@aikidosec/safe-chain 0.0.4-connect-timeout-beta

package/src/scanning/audit/index.js

@@ -0,0 +1,129 @@
+import { ui } from "../../environment/userInteraction.js";
+import {
+  MALWARE_STATUS_MALWARE,
+  openMalwareDatabase,
+} from "../malwareDatabase.js";
+
+/**
+ * @typedef {Object} PackageChange
+ * @property {string} name
+ * @property {string} version
+ * @property {string} type
+ */
+
+/**
+ * @typedef {Object} AuditResult
+ * @property {PackageChange[]} allowedChanges
+ * @property {(PackageChange & {reason: string})[]} disallowedChanges
+ * @property {boolean} isAllowed
+ */
+
+/**
+ * @typedef {Object} AuditStats
+ * @property {number} totalPackages
+ * @property {number} safePackages
+ * @property {number} malwarePackages
+ */
+
+/**
+ * @type AuditStats
+ */
+const auditStats = {
+  totalPackages: 0,
+  safePackages: 0,
+  malwarePackages: 0,
+};
+
+/**
+ * @returns {AuditStats}
+ */
+export function getAuditStats() {
+  return auditStats;
+}
+
+/**
+ *
+ * @param {string | undefined} name
+ * @param {string | undefined} version
+ * @returns {Promise<boolean>}
+ */
+export async function isMalwarePackage(name, version) {
+  if (!name || !version) {
+    return false;
+  }
+
+  const auditResult = await auditChanges([{ name, version, type: "add" }]);
+
+  return !auditResult.isAllowed;
+}
+
+/**
+ * @param {PackageChange[]} changes
+ *
+ * @returns {Promise<AuditResult>}
+ */
+export async function auditChanges(changes) {
+  const allowedChanges = [];
+  const disallowedChanges = [];
+
+  var malwarePackages = await getPackagesWithMalware(
+    changes.filter(
+      (change) => change.type === "add" || change.type === "change"
+    )
+  );
+
+  for (const change of changes) {
+    const malwarePackage = malwarePackages.find(
+      (pkg) => pkg.name === change.name && pkg.version === change.version
+    );
+
+    if (malwarePackage) {
+      auditStats.malwarePackages += 1;
+      ui.writeVerbose(
+        `Safe-chain: Package ${change.name}@${change.version} is marked as malware: ${malwarePackage.status}`
+      );
+      disallowedChanges.push({ ...change, reason: malwarePackage.status });
+    } else {
+      auditStats.safePackages += 1;
+      ui.writeVerbose(
+        `Safe-chain: Package ${change.name}@${change.version} is clean`
+      );
+      allowedChanges.push(change);
+    }
+
+    auditStats.totalPackages += 1;
+  }
+
+  const auditResults = {
+    allowedChanges,
+    disallowedChanges,
+    isAllowed: disallowedChanges.length === 0,
+  };
+
+  return auditResults;
+}
+
+/**
+ * @param {{name: string, version: string, type: string}[]} changes
+ * @returns {Promise<{name: string, version: string, status: string}[]>}
+ */
+async function getPackagesWithMalware(changes) {
+  if (changes.length === 0) {
+    return [];
+  }
+
+  const malwareDb = await openMalwareDatabase();
+  let allVulnerablePackages = [];
+
+  for (const change of changes) {
+    if (malwareDb.isMalware(change.name, change.version)) {
+      allVulnerablePackages.push({
+        name: change.name,
+        version: change.version,
+        status: MALWARE_STATUS_MALWARE,
+      });
+    }
+  }
+
+  return allVulnerablePackages;
+}

package/src/scanning/index.js

@@ -0,0 +1,82 @@
+import { auditChanges } from "./audit/index.js";
+import { getScanTimeout } from "../config/configFile.js";
+import { setTimeout } from "timers/promises";
+import chalk from "chalk";
+import { getPackageManager } from "../packagemanager/currentPackageManager.js";
+import { ui } from "../environment/userInteraction.js";
+
+/**
+ * @param {string[]} args
+ *
+ * @returns {boolean}
+ */
+export function shouldScanCommand(args) {
+  if (!args || args.length === 0) {
+    return false;
+  }
+
+  return getPackageManager().isSupportedCommand(args);
+}
+
+/**
+ * @param {string[]} args
+ *
+ * @returns {Promise<number>}
+ */
+export async function scanCommand(args) {
+  if (!shouldScanCommand(args)) {
+    return 0;
+  }
+
+  let timedOut = false;
+  /** @type {import("./audit/index.js").AuditResult | undefined} */
+  let audit;
+
+  await Promise.race([
+    (async () => {
+      const packageManager = getPackageManager();
+      const changes = await packageManager.getDependencyUpdatesForCommand(args);
+
+      if (timedOut) {
+        return;
+      }
+
+      audit = await auditChanges(changes);
+    })(),
+    setTimeout(getScanTimeout()).then(() => {
+      timedOut = true;
+    }),
+  ]);
+
+  if (timedOut) {
+    throw new Error("Timeout exceeded while scanning npm install command.");
+  }
+
+  if (!audit || audit.isAllowed) {
+    return 0;
+  } else {
+    printMaliciousChanges(audit.disallowedChanges);
+    onMalwareFound();
+    return 1;
+  }
+}
+
+/**
+ * @param {import("./audit/index.js").PackageChange[]} changes
+ * @return {void}
+ */
+function printMaliciousChanges(changes) {
+  ui.writeInformation(
+    chalk.red("✖") + " Safe-chain: " + chalk.bold("Malicious changes detected:")
+  );
+
+  for (const change of changes) {
+    ui.writeInformation(` - ${change.name}@${change.version}`);
+  }
+}
+
+function onMalwareFound() {
+  ui.emptyLine();
+  ui.writeExitWithoutInstallingMaliciousPackages();
+  ui.emptyLine();
+}

package/src/scanning/malwareDatabase.js

@@ -0,0 +1,131 @@
+import {
+  fetchMalwareDatabase,
+  fetchMalwareDatabaseVersion,
+} from "../api/aikido.js";
+import {
+  readDatabaseFromLocalCache,
+  writeDatabaseToLocalCache,
+} from "../config/configFile.js";
+import { ui } from "../environment/userInteraction.js";
+import { getEcoSystem, ECOSYSTEM_PY } from "../config/settings.js";
+
+/**
+ * @typedef {Object} MalwareDatabase
+ * @property {function(string, string): string} getPackageStatus
+ * @property {function(string, string): boolean} isMalware
+ */
+
+/** @type {MalwareDatabase | null} */
+let cachedMalwareDatabase = null;
+
+/**
+ * Normalize package name for comparison.
+ * For Python packages (PEP-503): lowercase and replace _, -, . with -
+ * For js packages: keep as-is (case-sensitive)
+ * @param {string} name
+ * @returns {string}
+ */
+function normalizePackageName(name) {
+  const ecosystem = getEcoSystem();
+  if (ecosystem === ECOSYSTEM_PY) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+  }
+
+  return name;
+}
+
+export async function openMalwareDatabase() {
+  if (cachedMalwareDatabase) {
+    return cachedMalwareDatabase;
+  }
+
+  const malwareDatabase = await getMalwareDatabase();
+
+  /**
+   * @param {string} name
+   * @param {string} version
+   * @returns {string}
+   */
+  function getPackageStatus(name, version) {
+    const normalizedName = normalizePackageName(name);
+    const packageData = malwareDatabase.find(
+      (pkg) => {
+        const normalizedPkgName = normalizePackageName(pkg.package_name);
+        return normalizedPkgName === normalizedName &&
+          (pkg.version === version || pkg.version === "*");
+      }
+    );
+
+    if (!packageData) {
+      return MALWARE_STATUS_OK;
+    }
+
+    return packageData.reason;
+  }
+
+  // This implicitly caches the malware database
+  //  that's closed over by the getPackageStatus function
+  cachedMalwareDatabase = {
+    getPackageStatus,
+    isMalware: (name, version) => {
+      const status = getPackageStatus(name, version);
+      return isMalwareStatus(status);
+    },
+  };
+  return cachedMalwareDatabase;
+}
+
+/**
+ * @returns {Promise<import("../api/aikido.js").MalwarePackage[]>}
+ */
+async function getMalwareDatabase() {
+  const { malwareDatabase: cachedDatabase, version: cachedVersion } =
+    readDatabaseFromLocalCache();
+
+  try {
+    if (cachedDatabase) {
+      const currentVersion = await fetchMalwareDatabaseVersion();
+      if (cachedVersion === currentVersion) {
+        return cachedDatabase;
+      }
+    }
+
+    const { malwareDatabase, version } = await fetchMalwareDatabase();
+
+    if (version) {
+      // Only cache the malware database when we have a version.
+      writeDatabaseToLocalCache(malwareDatabase, version);
+      return malwareDatabase;
+    } else {
+      // We received a valid malware database, but the response
+      // did not contain an etag header with the version
+      ui.writeWarning(
+        "The malware database was downloaded, but could not be cached due to a missing version."
+      );
+      return malwareDatabase;
+    }
+  } catch (/** @type any */ error) {
+    if (cachedDatabase) {
+      ui.writeWarning(
+        "Failed to fetch the latest malware database. Using cached version."
+      );
+      return cachedDatabase;
+    }
+    throw error;
+  }
+}
+
+/**
+ * @param {string} status
+ *
+ * @returns {boolean}
+ */
+function isMalwareStatus(status) {
+  let malwareStatus = status.toUpperCase();
+  return malwareStatus === MALWARE_STATUS_MALWARE;
+}
+
+export const MALWARE_STATUS_OK = "OK";
+export const MALWARE_STATUS_MALWARE = "MALWARE";
+export const MALWARE_STATUS_TELEMETRY = "TELEMETRY";
+export const MALWARE_STATUS_PROTESTWARE = "PROTESTWARE";

package/src/shell-integration/helpers.js

@@ -0,0 +1,213 @@
+import { spawnSync } from "child_process";
+import * as os from "os";
+import fs from "fs";
+import path from "path";
+import { ECOSYSTEM_JS, ECOSYSTEM_PY } from "../config/settings.js";
+
+/**
+ * @typedef {Object} AikidoTool
+ * @property {string} tool
+ * @property {string} aikidoCommand
+ * @property {string} ecoSystem
+ * @property {string} internalPackageManagerName
+ */
+
+/**
+ * @type {AikidoTool[]}
+ */
+export const knownAikidoTools = [
+  {
+    tool: "npm",
+    aikidoCommand: "aikido-npm",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "npm",
+  },
+  {
+    tool: "npx",
+    aikidoCommand: "aikido-npx",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "npx",
+  },
+  {
+    tool: "yarn",
+    aikidoCommand: "aikido-yarn",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "yarn",
+  },
+  {
+    tool: "pnpm",
+    aikidoCommand: "aikido-pnpm",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "pnpm",
+  },
+  {
+    tool: "pnpx",
+    aikidoCommand: "aikido-pnpx",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "pnpx",
+  },
+  {
+    tool: "bun",
+    aikidoCommand: "aikido-bun",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "bun",
+  },
+  {
+    tool: "bunx",
+    aikidoCommand: "aikido-bunx",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "bunx",
+  },
+  {
+    tool: "uv",
+    aikidoCommand: "aikido-uv",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "uv",
+  },
+  {
+    tool: "pip",
+    aikidoCommand: "aikido-pip",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "pip",
+  },
+  {
+    tool: "pip3",
+    aikidoCommand: "aikido-pip3",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "pip",
+  },
+  {
+    tool: "python",
+    aikidoCommand: "aikido-python",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "pip",
+  },
+  {
+    tool: "python3",
+    aikidoCommand: "aikido-python3",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "pip",
+  },
+  // When adding a new tool here, also update the documentation for the new tool in the README.md
+];
+
+/**
+ * Returns a formatted string listing all supported package managers.
+ * Example: "npm, npx, yarn, pnpm, and pnpx commands"
+ */
+export function getPackageManagerList() {
+  const tools = knownAikidoTools.map((t) => t.tool);
+  if (tools.length <= 1) {
+    return `${tools[0] || ""} commands`;
+  }
+  if (tools.length === 2) {
+    return `${tools[0]} and ${tools[1]} commands`;
+  }
+  const lastTool = tools.pop();
+  return `${tools.join(", ")}, and ${lastTool} commands`;
+}
+
+/**
+ * @param {string} executableName
+ *
+ * @returns {boolean}
+ */
+export function doesExecutableExistOnSystem(executableName) {
+  if (os.platform() === "win32") {
+    const result = spawnSync("where", [executableName], { stdio: "ignore" });
+    return result.status === 0;
+  } else {
+    const result = spawnSync("which", [executableName], { stdio: "ignore" });
+    return result.status === 0;
+  }
+}
+
+/**
+ * @param {string} filePath
+ * @param {RegExp} pattern
+ * @param {string} [eol]
+ *
+ * @returns {void}
+ */
+export function removeLinesMatchingPattern(filePath, pattern, eol) {
+  if (!fs.existsSync(filePath)) {
+    return;
+  }
+
+  eol = eol || os.EOL;
+
+  const fileContent = fs.readFileSync(filePath, "utf-8");
+  const lines = fileContent.split(/\r?\n|\r|\u2028|\u2029/);
+  const updatedLines = lines.filter((line) => !shouldRemoveLine(line, pattern));
+  fs.writeFileSync(filePath, updatedLines.join(eol), "utf-8");
+}
+
+const maxLineLength = 100;
+
+/**
+ * @param {string} line
+ * @param {RegExp} pattern
+ * @returns {boolean}
+ */
+function shouldRemoveLine(line, pattern) {
+  const isPatternMatch = pattern.test(line);
+
+  if (!isPatternMatch) {
+    return false;
+  }
+
+  if (line.length > maxLineLength) {
+    // safe-chain only adds lines shorter than maxLineLength
+    // so if the line is longer, it must be from a different
+    // source and could be dangerous to remove
+    return false;
+  }
+
+  if (
+    line.includes("\n") ||
+    line.includes("\r") ||
+    line.includes("\u2028") ||
+    line.includes("\u2029")
+  ) {
+    // If the line contains newlines, something has gone wrong in splitting
+    // \u2028 and \u2029 are Unicode line separator characters (line and paragraph separators)
+    return false;
+  }
+
+  return true;
+}
+
+/**
+ * @param {string} filePath
+ * @param {string} line
+ * @param {string} [eol]
+ *
+ * @returns {void}
+ */
+export function addLineToFile(filePath, line, eol) {
+  createFileIfNotExists(filePath);
+
+  eol = eol || os.EOL;
+
+  const fileContent = fs.readFileSync(filePath, "utf-8");
+  const updatedContent = fileContent + eol + line + eol;
+  fs.writeFileSync(filePath, updatedContent, "utf-8");
+}
+
+/**
+ * @param {string} filePath
+ *
+ * @returns {void}
+ */
+function createFileIfNotExists(filePath) {
+  if (fs.existsSync(filePath)) {
+    return;
+  }
+
+  const dir = path.dirname(filePath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+
+  fs.writeFileSync(filePath, "", "utf-8");
+}

package/src/shell-integration/path-wrappers/templates/unix-wrapper.template.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+# Generated wrapper for {{PACKAGE_MANAGER}} by safe-chain
+# This wrapper intercepts {{PACKAGE_MANAGER}} calls for non-interactive environments
+
+# Function to remove shim from PATH (POSIX-compliant)
+remove_shim_from_path() {
+    echo "$PATH" | sed "s|$HOME/.safe-chain/shims:||g"
+}
+
+if command -v safe-chain >/dev/null 2>&1; then
+  # Remove shim directory from PATH when calling {{AIKIDO_COMMAND}} to prevent infinite loops
+  PATH=$(remove_shim_from_path) exec safe-chain {{PACKAGE_MANAGER}} "$@"
+else
+  # Dynamically find original {{PACKAGE_MANAGER}} (excluding this shim directory)
+  original_cmd=$(PATH=$(remove_shim_from_path) command -v {{PACKAGE_MANAGER}})
+  if [ -n "$original_cmd" ]; then
+    exec "$original_cmd" "$@"
+  else
+    echo "Error: Could not find original {{PACKAGE_MANAGER}}" >&2
+    exit 1
+  fi
+fi

package/src/shell-integration/path-wrappers/templates/windows-wrapper.template.cmd

@@ -0,0 +1,24 @@
+@echo off
+REM Generated wrapper for {{PACKAGE_MANAGER}} by safe-chain
+REM This wrapper intercepts {{PACKAGE_MANAGER}} calls for non-interactive environments
+
+REM Remove shim directory from PATH to prevent infinite loops
+set "SHIM_DIR=%USERPROFILE%\.safe-chain\shims"
+call set "CLEAN_PATH=%%PATH:%SHIM_DIR%;=%%"
+
+REM Check if aikido command is available with clean PATH
+set "PATH=%CLEAN_PATH%" & where safe-chain >nul 2>&1
+if %errorlevel%==0 (
+    REM Call aikido command with clean PATH
+    set "PATH=%CLEAN_PATH%" & safe-chain {{PACKAGE_MANAGER}} %*
+) else (
+    REM Find the original command with clean PATH
+    for /f "tokens=*" %%i in ('set "PATH=%CLEAN_PATH%" ^& where {{PACKAGE_MANAGER}} 2^>nul') do (
+        "%%i" %*
+        goto :eof
+    )
+    
+    REM If we get here, original command was not found
+    echo Error: Could not find original {{PACKAGE_MANAGER}} >&2
+    exit /b 1
+)