAGE_MANAGER}} 2^>nul') do (
+        "%%i" %*
+        goto :eof
+    )
+    
+    REM If we get here, original command was not found
+    echo Error: Could not find original {{PACKAGE_MANAGER}} >&2
+    exit /b 1
+)

package/src/shell-integration/setup-ci.js

@@ -0,0 +1,152 @@
+import chalk from "chalk";
+import { ui } from "../environment/userInteraction.js";
+import { getPackageManagerList, knownAikidoTools } from "./helpers.js";
+import {
+  getShimsDir,
+  getBinDir,
+  getPathWrapperTemplatePath,
+} from "../config/safeChainDir.js";
+import fs from "fs";
+import os from "os";
+import path from "path";
+
+/**
+ * Loops over the detected shells and calls the setup function for each.
+ */
+export async function setupCi() {
+  ui.writeInformation(
+    chalk.bold("Setting up shell aliases.") +
+      ` This will wrap safe-chain around ${getPackageManagerList()}.`
+  );
+  ui.emptyLine();
+
+  const shimsDir = getShimsDir();
+  const binDir = getBinDir();
+  // Create the shims directory if it doesn't exist
+  if (!fs.existsSync(shimsDir)) {
+    fs.mkdirSync(shimsDir, { recursive: true });
+  }
+
+  createShims(shimsDir);
+  ui.writeInformation(`Created shims in ${shimsDir}`);
+  modifyPathForCi(shimsDir, binDir);
+  ui.writeInformation(`Added shims directory to PATH for CI environments.`);
+}
+
+/**
+ * @param {string} shimsDir
+ *
+ * @returns {void}
+ */
+function createUnixShims(shimsDir) {
+  // Read the template file
+  const templatePath = getPathWrapperTemplatePath(import.meta.url, "unix-wrapper.template.sh");
+
+  if (!fs.existsSync(templatePath)) {
+    ui.writeError(`Template file not found: ${templatePath}`);
+    return;
+  }
+
+  const template = fs.readFileSync(templatePath, "utf-8");
+
+  // Create a shim for each tool
+  let created = 0;
+  for (const toolInfo of getToolsToSetup()) {
+    const shimContent = template
+      .replaceAll("{{PACKAGE_MANAGER}}", toolInfo.tool)
+      .replaceAll("{{AIKIDO_COMMAND}}", toolInfo.aikidoCommand);
+
+    const shimPath = path.join(shimsDir, toolInfo.tool);
+    fs.writeFileSync(shimPath, shimContent, "utf-8");
+
+    // Make the shim executable on Unix systems
+    fs.chmodSync(shimPath, 0o755);
+    created++;
+  }
+
+  ui.writeInformation(`Created ${created} Unix shim(s) in ${shimsDir}`);
+}
+
+/**
+ * @param {string} shimsDir
+ *
+ * @returns {void}
+ */
+function createWindowsShims(shimsDir) {
+  // Read the template file
+  const templatePath = getPathWrapperTemplatePath(import.meta.url, "windows-wrapper.template.cmd");
+
+  if (!fs.existsSync(templatePath)) {
+    ui.writeError(`Windows template file not found: ${templatePath}`);
+    return;
+  }
+
+  const template = fs.readFileSync(templatePath, "utf-8");
+
+  // Create a shim for each tool
+  let created = 0;
+  for (const toolInfo of getToolsToSetup()) {
+    const shimContent = template
+      .replaceAll("{{PACKAGE_MANAGER}}", toolInfo.tool)
+      .replaceAll("{{AIKIDO_COMMAND}}", toolInfo.aikidoCommand);
+
+    const shimPath = `${shimsDir}/${toolInfo.tool}.cmd`;
+    fs.writeFileSync(shimPath, shimContent, "utf-8");
+    created++;
+  }
+
+  ui.writeInformation(`Created ${created} Windows shim(s) in ${shimsDir}`);
+}
+
+/**
+ * @param {string} shimsDir
+ *
+ * @returns {void}
+ */
+function createShims(shimsDir) {
+  if (os.platform() === "win32") {
+    createWindowsShims(shimsDir);
+  } else {
+    createUnixShims(shimsDir);
+  }
+}
+
+/**
+ * @param {string} shimsDir
+ * @param {string} binDir
+ *
+ * @returns {void}
+ */
+function modifyPathForCi(shimsDir, binDir) {
+  if (process.env.GITHUB_PATH) {
+    // In GitHub Actions, append the shims directory to GITHUB_PATH
+    fs.appendFileSync(
+      process.env.GITHUB_PATH,
+      shimsDir + os.EOL + binDir + os.EOL,
+      "utf-8"
+    );
+    ui.writeInformation(
+      `Added shims directory to GITHUB_PATH for GitHub Actions.`
+    );
+  }
+
+  if (process.env.TF_BUILD) {
+    // In Azure Pipelines, prepending the path is done via a logging command:
+    //  ##vso[task.prependpath]/path/to/add
+    // Logging this to stdout will cause the Azure Pipelines agent to pick it up
+    ui.writeInformation("##vso[task.prependpath]" + shimsDir);
+    ui.writeInformation("##vso[task.prependpath]" + binDir);
+  }
+
+  if (process.env.BASH_ENV) {
+    // In CircleCI, persisting PATH across steps is done by appending shell exports
+    // to the file referenced by BASH_ENV. CircleCI sources this file for 'run' each step.
+    const exportLine = `export PATH="${shimsDir}:${binDir}:$PATH"` + os.EOL;
+    fs.appendFileSync(process.env.BASH_ENV, exportLine, "utf-8");
+    ui.writeInformation(`Added shims directory to BASH_ENV for CircleCI.`);
+  }
+}
+
+function getToolsToSetup() {
+  return knownAikidoTools;
+}