@aikidosec/safe-chain 0.0.1-immutable-releases-beta

package/package.json

@@ -0,0 +1,72 @@
+{
+  "name": "@aikidosec/safe-chain",
+  "version": "0.0.1-immutable-releases-beta",
+  "scripts": {
+    "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
+    "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",
+    "lint": "oxlint --deny-warnings",
+    "typecheck": "tsc --noEmit"
+  },
+  "bin": {
+    "aikido-npm": "bin/aikido-npm.js",
+    "aikido-npx": "bin/aikido-npx.js",
+    "aikido-yarn": "bin/aikido-yarn.js",
+    "aikido-pnpm": "bin/aikido-pnpm.js",
+    "aikido-pnpx": "bin/aikido-pnpx.js",
+    "aikido-bun": "bin/aikido-bun.js",
+    "aikido-bunx": "bin/aikido-bunx.js",
+    "aikido-uv": "bin/aikido-uv.js",
+    "aikido-pip": "bin/aikido-pip.js",
+    "aikido-pip3": "bin/aikido-pip3.js",
+    "aikido-python": "bin/aikido-python.js",
+    "aikido-python3": "bin/aikido-python3.js",
+    "aikido-poetry": "bin/aikido-poetry.js",
+    "aikido-pipx": "bin/aikido-pipx.js",
+    "safe-chain": "bin/safe-chain.js"
+  },
+  "type": "module",
+  "exports": {
+    ".": {
+      "default": "./src/main.js"
+    },
+    "./scanning": {
+      "default": "./src/scanning/audit/index.js"
+    }
+  },
+  "keywords": [],
+  "author": "Aikido Security",
+  "license": "AGPL-3.0-or-later",
+  "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), [pnpx](https://pnpm.io/cli/dlx), [bun](https://bun.sh/), [bunx](https://bun.sh/docs/cli/bunx), [uv](https://docs.astral.sh/uv/) (Python), and [pip](https://pip.pypa.io/) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, pnpx, bun, bunx, uv, or pip/pip3 from downloading or running the malware.",
+  "dependencies": {
+    "archiver": "^7.0.1",
+    "certifi": "14.5.15",
+    "chalk": "5.4.1",
+    "https-proxy-agent": "7.0.6",
+    "ini": "6.0.0",
+    "make-fetch-happen": "15.0.3",
+    "node-forge": "1.3.2",
+    "npm-registry-fetch": "19.1.1",
+    "semver": "7.7.2"
+  },
+  "devDependencies": {
+    "@types/archiver": "^7.0.0",
+    "@types/ini": "^4.1.1",
+    "@types/make-fetch-happen": "^10.0.4",
+    "@types/node": "^18.19.130",
+    "@types/node-forge": "^1.3.14",
+    "@types/npm-registry-fetch": "^8.0.9",
+    "@types/semver": "^7.7.1",
+    "esbuild": "^0.27.0",
+    "typescript": "^5.9.3"
+  },
+  "main": "src/main.js",
+  "bugs": {
+    "url": "https://github.com/AikidoSec/safe-chain/issues"
+  },
+  "homepage": "https://github.com/AikidoSec/safe-chain#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/AikidoSec/safe-chain.git",
+    "directory": "packages/safe-chain"
+  }
+}

package/src/api/aikido.js

@@ -0,0 +1,187 @@
+import fetch from "make-fetch-happen";
+import {
+  getEcoSystem,
+  ECOSYSTEM_JS,
+  ECOSYSTEM_PY,
+  getMalwareListBaseUrl,
+} from "../config/settings.js";
+import { ui } from "../environment/userInteraction.js";
+
+const malwareDatabasePaths = {
+  [ECOSYSTEM_JS]: "malware_predictions.json",
+  [ECOSYSTEM_PY]: "malware_pypi.json",
+};
+
+const newPackagesListPaths = {
+  [ECOSYSTEM_JS]: "releases/npm.json",
+  [ECOSYSTEM_PY]: "releases/pypi.json",
+};
+
+const DEFAULT_FETCH_RETRY_ATTEMPTS = 4;
+
+/**
+ * @typedef {Object} MalwarePackage
+ * @property {string} package_name
+ * @property {string} version
+ * @property {string} reason
+ */
+
+/**
+ * @typedef {Object} NewPackageEntry
+ * @property {string} [source]
+ * @property {string} package_name
+ * @property {string} version
+ * @property {number} released_on  - Unix timestamp (seconds)
+ * @property {number} scraped_on   - Unix timestamp (seconds)
+ */
+
+/**
+ * @returns {Promise<{malwareDatabase: MalwarePackage[], version: string | undefined}>}
+ */
+export async function fetchMalwareDatabase() {
+  return retry(async () => {
+    const ecosystem = getEcoSystem();
+    const baseUrl = getMalwareListBaseUrl();
+    const path = malwareDatabasePaths[
+      /** @type {keyof typeof malwareDatabasePaths} */ (ecosystem)
+    ];
+    const malwareDatabaseUrl = `${baseUrl}/${path}`;
+    const response = await fetch(malwareDatabaseUrl);
+    if (!response.ok) {
+      throw new Error(
+        `Error fetching ${ecosystem} malware database: ${response.statusText}`
+      );
+    }
+
+    try {
+      let malwareDatabase = await response.json();
+      return {
+        malwareDatabase: malwareDatabase,
+        version: response.headers.get("etag") || undefined,
+      };
+    } catch (/** @type {any} */ error) {
+      throw new Error(`Error parsing malware database: ${error.message}`);
+    }
+  }, DEFAULT_FETCH_RETRY_ATTEMPTS);
+}
+
+/**
+ * @returns {Promise<string | undefined>}
+ */
+export async function fetchMalwareDatabaseVersion() {
+  return retry(async () => {
+    const ecosystem = getEcoSystem();
+    const baseUrl = getMalwareListBaseUrl();
+    const path = malwareDatabasePaths[
+      /** @type {keyof typeof malwareDatabasePaths} */ (ecosystem)
+    ];
+    const malwareDatabaseUrl = `${baseUrl}/${path}`;
+    const response = await fetch(malwareDatabaseUrl, {
+      method: "HEAD",
+    });
+
+    if (!response.ok) {
+      throw new Error(
+        `Error fetching ${ecosystem} malware database version: ${response.statusText}`
+      );
+    }
+    return response.headers.get("etag") || undefined;
+  }, DEFAULT_FETCH_RETRY_ATTEMPTS);
+}
+
+/**
+ * @returns {Promise<{newPackagesList: NewPackageEntry[], version: string | undefined}>}
+ */
+export async function fetchNewPackagesList() {
+  return retry(async () => {
+    const ecosystem = getEcoSystem();
+    const baseUrl = getMalwareListBaseUrl();
+    const path = newPackagesListPaths[/** @type {keyof typeof newPackagesListPaths} */ (ecosystem)];
+
+    if (!path) {
+      return { newPackagesList: [], version: undefined };
+    }
+
+    const url = `${baseUrl}/${path}`;
+
+    const response = await fetch(url);
+    if (!response.ok) {
+      throw new Error(
+        `Error fetching ${ecosystem} new packages list: ${response.statusText}`
+      );
+    }
+
+    try {
+      const newPackagesList = await response.json();
+      return {
+        newPackagesList,
+        version: response.headers.get("etag") || undefined,
+      };
+    } catch (/** @type {any} */ error) {
+      throw new Error(`Error parsing new packages list: ${error.message}`);
+    }
+  }, DEFAULT_FETCH_RETRY_ATTEMPTS);
+}
+
+/**
+ * @returns {Promise<string | undefined>}
+ */
+export async function fetchNewPackagesListVersion() {
+  return retry(async () => {
+    const ecosystem = getEcoSystem();
+    const baseUrl = getMalwareListBaseUrl();
+    const path = newPackagesListPaths[/** @type {keyof typeof newPackagesListPaths} */ (ecosystem)];
+
+    if (!path) {
+      return undefined;
+    }
+
+    const url = `${baseUrl}/${path}`;
+
+    const response = await fetch(url, { method: "HEAD" });
+    if (!response.ok) {
+      throw new Error(
+        `Error fetching ${ecosystem} new packages list version: ${response.statusText}`
+      );
+    }
+
+    return response.headers.get("etag") || undefined;
+  }, DEFAULT_FETCH_RETRY_ATTEMPTS);
+}
+
+/**
+ * Retries an asynchronous function multiple times until it succeeds or exhausts all attempts.
+ *
+ * @template T
+ * @param {() => Promise<T>} func - The asynchronous function to retry
+ * @param {number} attempts - The number of attempts
+ * @returns {Promise<T>} The return value of the function if successful
+ * @throws {Error} The last error encountered if all retry attempts fail
+ */
+async function retry(func, attempts) {
+  let lastError;
+
+  for (let i = 0; i < attempts; i++) {
+    try {
+      return await func();
+    } catch (error) {
+      ui.writeVerbose(
+        "An error occurred while trying to download Aikido data",
+        error
+      );
+      lastError = error;
+    }
+
+    if (i < attempts - 1) {
+      // When this is not the last try, back-off exponentially:
+      //  1st attempt - 500ms delay
+      //  2nd attempt - 1000ms delay
+      //  3rd attempt - 2000ms delay
+      //  4th attempt - 4000ms delay
+      //  ...
+      await new Promise((resolve) => setTimeout(resolve, Math.pow(2, i) * 500));
+    }
+  }
+
+  throw lastError;
+}

package/src/api/npmApi.js

@@ -0,0 +1,71 @@
+import * as semver from "semver";
+import * as npmFetch from "npm-registry-fetch";
+
+/**
+ * @param {string} packageName
+ * @param {string | null} [versionRange]
+ * @returns {Promise<string | null>}
+ */
+export async function resolvePackageVersion(packageName, versionRange) {
+  if (!versionRange) {
+    versionRange = "latest";
+  }
+
+  if (semver.valid(versionRange)) {
+    // The version is a fixed version, no need to resolve
+    return versionRange;
+  }
+
+  const packageInfo = (
+    /** @type {{"dist-tags"?: Record<string, string>, versions?: Record<string, unknown>} | null} */
+    await getPackageInfo(packageName)
+  );
+  if (!packageInfo) {
+    // It is possible that no version is found (could be a private package, or a package that doesn't exist)
+    // In this case, we return null to indicate that we couldn't resolve the version
+    return null;
+  }
+
+  const distTags = packageInfo["dist-tags"];
+  if (distTags && isDistTags(distTags) && distTags[versionRange]) {
+    // If the version range is a dist-tag, return the version associated with that tag
+    // e.g., "latest", "next", etc.
+    return distTags[versionRange];
+  }
+
+  if (!packageInfo.versions) {
+    return null;
+  }
+
+  // If the version range is not a dist-tag, we need to resolve the highest version matching the range.
+  // This is useful for ranges like "^1.0.0" or "~2.3.4".
+  const availableVersions = Object.keys(packageInfo.versions);
+  const resolvedVersion = semver.maxSatisfying(availableVersions, versionRange);
+  if (resolvedVersion) {
+    return resolvedVersion;
+  }
+
+  // Nothing matched the range, return null
+  return null;
+}
+
+/**
+ *
+ * @param {unknown} distTags
+ * @returns {distTags is Record<string, string>}
+ */
+function isDistTags(distTags) {
+  return typeof distTags === "object";
+}
+
+/**
+ * @param {string} packageName
+ * @returns {Promise<Record<string, unknown> | null>}
+ */
+async function getPackageInfo(packageName) {
+  try {
+    return await npmFetch.json(packageName);
+  } catch {
+    return null;
+  }
+}

package/src/config/cliArguments.js

@@ -0,0 +1,161 @@
+import { ui } from "../environment/userInteraction.js";
+
+/**
+ * @type {{loggingLevel: string | undefined, skipMinimumPackageAge: boolean | undefined, minimumPackageAgeHours: string | undefined, malwareListBaseUrl: string | undefined}}
+ */
+const state = {
+  loggingLevel: undefined,
+  skipMinimumPackageAge: undefined,
+  minimumPackageAgeHours: undefined,
+  malwareListBaseUrl: undefined,
+};
+
+const SAFE_CHAIN_ARG_PREFIX = "--safe-chain-";
+
+/**
+ * @param {string[]} args
+ * @returns {string[]}
+ */
+export function initializeCliArguments(args) {
+  // Reset state on each call
+  state.loggingLevel = undefined;
+  state.skipMinimumPackageAge = undefined;
+  state.minimumPackageAgeHours = undefined;
+  state.malwareListBaseUrl = undefined;
+
+  const safeChainArgs = [];
+  const remainingArgs = [];
+
+  for (const arg of args) {
+    if (arg.toLowerCase().startsWith(SAFE_CHAIN_ARG_PREFIX)) {
+      safeChainArgs.push(arg);
+    } else {
+      remainingArgs.push(arg);
+    }
+  }
+
+  setLoggingLevel(safeChainArgs);
+  setSkipMinimumPackageAge(safeChainArgs);
+  setMinimumPackageAgeHours(safeChainArgs);
+  setMalwareListBaseUrl(safeChainArgs);
+  checkDeprecatedPythonFlag(args);
+  return remainingArgs;
+}
+
+/**
+ * @param {string[]} args
+ * @param {string} prefix
+ * @returns {string | undefined}
+ */
+function getLastArgEqualsValue(args, prefix) {
+  for (var i = args.length - 1; i >= 0; i--) {
+    const arg = args[i];
+    if (arg.toLowerCase().startsWith(prefix)) {
+      return arg.substring(prefix.length);
+    }
+  }
+
+  return undefined;
+}
+
+/**
+ * @param {string[]} args
+ * @returns {void}
+ */
+function setLoggingLevel(args) {
+  const safeChainLoggingArg = SAFE_CHAIN_ARG_PREFIX + "logging=";
+
+  const level = getLastArgEqualsValue(args, safeChainLoggingArg);
+  if (!level) {
+    return;
+  }
+  state.loggingLevel = level.toLowerCase();
+}
+
+export function getLoggingLevel() {
+  return state.loggingLevel;
+}
+
+/**
+ * @param {string[]} args
+ * @returns {void}
+ */
+function setSkipMinimumPackageAge(args) {
+  const flagName = SAFE_CHAIN_ARG_PREFIX + "skip-minimum-package-age";
+
+  if (hasFlagArg(args, flagName)) {
+    state.skipMinimumPackageAge = true;
+  }
+}
+
+export function getSkipMinimumPackageAge() {
+  return state.skipMinimumPackageAge;
+}
+
+/**
+ * @param {string[]} args
+ * @returns {void}
+ */
+function setMinimumPackageAgeHours(args) {
+  const argName = SAFE_CHAIN_ARG_PREFIX + "minimum-package-age-hours=";
+
+  const value = getLastArgEqualsValue(args, argName);
+  if (value) {
+    state.minimumPackageAgeHours = value;
+  }
+}
+
+/**
+ * @returns {string | undefined}
+ */
+export function getMinimumPackageAgeHours() {
+  return state.minimumPackageAgeHours;
+}
+
+/**
+ * @param {string[]} args
+ * @returns {void}
+ */
+function setMalwareListBaseUrl(args) {
+  const argName = SAFE_CHAIN_ARG_PREFIX + "malware-list-base-url=";
+
+  const value = getLastArgEqualsValue(args, argName);
+  if (value) {
+    state.malwareListBaseUrl = value;
+  }
+}
+
+/**
+ * @returns {string | undefined}
+ */
+export function getMalwareListBaseUrl() {
+  return state.malwareListBaseUrl;
+}
+
+/**
+ * @param {string[]} args
+ * @param {string} flagName
+ * @returns {boolean}
+ */
+function hasFlagArg(args, flagName) {
+  for (const arg of args) {
+    if (arg.toLowerCase() === flagName.toLowerCase()) {
+      return true;
+    }
+  }
+  return false;
+}
+
+/**
+ * Emits a deprecation warning for legacy --include-python flag
+ *
+ * @param {string[]} args
+ * @returns {void}
+ */
+export function checkDeprecatedPythonFlag(args) {
+  if (hasFlagArg(args, "--include-python")) {
+    ui.writeWarning(
+      "--include-python is deprecated and ignored. Python tooling is included by default."
+    );
+  }
+}