@aikidosec/safe-chain 0.0.1-immutable-releases-beta

package/src/registryProxy/tunnelRequestHandler.js

@@ -0,0 +1,213 @@
+import * as net from "net";
+import { ui } from "../environment/userInteraction.js";
+import { isImdsEndpoint } from "./isImdsEndpoint.js";
+import { getConnectTimeout } from "./getConnectTimeout.js";
+
+/** @type {string[]} */
+let timedoutImdsEndpoints = [];
+
+/**
+ * @param {import("http").IncomingMessage} req
+ * @param {import("http").ServerResponse} clientSocket
+ * @param {Buffer} head
+ *
+ * @returns {void}
+ */
+export function tunnelRequest(req, clientSocket, head) {
+  const httpsProxy = process.env.HTTPS_PROXY || process.env.https_proxy;
+
+  if (httpsProxy) {
+    // If an HTTPS proxy is set, tunnel the request via the proxy
+    // This is the system proxy, not the safe-chain proxy
+    // The package manager will run via the safe-chain proxy
+    // The safe-chain proxy will then send the request to the system proxy
+    // Typical flow: package manager -> safe-chain proxy -> system proxy -> destination
+
+    // There are 2 processes involved in this:
+    // 1. Safe-chain process: has HTTPS_PROXY set to system proxy
+    // 2. Package manager process: has HTTPS_PROXY set to safe-chain proxy
+
+    tunnelRequestViaProxy(req, clientSocket, head, httpsProxy);
+  } else {
+    tunnelRequestToDestination(req, clientSocket, head);
+  }
+}
+
+/**
+ * @param {import("http").IncomingMessage} req
+ * @param {import("http").ServerResponse} clientSocket
+ * @param {Buffer} head
+ *
+ * @returns {void}
+ */
+function tunnelRequestToDestination(req, clientSocket, head) {
+  const { port, hostname } = new URL(`http://${req.url}`);
+  const isImds = isImdsEndpoint(hostname);
+  const targetPort = Number.parseInt(port) || 443;
+
+  if (timedoutImdsEndpoints.includes(hostname)) {
+    clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+    if (isImds) {
+      ui.writeVerbose(
+        `Safe-chain: Closing connection because previously timedout connect to ${hostname}`
+      );
+    } else {
+      ui.writeError(
+        `Safe-chain: Closing connection because previously timedout connect to ${hostname}`
+      );
+    }
+    return;
+  }
+
+  const connectTimeout = getConnectTimeout(hostname);
+
+  // Use JS setTimeout for true connection timeout (not idle timeout).
+  // socket.setTimeout() measures inactivity, not time since connection attempt.
+  const connectTimer = setTimeout(() => {
+    if (isImds) {
+      timedoutImdsEndpoints.push(hostname);
+      ui.writeVerbose(
+        `Safe-chain: connect to ${hostname}:${targetPort} timed out after ${connectTimeout}ms`
+      );
+    } else {
+      ui.writeError(
+        `Safe-chain: connect to ${hostname}:${targetPort} timed out after ${connectTimeout}ms`
+      );
+    }
+    serverSocket.destroy();
+    if (clientSocket.writable) {
+      clientSocket.end("HTTP/1.1 504 Gateway Timeout\r\n\r\n");
+    }
+  }, connectTimeout);
+
+  const serverSocket = net.connect(targetPort, hostname, () => {
+    // Clear timer to prevent false timeout errors after successful connection
+    clearTimeout(connectTimer);
+
+    clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
+    serverSocket.write(head);
+    serverSocket.pipe(clientSocket);
+    clientSocket.pipe(serverSocket);
+  });
+
+  clientSocket.on("error", () => {
+    // This can happen if the client TCP socket sends RST instead of FIN.
+    // Not subscribing to 'error' event will cause node to throw and crash.
+    clearTimeout(connectTimer);
+    if (serverSocket.writable) {
+      serverSocket.end();
+    }
+  });
+
+  clientSocket.on("close", () => {
+    // Client closed connection - clean up server socket
+    clearTimeout(connectTimer);
+    if (serverSocket.writable) {
+      serverSocket.end();
+    }
+  });
+
+  serverSocket.on("error", (err) => {
+    clearTimeout(connectTimer);
+    if (isImds) {
+      ui.writeVerbose(
+        `Safe-chain: error connecting to ${hostname}:${targetPort} - ${err.message}`
+      );
+    } else {
+      ui.writeError(
+        `Safe-chain: error connecting to ${hostname}:${targetPort} - ${err.message}`
+      );
+    }
+    if (clientSocket.writable) {
+      clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+    }
+  });
+
+  serverSocket.on("close", () => {
+    // Server closed connection - clean up client socket
+    clearTimeout(connectTimer);
+    if (clientSocket.writable) {
+      clientSocket.end();
+    }
+  });
+}
+
+/**
+ * @param {import("http").IncomingMessage} req
+ * @param {import("http").ServerResponse} clientSocket
+ * @param {Buffer} head
+ * @param {string} proxyUrl
+ */
+function tunnelRequestViaProxy(req, clientSocket, head, proxyUrl) {
+  const { port, hostname } = new URL(`http://${req.url}`);
+  const proxy = new URL(proxyUrl);
+
+  // Connect to proxy server
+  const proxySocket = net.connect({
+    host: proxy.hostname,
+    port: Number.parseInt(proxy.port) || 80,
+  });
+
+  proxySocket.on("connect", () => {
+    // Send CONNECT request to proxy
+    const connectRequest = [
+      `CONNECT ${hostname}:${port || 443} HTTP/1.1`,
+      `Host: ${hostname}:${port || 443}`,
+      "",
+      "",
+    ].join("\r\n");
+
+    proxySocket.write(connectRequest);
+  });
+
+  let isConnected = false;
+  proxySocket.once("data", (data) => {
+    const response = data.toString();
+
+    // Check if CONNECT succeeded (HTTP/1.1 200)
+    if (response.startsWith("HTTP/1.1 200")) {
+      isConnected = true;
+      clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
+      proxySocket.write(head);
+      proxySocket.pipe(clientSocket);
+      clientSocket.pipe(proxySocket);
+    } else {
+      ui.writeError(
+        `Safe-chain: proxy CONNECT failed: ${response.split("\r\n")[0]}`
+      );
+      if (clientSocket.writable) {
+        clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+      }
+      if (proxySocket.writable) {
+        proxySocket.end();
+      }
+    }
+  });
+
+  proxySocket.on("error", (err) => {
+    if (!isConnected) {
+      ui.writeError(
+        `Safe-chain: error connecting to proxy ${proxy.hostname}:${
+          proxy.port || 8080
+        } - ${err.message}`
+      );
+      if (clientSocket.writable) {
+        clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+      }
+    } else {
+      ui.writeError(
+        `Safe-chain: proxy socket error after connection - ${err.message}`
+      );
+      if (clientSocket.writable) {
+        clientSocket.end();
+      }
+    }
+  });
+
+  clientSocket.on("error", () => {
+    if (proxySocket.writable) {
+      proxySocket.end();
+    }
+  });
+}
+

package/src/scanning/audit/index.js

@@ -0,0 +1,129 @@
+import { ui } from "../../environment/userInteraction.js";
+import {
+  MALWARE_STATUS_MALWARE,
+  openMalwareDatabase,
+} from "../malwareDatabase.js";
+
+/**
+ * @typedef {Object} PackageChange
+ * @property {string} name
+ * @property {string} version
+ * @property {string} type
+ */
+
+/**
+ * @typedef {Object} AuditResult
+ * @property {PackageChange[]} allowedChanges
+ * @property {(PackageChange & {reason: string})[]} disallowedChanges
+ * @property {boolean} isAllowed
+ */
+
+/**
+ * @typedef {Object} AuditStats
+ * @property {number} totalPackages
+ * @property {number} safePackages
+ * @property {number} malwarePackages
+ */
+
+/**
+ * @type AuditStats
+ */
+const auditStats = {
+  totalPackages: 0,
+  safePackages: 0,
+  malwarePackages: 0,
+};
+
+/**
+ * @returns {AuditStats}
+ */
+export function getAuditStats() {
+  return auditStats;
+}
+
+/**
+ *
+ * @param {string | undefined} name
+ * @param {string | undefined} version
+ * @returns {Promise<boolean>}
+ */
+export async function isMalwarePackage(name, version) {
+  if (!name || !version) {
+    return false;
+  }
+
+  const auditResult = await auditChanges([{ name, version, type: "add" }]);
+
+  return !auditResult.isAllowed;
+}
+
+/**
+ * @param {PackageChange[]} changes
+ *
+ * @returns {Promise<AuditResult>}
+ */
+export async function auditChanges(changes) {
+  const allowedChanges = [];
+  const disallowedChanges = [];
+
+  var malwarePackages = await getPackagesWithMalware(
+    changes.filter(
+      (change) => change.type === "add" || change.type === "change"
+    )
+  );
+
+  for (const change of changes) {
+    const malwarePackage = malwarePackages.find(
+      (pkg) => pkg.name === change.name && pkg.version === change.version
+    );
+
+    if (malwarePackage) {
+      auditStats.malwarePackages += 1;
+      ui.writeVerbose(
+        `Safe-chain: Package ${change.name}@${change.version} is marked as malware: ${malwarePackage.status}`
+      );
+      disallowedChanges.push({ ...change, reason: malwarePackage.status });
+    } else {
+      auditStats.safePackages += 1;
+      ui.writeVerbose(
+        `Safe-chain: Package ${change.name}@${change.version} is clean`
+      );
+      allowedChanges.push(change);
+    }
+
+    auditStats.totalPackages += 1;
+  }
+
+  const auditResults = {
+    allowedChanges,
+    disallowedChanges,
+    isAllowed: disallowedChanges.length === 0,
+  };
+
+  return auditResults;
+}
+
+/**
+ * @param {{name: string, version: string, type: string}[]} changes
+ * @returns {Promise<{name: string, version: string, status: string}[]>}
+ */
+async function getPackagesWithMalware(changes) {
+  if (changes.length === 0) {
+    return [];
+  }
+
+  const malwareDb = await openMalwareDatabase();
+  let allVulnerablePackages = [];
+
+  for (const change of changes) {
+    if (malwareDb.isMalware(change.name, change.version)) {
+      allVulnerablePackages.push({
+        name: change.name,
+        version: change.version,
+        status: MALWARE_STATUS_MALWARE,
+      });
+    }
+  }
+
+  return allVulnerablePackages;
+}

package/src/scanning/index.js

@@ -0,0 +1,82 @@
+import { auditChanges } from "./audit/index.js";
+import { getScanTimeout } from "../config/configFile.js";
+import { setTimeout } from "timers/promises";
+import chalk from "chalk";
+import { getPackageManager } from "../packagemanager/currentPackageManager.js";
+import { ui } from "../environment/userInteraction.js";
+
+/**
+ * @param {string[]} args
+ *
+ * @returns {boolean}
+ */
+export function shouldScanCommand(args) {
+  if (!args || args.length === 0) {
+    return false;
+  }
+
+  return getPackageManager().isSupportedCommand(args);
+}
+
+/**
+ * @param {string[]} args
+ *
+ * @returns {Promise<number>}
+ */
+export async function scanCommand(args) {
+  if (!shouldScanCommand(args)) {
+    return 0;
+  }
+
+  let timedOut = false;
+  /** @type {import("./audit/index.js").AuditResult | undefined} */
+  let audit;
+
+  await Promise.race([
+    (async () => {
+      const packageManager = getPackageManager();
+      const changes = await packageManager.getDependencyUpdatesForCommand(args);
+
+      if (timedOut) {
+        return;
+      }
+
+      audit = await auditChanges(changes);
+    })(),
+    setTimeout(getScanTimeout()).then(() => {
+      timedOut = true;
+    }),
+  ]);
+
+  if (timedOut) {
+    throw new Error("Timeout exceeded while scanning npm install command.");
+  }
+
+  if (!audit || audit.isAllowed) {
+    return 0;
+  } else {
+    printMaliciousChanges(audit.disallowedChanges);
+    onMalwareFound();
+    return 1;
+  }
+}
+
+/**
+ * @param {import("./audit/index.js").PackageChange[]} changes
+ * @return {void}
+ */
+function printMaliciousChanges(changes) {
+  ui.writeInformation(
+    chalk.red("✖") + " Safe-chain: " + chalk.bold("Malicious changes detected:")
+  );
+
+  for (const change of changes) {
+    ui.writeInformation(` - ${change.name}@${change.version}`);
+  }
+}
+
+function onMalwareFound() {
+  ui.emptyLine();
+  ui.writeExitWithoutInstallingMaliciousPackages();
+  ui.emptyLine();
+}

package/src/scanning/malwareDatabase.js

@@ -0,0 +1,131 @@
+import {
+  fetchMalwareDatabase,
+  fetchMalwareDatabaseVersion,
+} from "../api/aikido.js";
+import {
+  readDatabaseFromLocalCache,
+  writeDatabaseToLocalCache,
+} from "../config/configFile.js";
+import { ui } from "../environment/userInteraction.js";
+import { getEcoSystem, ECOSYSTEM_PY } from "../config/settings.js";
+
+/**
+ * @typedef {Object} MalwareDatabase
+ * @property {function(string, string): string} getPackageStatus
+ * @property {function(string, string): boolean} isMalware
+ */
+
+/** @type {MalwareDatabase | null} */
+let cachedMalwareDatabase = null;
+
+/**
+ * Normalize package name for comparison.
+ * For Python packages (PEP-503): lowercase and replace _, -, . with -
+ * For js packages: keep as-is (case-sensitive)
+ * @param {string} name
+ * @returns {string}
+ */
+function normalizePackageName(name) {
+  const ecosystem = getEcoSystem();
+  if (ecosystem === ECOSYSTEM_PY) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+  }
+
+  return name;
+}
+
+export async function openMalwareDatabase() {
+  if (cachedMalwareDatabase) {
+    return cachedMalwareDatabase;
+  }
+
+  const malwareDatabase = await getMalwareDatabase();
+
+  /**
+   * @param {string} name
+   * @param {string} version
+   * @returns {string}
+   */
+  function getPackageStatus(name, version) {
+    const normalizedName = normalizePackageName(name);
+    const packageData = malwareDatabase.find(
+      (pkg) => {
+        const normalizedPkgName = normalizePackageName(pkg.package_name);
+        return normalizedPkgName === normalizedName &&
+          (pkg.version === version || pkg.version === "*");
+      }
+    );
+
+    if (!packageData) {
+      return MALWARE_STATUS_OK;
+    }
+
+    return packageData.reason;
+  }
+
+  // This implicitly caches the malware database
+  //  that's closed over by the getPackageStatus function
+  cachedMalwareDatabase = {
+    getPackageStatus,
+    isMalware: (name, version) => {
+      const status = getPackageStatus(name, version);
+      return isMalwareStatus(status);
+    },
+  };
+  return cachedMalwareDatabase;
+}
+
+/**
+ * @returns {Promise<import("../api/aikido.js").MalwarePackage[]>}
+ */
+async function getMalwareDatabase() {
+  const { malwareDatabase: cachedDatabase, version: cachedVersion } =
+    readDatabaseFromLocalCache();
+
+  try {
+    if (cachedDatabase) {
+      const currentVersion = await fetchMalwareDatabaseVersion();
+      if (cachedVersion === currentVersion) {
+        return cachedDatabase;
+      }
+    }
+
+    const { malwareDatabase, version } = await fetchMalwareDatabase();
+
+    if (version) {
+      // Only cache the malware database when we have a version.
+      writeDatabaseToLocalCache(malwareDatabase, version);
+      return malwareDatabase;
+    } else {
+      // We received a valid malware database, but the response
+      // did not contain an etag header with the version
+      ui.writeWarning(
+        "The malware database was downloaded, but could not be cached due to a missing version."
+      );
+      return malwareDatabase;
+    }
+  } catch (/** @type any */ error) {
+    if (cachedDatabase) {
+      ui.writeWarning(
+        "Failed to fetch the latest malware database. Using cached version."
+      );
+      return cachedDatabase;
+    }
+    throw error;
+  }
+}
+
+/**
+ * @param {string} status
+ *
+ * @returns {boolean}
+ */
+function isMalwareStatus(status) {
+  let malwareStatus = status.toUpperCase();
+  return malwareStatus === MALWARE_STATUS_MALWARE;
+}
+
+export const MALWARE_STATUS_OK = "OK";
+export const MALWARE_STATUS_MALWARE = "MALWARE";
+export const MALWARE_STATUS_TELEMETRY = "TELEMETRY";
+export const MALWARE_STATUS_PROTESTWARE = "PROTESTWARE";

package/src/scanning/newPackagesDatabaseBuilder.js

@@ -0,0 +1,71 @@
+import {
+  getMinimumPackageAgeHours,
+  getEcoSystem,
+  ECOSYSTEM_JS,
+  ECOSYSTEM_PY,
+} from "../config/settings.js";
+import { getEquivalentPackageNames } from "./packageNameVariants.js";
+
+/**
+ * @typedef {Object} NewPackagesDatabase
+ * @property {function(string | undefined, string | undefined): boolean} isNewlyReleasedPackage
+ */
+
+/**
+ * Returns the ecosystem identifier expected in upstream/core release feeds.
+ * @returns {string}
+ */
+function getCurrentFeedSource() {
+  const ecosystem = getEcoSystem();
+
+  if (ecosystem === ECOSYSTEM_JS) {
+    return "npm";
+  }
+
+  if (ecosystem === ECOSYSTEM_PY) {
+    return "pypi";
+  }
+
+  return ecosystem;
+}
+
+/**
+ * @param {import("../api/aikido.js").NewPackageEntry[]} newPackagesList
+ * @returns {NewPackagesDatabase}
+ */
+export function buildNewPackagesDatabase(newPackagesList) {
+  const ecosystem = getEcoSystem();
+
+  /**
+   * @param {string | undefined} name
+   * @param {string | undefined} version
+   * @returns {boolean}
+   */
+  function isNewlyReleasedPackage(name, version) {
+    if (!name || !version) {
+      return false;
+    }
+
+    const cutOff = new Date(
+      new Date().getTime() - getMinimumPackageAgeHours() * 3600 * 1000
+    );
+    const expectedSource = getCurrentFeedSource();
+    const candidateNames = getEquivalentPackageNames(name, ecosystem);
+
+    const entry = newPackagesList.find(
+      (pkg) =>
+        (!pkg.source || pkg.source.toLowerCase() === expectedSource) &&
+        candidateNames.includes(pkg.package_name) &&
+        pkg.version === version
+    );
+
+    if (!entry) {
+      return false;
+    }
+
+    const releasedOn = new Date(entry.released_on * 1000);
+    return releasedOn > cutOff;
+  }
+
+  return { isNewlyReleasedPackage };
+}

package/src/scanning/newPackagesDatabaseWarnings.js

@@ -0,0 +1,17 @@
+import { ui } from "../environment/userInteraction.js";
+
+let hasWarnedAboutUnavailableNewPackagesDatabase = false;
+
+/** @param {Error} error */
+export function warnOnceAboutUnavailableDatabase(error) {
+  if (!hasWarnedAboutUnavailableNewPackagesDatabase) {
+    ui.writeWarning(
+      `Failed to load the new packages list used for direct package download request blocking. Continuing with metadata-based minimum age checks only. ${error.message}`
+    );
+    hasWarnedAboutUnavailableNewPackagesDatabase = true;
+  }
+}
+
+export function resetWarningState() {
+  hasWarnedAboutUnavailableNewPackagesDatabase = false;
+}