@aikidosec/safe-chain 0.0.1-custom-install-dir

package/src/environment/userInteraction.js

@@ -0,0 +1,122 @@
+// oxlint-disable no-console
+import chalk from "chalk";
+import { isCi } from "./environment.js";
+import {
+  getLoggingLevel,
+  LOGGING_SILENT,
+  LOGGING_VERBOSE,
+} from "../config/settings.js";
+
+/**
+ * @type {{ bufferOutput: boolean, bufferedMessages:(() => void)[]}}
+ */
+const state = {
+  bufferOutput: false,
+  bufferedMessages: [],
+};
+
+function isSilentMode() {
+  return getLoggingLevel() === LOGGING_SILENT;
+}
+
+function isVerboseMode() {
+  return getLoggingLevel() === LOGGING_VERBOSE;
+}
+
+function emptyLine() {
+  if (isSilentMode()) return;
+
+  writeInformation("");
+}
+
+/**
+ * @param {string} message
+ * @param {...any} optionalParams
+ * @returns {void}
+ */
+function writeInformation(message, ...optionalParams) {
+  if (isSilentMode()) return;
+
+  writeOrBuffer(() => console.log(message, ...optionalParams));
+}
+
+/**
+ * @param {string} message
+ * @param {...any} optionalParams
+ * @returns {void}
+ */
+function writeWarning(message, ...optionalParams) {
+  if (isSilentMode()) return;
+
+  if (!isCi()) {
+    message = chalk.yellow(message);
+  }
+  writeOrBuffer(() => console.warn(message, ...optionalParams));
+}
+
+/**
+ * @param {string} message
+ * @param {...any} optionalParams
+ * @returns {void}
+ */
+function writeError(message, ...optionalParams) {
+  if (!isCi()) {
+    message = chalk.red(message);
+  }
+  writeOrBuffer(() => console.error(message, ...optionalParams));
+}
+
+function writeExitWithoutInstallingMaliciousPackages() {
+  let message = "Safe-chain: Exiting without installing malicious packages.";
+  if (!isCi()) {
+    message = chalk.red(message);
+  }
+  writeOrBuffer(() => console.error(message));
+}
+
+/**
+ * @param {string} message
+ * @param {...any} optionalParams
+ * @returns {void}
+ */
+function writeVerbose(message, ...optionalParams) {
+  if (!isVerboseMode()) return;
+
+  writeOrBuffer(() => console.log(message, ...optionalParams));
+}
+
+/**
+ *
+ * @param {() => void} messageFunction
+ */
+function writeOrBuffer(messageFunction) {
+  if (state.bufferOutput) {
+    state.bufferedMessages.push(messageFunction);
+  } else {
+    messageFunction();
+  }
+}
+
+function startBufferingLogs() {
+  state.bufferOutput = true;
+  state.bufferedMessages = [];
+}
+
+function writeBufferedLogsAndStopBuffering() {
+  state.bufferOutput = false;
+  for (const log of state.bufferedMessages) {
+    log();
+  }
+  state.bufferedMessages = [];
+}
+
+export const ui = {
+  writeVerbose,
+  writeInformation,
+  writeWarning,
+  writeError,
+  writeExitWithoutInstallingMaliciousPackages,
+  emptyLine,
+  startBufferingLogs,
+  writeBufferedLogsAndStopBuffering,
+};

package/src/installLocation.js

@@ -0,0 +1,42 @@
+import path from "path";
+
+/** @type {NodeJS.Process & { pkg?: unknown }} */
+const processWithPkg = process;
+
+/**
+ * @param {string} executablePath
+ * @returns {string | undefined}
+ */
+export function deriveInstallDirFromExecutablePath(executablePath) {
+  if (!executablePath) {
+    return undefined;
+  }
+
+  const pathLibrary = executablePath.includes("\\") ? path.win32 : path.posix;
+  const executableDir = pathLibrary.dirname(executablePath);
+  if (pathLibrary.basename(executableDir) !== "bin") {
+    return undefined;
+  }
+
+  return pathLibrary.dirname(executableDir);
+}
+
+/**
+ * Returns the install directory for a packaged safe-chain binary.
+ * Custom installation directories only apply to packaged binary installs.
+ * For npm/global/dev-script executions this intentionally returns undefined,
+ * which causes callers to fall back to the default ~/.safe-chain layout.
+ *
+ * @param {{ isPackaged?: boolean, executablePath?: string }} [options]
+ * @returns {string | undefined}
+ */
+export function getInstalledSafeChainDir(options = {}) {
+  const isPackaged = options.isPackaged ?? Boolean(processWithPkg.pkg);
+  if (!isPackaged) {
+    return undefined;
+  }
+
+  return deriveInstallDirFromExecutablePath(
+    options.executablePath ?? process.execPath,
+  );
+}

package/src/main.js

@@ -0,0 +1,123 @@
+#!/usr/bin/env node
+
+import { scanCommand, shouldScanCommand } from "./scanning/index.js";
+import { ui } from "./environment/userInteraction.js";
+import { getPackageManager } from "./packagemanager/currentPackageManager.js";
+import { initializeCliArguments } from "./config/cliArguments.js";
+import { createSafeChainProxy } from "./registryProxy/registryProxy.js";
+import chalk from "chalk";
+import { getAuditStats } from "./scanning/audit/index.js";
+
+/**
+ * @param {string[]} args
+ * @returns {Promise<number>}
+ */
+export async function main(args) {
+  if (isSafeChainVerify(args)) {
+    return 0;
+  }
+
+  process.on("SIGINT", handleProcessTermination);
+  process.on("SIGTERM", handleProcessTermination);
+
+  const proxy = createSafeChainProxy();
+  await proxy.startServer();
+
+  // Global error handlers to log unhandled errors
+  process.on("uncaughtException", (error) => {
+    ui.writeError(`Safe-chain: Uncaught exception: ${error.message}`);
+    ui.writeVerbose(`Stack trace: ${error.stack}`);
+    ui.writeBufferedLogsAndStopBuffering();
+    process.exit(1);
+  });
+
+  process.on("unhandledRejection", (reason) => {
+    ui.writeError(`Safe-chain: Unhandled promise rejection: ${reason}`);
+    if (reason instanceof Error) {
+      ui.writeVerbose(`Stack trace: ${reason.stack}`);
+    }
+    ui.writeBufferedLogsAndStopBuffering();
+    process.exit(1);
+  });
+
+  try {
+    // This parses all the --safe-chain arguments and removes them from the args array
+    args = initializeCliArguments(args);
+
+    if (shouldScanCommand(args)) {
+      const commandScanResult = await scanCommand(args);
+
+      // Returning the exit code back to the caller allows the promise
+      //  to be awaited in the bin files and return the correct exit code
+      if (commandScanResult !== 0) {
+        return commandScanResult;
+      }
+    }
+
+    // Buffer logs during package manager execution, this avoids interleaving
+    //  of logs from the package manager and safe-chain
+    // Not doing this could cause bugs to disappear when cursor movement codes
+    //  are written by the package manager while safe-chain is writing logs
+    ui.startBufferingLogs();
+    const packageManagerResult = await getPackageManager().runCommand(args);
+
+    // Write all buffered logs
+    ui.writeBufferedLogsAndStopBuffering();
+
+    if (proxy.hasBlockedMaliciousPackages()) {
+      return 1;
+    }
+
+    if (proxy.hasBlockedMinimumAgeRequests()) {
+      return 1;
+    }
+
+    const auditStats = getAuditStats();
+    if (auditStats.totalPackages > 0) {
+      ui.writeVerbose(
+        `${chalk.green("✔")} Safe-chain: Scanned ${
+          auditStats.totalPackages
+        } packages, no malware found.`,
+      );
+    }
+
+    if (proxy.hasSuppressedVersions()) {
+      ui.writeInformation(
+        `${chalk.yellow(
+          "ℹ",
+        )} Safe-chain: Some package versions were suppressed during package metadata resolution due to minimum package age.`,
+      );
+      ui.writeInformation(
+        `  To disable this check, use: ${chalk.cyan(
+          "--safe-chain-skip-minimum-package-age",
+        )}`,
+      );
+    }
+
+    // Returning the exit code back to the caller allows the promise
+    //  to be awaited in the bin files and return the correct exit code
+    return packageManagerResult.status;
+  } catch (/** @type any */ error) {
+    ui.writeError("Failed to check for malicious packages:", error.message);
+    ui.writeBufferedLogsAndStopBuffering();
+
+    // Returning the exit code back to the caller allows the promise
+    //  to be awaited in the bin files and return the correct exit code
+    return 1;
+  } finally {
+    await proxy.stopServer();
+  }
+}
+
+function handleProcessTermination() {
+  ui.writeBufferedLogsAndStopBuffering();
+}
+
+/** @param {string[]} args  */
+function isSafeChainVerify(args) {
+  const safeChainCheckCommand = "safe-chain-verify";
+  if (args.length > 0 && args[0] === safeChainCheckCommand) {
+    ui.writeInformation("OK: Safe-chain works!");
+    return true;
+  }
+}

package/src/packagemanager/_shared/commandErrors.js

@@ -0,0 +1,17 @@
+import { ui } from "../../environment/userInteraction.js";
+
+/**
+ * Centralized logging for package-manager command launch failures.
+ *
+ * @param {any} error - Error thrown by safeSpawn while preparing/running the command.
+ * @param {string} command - Command name that failed to execute.
+ * @returns {{status: number}}
+ */
+export function reportCommandExecutionFailure(error, command) {
+  const message = typeof error?.message === "string" ? error.message : "Unknown error";
+  ui.writeError(`Error executing command: ${message}`);
+
+  ui.writeError(`Is '${command}' installed and available on your system?`);
+
+  return { status: typeof error?.status === "number" ? error.status : 1 };
+}

package/src/packagemanager/_shared/matchesCommand.js

@@ -0,0 +1,18 @@
+/**
+ * @param {string[]} args
+ * @param {...string} commandArgs
+ * @returns {boolean}
+ */
+export function matchesCommand(args, ...commandArgs) {
+  if (args.length < commandArgs.length) {
+    return false;
+  }
+
+  for (var i = 0; i < commandArgs.length; i++) {
+    if (args[i].toLowerCase() !== commandArgs[i].toLowerCase()) {
+      return false;
+    }
+  }
+
+  return true;
+}

package/src/packagemanager/bun/createBunPackageManager.js

@@ -0,0 +1,48 @@
+import { safeSpawn } from "../../utils/safeSpawn.js";
+import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+import { reportCommandExecutionFailure } from "../_shared/commandErrors.js";
+
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createBunPackageManager() {
+  return {
+    runCommand: (args) => runBunCommand("bun", args),
+
+    // For bun, we use the proxy-only approach to block package downloads,
+    // so we don't need to analyze commands.
+    isSupportedCommand: () => false,
+    getDependencyUpdatesForCommand: () => [],
+  };
+}
+
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createBunxPackageManager() {
+  return {
+    runCommand: (args) => runBunCommand("bunx", args),
+
+    // For bunx, we use the proxy-only approach to block package downloads,
+    // so we don't need to analyze commands.
+    isSupportedCommand: () => false,
+    getDependencyUpdatesForCommand: () => [],
+  };
+}
+
+/**
+ * @param {string} command
+ * @param {string[]} args
+ * @returns {Promise<{status: number}>}
+ */
+async function runBunCommand(command, args) {
+  try {
+    const result = await safeSpawn(command, args, {
+      stdio: "inherit",
+      env: mergeSafeChainProxyEnvironmentVariables(process.env),
+    });
+    return { status: result.status };
+  } catch (/** @type any */ error) {
+    return reportCommandExecutionFailure(error, command);
+  }
+}

package/src/packagemanager/currentPackageManager.js

@@ -0,0 +1,82 @@
+import {
+  createBunPackageManager,
+  createBunxPackageManager,
+} from "./bun/createBunPackageManager.js";
+import { createNpmPackageManager } from "./npm/createPackageManager.js";
+import { createNpxPackageManager } from "./npx/createPackageManager.js";
+import {
+  createPnpmPackageManager,
+  createPnpxPackageManager,
+} from "./pnpm/createPackageManager.js";
+import { createYarnPackageManager } from "./yarn/createPackageManager.js";
+import { createPipPackageManager } from "./pip/createPackageManager.js";
+import { createUvPackageManager } from "./uv/createUvPackageManager.js";
+import { createPoetryPackageManager } from "./poetry/createPoetryPackageManager.js";
+import { createPipXPackageManager } from "./pipx/createPipXPackageManager.js";
+import { createUvxPackageManager } from "./uvx/createUvxPackageManager.js";
+
+/**
+ * @type {{packageManagerName: PackageManager | null}}
+ */
+const state = {
+  packageManagerName: null,
+};
+
+/**
+ * @typedef {Object} GetDependencyUpdatesResult
+ * @property {string} name
+ * @property {string} version
+ * @property {string} type
+ */
+
+/**
+ * @typedef {Object} PackageManager
+ * @property {(args: string[]) => Promise<{ status: number }>} runCommand
+ * @property {(args: string[]) => boolean} isSupportedCommand
+ * @property {(args: string[]) => Promise<GetDependencyUpdatesResult[]> | GetDependencyUpdatesResult[]} getDependencyUpdatesForCommand
+ */
+
+/**
+ * @param {string} packageManagerName
+ * @param {{ tool: string, args: string[] }} [context] - Optional tool context for package managers like pip
+ *
+ * @return {PackageManager}
+ */
+export function initializePackageManager(packageManagerName, context) {
+  if (packageManagerName === "npm") {
+    state.packageManagerName = createNpmPackageManager();
+  } else if (packageManagerName === "npx") {
+    state.packageManagerName = createNpxPackageManager();
+  } else if (packageManagerName === "yarn") {
+    state.packageManagerName = createYarnPackageManager();
+  } else if (packageManagerName === "pnpm") {
+    state.packageManagerName = createPnpmPackageManager();
+  } else if (packageManagerName === "pnpx") {
+    state.packageManagerName = createPnpxPackageManager();
+  } else if (packageManagerName === "bun") {
+    state.packageManagerName = createBunPackageManager();
+  } else if (packageManagerName === "bunx") {
+    state.packageManagerName = createBunxPackageManager();
+  } else if (packageManagerName === "pip") {
+    state.packageManagerName = createPipPackageManager(context);
+  } else if (packageManagerName === "uv") {
+    state.packageManagerName = createUvPackageManager();
+  } else if (packageManagerName === "uvx") {
+    state.packageManagerName = createUvxPackageManager();
+  } else if (packageManagerName === "poetry") {
+    state.packageManagerName = createPoetryPackageManager();
+  } else if (packageManagerName === "pipx") {
+    state.packageManagerName = createPipXPackageManager();
+  } else {
+    throw new Error("Unsupported package manager: " + packageManagerName);
+  }
+
+  return state.packageManagerName;
+}
+
+export function getPackageManager() {
+  if (!state.packageManagerName) {
+    throw new Error("Package manager not initialized.");
+  }
+  return state.packageManagerName;
+}

package/src/packagemanager/npm/createPackageManager.js

@@ -0,0 +1,72 @@
+import { commandArgumentScanner } from "./dependencyScanner/commandArgumentScanner.js";
+import { nullScanner } from "./dependencyScanner/nullScanner.js";
+import { runNpm } from "./runNpmCommand.js";
+import {
+  getNpmCommandForArgs,
+  npmInstallCommand,
+  npmUpdateCommand,
+  npmExecCommand,
+} from "./utils/npmCommands.js";
+
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createNpmPackageManager() {
+  /**
+   * @param {string[]} args
+   *
+   * @returns {boolean}
+   */
+  function isSupportedCommand(args) {
+    const scanner = findDependencyScannerForCommand(
+      commandScannerMapping,
+      args
+    );
+    return scanner.shouldScan(args);
+  }
+
+  /**
+   * @param {string[]} args
+   *
+   * @returns {ReturnType<import("../currentPackageManager.js").PackageManager["getDependencyUpdatesForCommand"]>}
+   */
+  function getDependencyUpdatesForCommand(args) {
+    const scanner = findDependencyScannerForCommand(
+      commandScannerMapping,
+      args
+    );
+    return scanner.scan(args);
+  }
+
+  return {
+    runCommand: runNpm,
+    isSupportedCommand,
+    getDependencyUpdatesForCommand,
+  };
+}
+
+/**
+ * @type {Record<string, import("./dependencyScanner/commandArgumentScanner.js").CommandArgumentScanner>}
+ */
+const commandScannerMapping = {
+  [npmInstallCommand]: commandArgumentScanner(),
+  [npmUpdateCommand]: commandArgumentScanner(),
+  [npmExecCommand]: commandArgumentScanner({ ignoreDryRun: true }), // exec command doesn't support dry-run
+};
+
+/**
+ *
+ * @param {Record<string, import("./dependencyScanner/commandArgumentScanner.js").CommandArgumentScanner>} scanners
+ * @param {string[]} args
+ *
+ * @returns {import("./dependencyScanner/commandArgumentScanner.js").CommandArgumentScanner}
+ */
+function findDependencyScannerForCommand(scanners, args) {
+  const command = getNpmCommandForArgs(args);
+  if (!command) {
+    return nullScanner();
+  }
+
+  const scanner = scanners[command];
+  return scanner ? scanner : nullScanner();
+}

package/src/packagemanager/npm/dependencyScanner/commandArgumentScanner.js

@@ -0,0 +1,74 @@
+import { resolvePackageVersion } from "../../../api/npmApi.js";
+import { parsePackagesFromInstallArgs } from "../parsing/parsePackagesFromInstallArgs.js";
+import { hasDryRunArg } from "../utils/npmCommands.js";
+
+/**
+ * @typedef {Object} ScanResult
+ * @property {string} name
+ * @property {string} version
+ * @property {string} type
+ */
+
+/**
+ * @typedef {Object} ScannerOptions
+ * @property {boolean} [ignoreDryRun]
+ */
+
+/**
+ * @typedef {Object} CommandArgumentScanner
+ * @property {(args: string[]) => Promise<ScanResult[]> | ScanResult[]} scan
+ * @property {(args: string[]) => boolean} shouldScan
+ */
+
+/**
+ * @param {ScannerOptions} [opts]
+ *
+ * @returns {CommandArgumentScanner}
+ */
+export function commandArgumentScanner(opts) {
+  const ignoreDryRun = opts?.ignoreDryRun ?? false;
+
+  return {
+    scan: (args) => scanDependencies(args),
+    shouldScan: (args) => shouldScanDependencies(args, ignoreDryRun),
+  };
+}
+
+/**
+ * @param {string[]} args
+ * @returns {Promise<ScanResult[]>}
+ */
+function scanDependencies(args) {
+  return checkChangesFromArgs(args);
+}
+
+/**
+ * @param {string[]} args
+ * @param {boolean} ignoreDryRun
+ * @returns {boolean}
+ */
+function shouldScanDependencies(args, ignoreDryRun) {
+  return ignoreDryRun || !hasDryRunArg(args);
+}
+
+/**
+ * @param {string[]} args
+ * @returns {Promise<ScanResult[]>}
+ */
+export async function checkChangesFromArgs(args) {
+  const changes = [];
+  const packageUpdates = parsePackagesFromInstallArgs(args);
+
+  for (const packageUpdate of packageUpdates) {
+    var exactVersion = await resolvePackageVersion(
+      packageUpdate.name,
+      packageUpdate.version
+    );
+    if (exactVersion) {
+      packageUpdate.version = exactVersion;
+    }
+
+    changes.push({ ...packageUpdate, type: "add" });
+  }
+  return changes;
+}

package/src/packagemanager/npm/dependencyScanner/nullScanner.js

@@ -0,0 +1,9 @@
+/**
+ * @returns {import("./commandArgumentScanner.js").CommandArgumentScanner}
+ */
+export function nullScanner() {
+  return {
+    scan: () => [],
+    shouldScan: () => false,
+  };
+}