@aikidosec/safe-chain 0.0.4-connect-timeout-beta

package/src/registryProxy/mitmRequestHandler.js

@@ -0,0 +1,231 @@
+import https from "https";
+import { generateCertForHost } from "./certUtils.js";
+import { HttpsProxyAgent } from "https-proxy-agent";
+import { ui } from "../environment/userInteraction.js";
+import { gunzipSync, gzipSync } from "zlib";
+
+/**
+ * @typedef {import("./interceptors/interceptorBuilder.js").Interceptor} Interceptor
+ */
+
+/**
+ * @param {import("http").IncomingMessage} req
+ * @param {import("http").ServerResponse} clientSocket
+ * @param {Interceptor} interceptor
+ */
+export function mitmConnect(req, clientSocket, interceptor) {
+  ui.writeVerbose(`Safe-chain: Set up MITM tunnel for ${req.url}`);
+  const { hostname } = new URL(`http://${req.url}`);
+
+  clientSocket.on("error", (err) => {
+    ui.writeVerbose(
+      `Safe-chain: Client socket error for ${req.url}: ${err.message}`
+    );
+    // NO-OP
+    // This can happen if the client TCP socket sends RST instead of FIN.
+    // Not subscribing to 'close' event will cause node to throw and crash.
+  });
+
+  const server = createHttpsServer(hostname, interceptor);
+
+  server.on("error", (err) => {
+    ui.writeError(`Safe-chain: HTTPS server error: ${err.message}`);
+    if (!clientSocket.headersSent) {
+      clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+    } else if (clientSocket.writable) {
+      clientSocket.end();
+    }
+  });
+
+  // Establish the connection
+  clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
+
+  // Hand off the socket to the HTTPS server
+  server.emit("connection", clientSocket);
+}
+
+/**
+ * @param {string} hostname
+ * @param {Interceptor} interceptor
+ * @returns {import("https").Server}
+ */
+function createHttpsServer(hostname, interceptor) {
+  const cert = generateCertForHost(hostname);
+
+  /**
+   * @param {import("http").IncomingMessage} req
+   * @param {import("http").ServerResponse} res
+   *
+   * @returns {Promise<void>}
+   */
+  async function handleRequest(req, res) {
+    if (!req.url) {
+      ui.writeError("Safe-chain: Request missing URL");
+      res.writeHead(400, "Bad Request");
+      res.end("Bad Request: Missing URL");
+      return;
+    }
+
+    const pathAndQuery = getRequestPathAndQuery(req.url);
+    const targetUrl = `https://${hostname}${pathAndQuery}`;
+
+    const requestInterceptor = await interceptor.handleRequest(targetUrl);
+    const blockResponse = requestInterceptor.blockResponse;
+
+    if (blockResponse) {
+      ui.writeVerbose(`Safe-chain: Blocking request to ${targetUrl}`);
+      res.writeHead(blockResponse.statusCode, blockResponse.message);
+      res.end(blockResponse.message);
+      return;
+    }
+
+    // Collect request body
+    forwardRequest(req, hostname, res, requestInterceptor);
+  }
+
+  const server = https.createServer(
+    {
+      key: cert.privateKey,
+      cert: cert.certificate,
+    },
+    handleRequest
+  );
+
+  return server;
+}
+
+/**
+ * @param {string} url
+ * @returns {string}
+ */
+function getRequestPathAndQuery(url) {
+  if (url.startsWith("http://") || url.startsWith("https://")) {
+    const parsedUrl = new URL(url);
+    return parsedUrl.pathname + parsedUrl.search + parsedUrl.hash;
+  }
+  return url;
+}
+
+/**
+ * @param {import("http").IncomingMessage} req
+ * @param {string} hostname
+ * @param {import("http").ServerResponse} res
+ * @param {import("./interceptors/interceptorBuilder.js").RequestInterceptionHandler} requestHandler
+ */
+function forwardRequest(req, hostname, res, requestHandler) {
+  const proxyReq = createProxyRequest(hostname, req, res, requestHandler);
+
+  proxyReq.on("error", (err) => {
+    ui.writeVerbose(
+      `Safe-chain: Error occurred while proxying request to ${req.url} for ${hostname}: ${err.message}`
+    );
+    res.writeHead(502);
+    res.end("Bad Gateway");
+  });
+
+  req.on("error", (err) => {
+    ui.writeError(
+      `Safe-chain: Error reading client request to ${req.url} for ${hostname}: ${err.message}`
+    );
+    proxyReq.destroy();
+  });
+
+  req.on("data", (chunk) => {
+    proxyReq.write(chunk);
+  });
+
+  req.on("end", () => {
+    ui.writeVerbose(
+      `Safe-chain: Finished proxying request to ${req.url} for ${hostname}`
+    );
+    proxyReq.end();
+  });
+}
+
+/**
+ * @param {string} hostname
+ * @param {import("http").IncomingMessage} req
+ * @param {import("http").ServerResponse} res
+ * @param {import("./interceptors/interceptorBuilder.js").RequestInterceptionHandler} requestHandler
+ *
+ * @returns {import("http").ClientRequest}
+ */
+function createProxyRequest(hostname, req, res, requestHandler) {
+  /** @type {NodeJS.Dict<string | string[]> | undefined} */
+  let headers = { ...req.headers };
+  // Remove the host header from the incoming request before forwarding.
+  // Node's http module sets the correct host header for the target hostname automatically.
+  if (headers.host) {
+    delete headers.host;
+  }
+  headers = requestHandler.modifyRequestHeaders(headers);
+
+  /** @type {import("http").RequestOptions} */
+  const options = {
+    hostname: hostname,
+    port: 443,
+    path: req.url,
+    method: req.method,
+    headers: { ...headers },
+  };
+
+  const httpsProxy = process.env.HTTPS_PROXY || process.env.https_proxy;
+  if (httpsProxy) {
+    options.agent = new HttpsProxyAgent(httpsProxy);
+  }
+
+  const proxyReq = https.request(options, (proxyRes) => {
+    proxyRes.on("error", (err) => {
+      ui.writeError(
+        `Safe-chain: Error reading upstream response to ${req.url} for ${hostname}: ${err.message}`
+      );
+      if (!res.headersSent) {
+        res.writeHead(502);
+        res.end("Bad Gateway");
+      }
+    });
+
+    if (!proxyRes.statusCode) {
+      ui.writeError(
+        `Safe-chain: Proxy response missing status code to ${req.url} for ${hostname}`
+      );
+      res.writeHead(500);
+      res.end("Internal Server Error");
+      return;
+    }
+
+    const { statusCode, headers } = proxyRes;
+
+    if (requestHandler.modifiesResponse()) {
+      /** @type {Array<any>} */
+      let chunks = [];
+
+      proxyRes.on("data", (chunk) => chunks.push(chunk));
+
+      proxyRes.on("end", () => {
+        /** @type {Buffer} */
+        let buffer = Buffer.concat(chunks);
+
+        if (proxyRes.headers["content-encoding"] === "gzip") {
+          buffer = gunzipSync(buffer);
+        }
+
+        buffer = requestHandler.modifyBody(buffer, headers);
+
+        if (proxyRes.headers["content-encoding"] === "gzip") {
+          buffer = gzipSync(buffer);
+        }
+
+        res.writeHead(statusCode, headers);
+        res.end(buffer);
+      });
+    } else {
+      // If the response is not being modified, we can
+      // just pipe without the need for buffering the output
+      res.writeHead(statusCode, headers);
+      proxyRes.pipe(res);
+    }
+  });
+
+  return proxyReq;
+}

package/src/registryProxy/plainHttpProxy.js

@@ -0,0 +1,95 @@
+import * as http from "http";
+import * as https from "https";
+import { ui } from "../environment/userInteraction.js";
+
+/**
+ * @param {import("http").IncomingMessage} req
+ * @param {import("http").ServerResponse} res
+ *
+ * @returns {void}
+ */
+export function handleHttpProxyRequest(req, res) {
+  if (!req.url) {
+    ui.writeError("Safe-chain: Request missing URL");
+    res.writeHead(400, "Bad Request");
+    res.end("Bad Request: Missing URL");
+    return;
+  }
+
+  const url = new URL(req.url);
+
+  // The protocol for the plainHttpProxy should usually only be http:
+  // but when the client for some reason sends an https: request directly
+  // instead of using the CONNECT method, we should handle it gracefully.
+  let protocol;
+  if (url.protocol === "http:") {
+    protocol = http;
+  } else if (url.protocol === "https:") {
+    protocol = https;
+  } else {
+    res.writeHead(502);
+    res.end(`Bad Gateway: Unsupported protocol ${url.protocol}`);
+    return;
+  }
+
+  const proxyRequest = protocol
+    .request(
+      req.url,
+      { method: req.method, headers: req.headers },
+      (proxyRes) => {
+        if (!proxyRes.statusCode) {
+          ui.writeError("Safe-chain: Proxy response missing status code");
+          res.writeHead(500);
+          res.end("Internal Server Error");
+          return;
+        }
+
+        res.writeHead(proxyRes.statusCode, proxyRes.headers);
+        proxyRes.pipe(res);
+
+        proxyRes.on("error", () => {
+          // Proxy response stream error
+          // Clean up client response stream
+          if (res.writable) {
+            res.end();
+          }
+        });
+
+        proxyRes.on("close", () => {
+          // Clean up if the proxy response stream closes
+          if (res.writable) {
+            res.end();
+          }
+        });
+      }
+    )
+    .on("error", (err) => {
+      if (!res.headersSent) {
+        res.writeHead(502);
+        res.end(`Bad Gateway: ${err.message}`);
+      } else {
+        // Headers already sent, just destroy the response
+        res.destroy();
+      }
+    });
+
+  req.on("error", () => {
+    // Client request stream error
+    // Abort the proxy request
+    proxyRequest.destroy();
+  });
+
+  res.on("error", () => {
+    // Client response stream error (client disconnected)
+    // Clean up proxy streams
+    proxyRequest.destroy();
+  });
+
+  res.on("close", () => {
+    // Client disconnected
+    // Abort the proxy request to avoid unnecessary work
+    proxyRequest.destroy();
+  });
+
+  req.pipe(proxyRequest);
+}

package/src/registryProxy/registryProxy.js

@@ -0,0 +1,184 @@
+import * as http from "http";
+import { tunnelRequest } from "./tunnelRequestHandler.js";
+import { mitmConnect } from "./mitmRequestHandler.js";
+import { handleHttpProxyRequest } from "./plainHttpProxy.js";
+import { getCaCertPath } from "./certUtils.js";
+import { ui } from "../environment/userInteraction.js";
+import chalk from "chalk";
+import { createInterceptorForUrl } from "./interceptors/createInterceptorForEcoSystem.js";
+import { getHasSuppressedVersions } from "./interceptors/npm/modifyNpmInfo.js";
+
+const SERVER_STOP_TIMEOUT_MS = 1000;
+/**
+ * @type {{port: number | null, blockedRequests: {packageName: string, version: string, url: string}[]}}
+ */
+const state = {
+  port: null,
+  blockedRequests: [],
+};
+
+export function createSafeChainProxy() {
+  const server = createProxyServer();
+
+  return {
+    startServer: () => startServer(server),
+    stopServer: () => stopServer(server),
+    verifyNoMaliciousPackages,
+    hasSuppressedVersions: getHasSuppressedVersions,
+  };
+}
+
+/**
+ * @returns {Record<string, string>}
+ */
+function getSafeChainProxyEnvironmentVariables() {
+  if (!state.port) {
+    return {};
+  }
+
+  return {
+    HTTPS_PROXY: `http://localhost:${state.port}`,
+    GLOBAL_AGENT_HTTP_PROXY: `http://localhost:${state.port}`,
+    NODE_EXTRA_CA_CERTS: getCaCertPath(),
+  };
+}
+
+/**
+ * @param {Record<string, string | undefined>} env
+ *
+ * @returns {Record<string, string>}
+ */
+export function mergeSafeChainProxyEnvironmentVariables(env) {
+  const proxyEnv = getSafeChainProxyEnvironmentVariables();
+
+  for (const key of Object.keys(env)) {
+    // If we were to simply copy all env variables, we might overwrite
+    // the proxy settings set by safe-chain when casing varies (e.g. http_proxy vs HTTP_PROXY)
+    // So we only copy the variable if it's not already set in a different case
+    const upperKey = key.toUpperCase();
+
+    if (!proxyEnv[upperKey] && env[key]) {
+      proxyEnv[key] = env[key];
+    }
+  }
+
+  return proxyEnv;
+}
+
+function createProxyServer() {
+  const server = http.createServer(
+    // This handles direct HTTP requests (non-CONNECT requests)
+    // This is normally http-only traffic, but we also handle
+    // https for clients that don't properly use CONNECT
+    handleHttpProxyRequest
+  );
+
+  // This handles HTTPS requests via the CONNECT method
+  server.on("connect", handleConnect);
+
+  return server;
+}
+
+/**
+ * @param {import("http").Server} server
+ *
+ * @returns {Promise<void>}
+ */
+function startServer(server) {
+  return new Promise((resolve, reject) => {
+    // Passing port 0 makes the OS assign an available port
+    server.listen(0, () => {
+      const address = server.address();
+      if (address && typeof address === "object") {
+        state.port = address.port;
+        resolve();
+      } else {
+        reject(new Error("Failed to start proxy server"));
+      }
+    });
+
+    server.on("error", (err) => {
+      reject(err);
+    });
+  });
+}
+
+/**
+ * @param {import("http").Server} server
+ *
+ * @returns {Promise<void>}
+ */
+function stopServer(server) {
+  return new Promise((resolve) => {
+    try {
+      server.close(() => {
+        resolve();
+      });
+    } catch {
+      resolve();
+    }
+    setTimeout(() => resolve(), SERVER_STOP_TIMEOUT_MS);
+  });
+}
+
+/**
+ * @param {import("http").IncomingMessage} req
+ * @param {import("http").ServerResponse} clientSocket
+ * @param {Buffer} head
+ *
+ * @returns {void}
+ */
+function handleConnect(req, clientSocket, head) {
+  // CONNECT method is used for HTTPS requests
+  // It establishes a tunnel to the server identified by the request URL
+
+  const interceptor = createInterceptorForUrl(req.url || "");
+
+  if (interceptor) {
+    // Subscribe to malware blocked events
+    interceptor.on("malwareBlocked", (event) => {
+      onMalwareBlocked(event.packageName, event.version, event.url);
+    });
+
+    mitmConnect(req, clientSocket, interceptor);
+  } else {
+    // For other hosts, just tunnel the request to the destination tcp socket
+    ui.writeVerbose(`Safe-chain: Tunneling request to ${req.url}`);
+    tunnelRequest(req, clientSocket, head);
+  }
+}
+
+/**
+ *
+ * @param {string} packageName
+ * @param {string} version
+ * @param {string} url
+ */
+function onMalwareBlocked(packageName, version, url) {
+  state.blockedRequests.push({ packageName, version, url });
+}
+
+function verifyNoMaliciousPackages() {
+  if (state.blockedRequests.length === 0) {
+    // No malicious packages were blocked, so nothing to block
+    return true;
+  }
+
+  ui.emptyLine();
+
+  ui.writeInformation(
+    `Safe-chain: ${chalk.bold(
+      `blocked ${state.blockedRequests.length} malicious package downloads`
+    )}:`
+  );
+
+  for (const req of state.blockedRequests) {
+    ui.writeInformation(` - ${req.packageName}@${req.version} (${req.url})`);
+  }
+
+  ui.emptyLine();
+  ui.writeExitWithoutInstallingMaliciousPackages();
+  ui.emptyLine();
+
+  return false;
+}

package/src/registryProxy/tunnelRequestHandler.js

@@ -0,0 +1,180 @@
+import * as net from "net";
+import { ui } from "../environment/userInteraction.js";
+
+/** @type {string[]} */
+let timedoutEndpoints = [];
+
+/**
+ * @param {import("http").IncomingMessage} req
+ * @param {import("http").ServerResponse} clientSocket
+ * @param {Buffer} head
+ *
+ * @returns {void}
+ */
+export function tunnelRequest(req, clientSocket, head) {
+  const httpsProxy = process.env.HTTPS_PROXY || process.env.https_proxy;
+
+  if (httpsProxy) {
+    // If an HTTPS proxy is set, tunnel the request via the proxy
+    // This is the system proxy, not the safe-chain proxy
+    // The package manager will run via the safe-chain proxy
+    // The safe-chain proxy will then send the request to the system proxy
+    // Typical flow: package manager -> safe-chain proxy -> system proxy -> destination
+
+    // There are 2 processes involved in this:
+    // 1. Safe-chain process: has HTTPS_PROXY set to system proxy
+    // 2. Package manager process: has HTTPS_PROXY set to safe-chain proxy
+
+    tunnelRequestViaProxy(req, clientSocket, head, httpsProxy);
+  } else {
+    tunnelRequestToDestination(req, clientSocket, head);
+  }
+}
+
+/**
+ * @param {import("http").IncomingMessage} req
+ * @param {import("http").ServerResponse} clientSocket
+ * @param {Buffer} head
+ *
+ * @returns {void}
+ */
+function tunnelRequestToDestination(req, clientSocket, head) {
+  const { port, hostname } = new URL(`http://${req.url}`);
+
+  if (timedoutEndpoints.includes(hostname)) {
+    clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+    ui.writeError(
+      `Safe-chain: Closing connection because previously timedout connect to ${hostname}`
+    );
+    return;
+  }
+
+  const serverSocket = net.connect(
+    Number.parseInt(port) || 443,
+    hostname,
+    () => {
+      clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
+      serverSocket.write(head);
+      serverSocket.pipe(clientSocket);
+      clientSocket.pipe(serverSocket);
+    }
+  );
+
+  const connectTimeout = getConnectTimeout(hostname);
+  serverSocket.setTimeout(connectTimeout);
+  serverSocket.on("timeout", () => {
+    timedoutEndpoints.push(hostname);
+    ui.writeError(
+      `Safe-chain: connect to ${hostname}:${port} timed out after ${connectTimeout}ms`
+    );
+    clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+  });
+
+  clientSocket.on("error", () => {
+    // This can happen if the client TCP socket sends RST instead of FIN.
+    // Not subscribing to 'error' event will cause node to throw and crash.
+    if (serverSocket.writable) {
+      serverSocket.end();
+    }
+  });
+
+  serverSocket.on("error", (err) => {
+    ui.writeError(
+      `Safe-chain: error connecting to ${hostname}:${port} - ${err.message}`
+    );
+    if (clientSocket.writable) {
+      clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+    }
+  });
+}
+
+/**
+ * @param {import("http").IncomingMessage} req
+ * @param {import("http").ServerResponse} clientSocket
+ * @param {Buffer} head
+ * @param {string} proxyUrl
+ */
+function tunnelRequestViaProxy(req, clientSocket, head, proxyUrl) {
+  const { port, hostname } = new URL(`http://${req.url}`);
+  const proxy = new URL(proxyUrl);
+
+  // Connect to proxy server
+  const proxySocket = net.connect({
+    host: proxy.hostname,
+    port: Number.parseInt(proxy.port) || 80,
+  });
+
+  proxySocket.on("connect", () => {
+    // Send CONNECT request to proxy
+    const connectRequest = [
+      `CONNECT ${hostname}:${port || 443} HTTP/1.1`,
+      `Host: ${hostname}:${port || 443}`,
+      "",
+      "",
+    ].join("\r\n");
+
+    proxySocket.write(connectRequest);
+  });
+
+  let isConnected = false;
+  proxySocket.once("data", (data) => {
+    const response = data.toString();
+
+    // Check if CONNECT succeeded (HTTP/1.1 200)
+    if (response.startsWith("HTTP/1.1 200")) {
+      isConnected = true;
+      clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
+      proxySocket.write(head);
+      proxySocket.pipe(clientSocket);
+      clientSocket.pipe(proxySocket);
+    } else {
+      ui.writeError(
+        `Safe-chain: proxy CONNECT failed: ${response.split("\r\n")[0]}`
+      );
+      if (clientSocket.writable) {
+        clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+      }
+      if (proxySocket.writable) {
+        proxySocket.end();
+      }
+    }
+  });
+
+  proxySocket.on("error", (err) => {
+    if (!isConnected) {
+      ui.writeError(
+        `Safe-chain: error connecting to proxy ${proxy.hostname}:${
+          proxy.port || 8080
+        } - ${err.message}`
+      );
+      if (clientSocket.writable) {
+        clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+      }
+    } else {
+      ui.writeError(
+        `Safe-chain: proxy socket error after connection - ${err.message}`
+      );
+      if (clientSocket.writable) {
+        clientSocket.end();
+      }
+    }
+  });
+
+  clientSocket.on("error", () => {
+    if (proxySocket.writable) {
+      proxySocket.end();
+    }
+  });
+}
+
+const imdsEndpoints = [
+  "metadata.google.internal",
+  "metadata.goog",
+  "169.254.169.254",
+];
+function getConnectTimeout(/** @type {string} */ host) {
+  if (imdsEndpoints.includes(host)) {
+    return 3000;
+  }
+  return 30000;
+}