@aikidosec/safe-chain 0.0.4-connect-timeout-beta

package/src/api/aikido.js

@@ -0,0 +1,54 @@
+import fetch from "make-fetch-happen";
+import { getEcoSystem, ECOSYSTEM_JS, ECOSYSTEM_PY } from "../config/settings.js";
+
+const malwareDatabaseUrls = {
+  [ECOSYSTEM_JS]: "https://malware-list.aikido.dev/malware_predictions.json",
+  [ECOSYSTEM_PY]: "https://malware-list.aikido.dev/malware_pypi.json",
+};
+
+/**
+ * @typedef {Object} MalwarePackage
+ * @property {string} package_name
+ * @property {string} version
+ * @property {string} reason
+ */
+
+/**
+ * @returns {Promise<{malwareDatabase: MalwarePackage[], version: string | undefined}>}
+ */
+export async function fetchMalwareDatabase() {
+  const ecosystem = getEcoSystem();
+  const malwareDatabaseUrl = malwareDatabaseUrls[/** @type {keyof typeof malwareDatabaseUrls} */ (ecosystem)];
+  const response = await fetch(malwareDatabaseUrl);
+  if (!response.ok) {
+    throw new Error(`Error fetching ${ecosystem} malware database: ${response.statusText}`);
+  }
+
+  try {
+    let malwareDatabase = await response.json();
+    return {
+      malwareDatabase: malwareDatabase,
+      version: response.headers.get("etag") || undefined,
+    };
+  } catch (/** @type {any} */ error) {
+    throw new Error(`Error parsing malware database: ${error.message}`);
+  }
+}
+
+/**
+ * @returns {Promise<string | undefined>}
+ */
+export async function fetchMalwareDatabaseVersion() {
+  const ecosystem = getEcoSystem();
+  const malwareDatabaseUrl = malwareDatabaseUrls[/** @type {keyof typeof malwareDatabaseUrls} */ (ecosystem)];
+  const response = await fetch(malwareDatabaseUrl, {
+    method: "HEAD",
+  });
+
+  if (!response.ok) {
+    throw new Error(
+      `Error fetching ${ecosystem} malware database version: ${response.statusText}`
+    );
+  }
+  return response.headers.get("etag") || undefined;
+}

package/src/api/npmApi.js

@@ -0,0 +1,71 @@
+import * as semver from "semver";
+import * as npmFetch from "npm-registry-fetch";
+
+/**
+ * @param {string} packageName
+ * @param {string | null} [versionRange]
+ * @returns {Promise<string | null>}
+ */
+export async function resolvePackageVersion(packageName, versionRange) {
+  if (!versionRange) {
+    versionRange = "latest";
+  }
+
+  if (semver.valid(versionRange)) {
+    // The version is a fixed version, no need to resolve
+    return versionRange;
+  }
+
+  const packageInfo = (
+    /** @type {{"dist-tags"?: Record<string, string>, versions?: Record<string, unknown>} | null} */
+    await getPackageInfo(packageName)
+  );
+  if (!packageInfo) {
+    // It is possible that no version is found (could be a private package, or a package that doesn't exist)
+    // In this case, we return null to indicate that we couldn't resolve the version
+    return null;
+  }
+
+  const distTags = packageInfo["dist-tags"];
+  if (distTags && isDistTags(distTags) && distTags[versionRange]) {
+    // If the version range is a dist-tag, return the version associated with that tag
+    // e.g., "latest", "next", etc.
+    return distTags[versionRange];
+  }
+
+  if (!packageInfo.versions) {
+    return null;
+  }
+
+  // If the version range is not a dist-tag, we need to resolve the highest version matching the range.
+  // This is useful for ranges like "^1.0.0" or "~2.3.4".
+  const availableVersions = Object.keys(packageInfo.versions);
+  const resolvedVersion = semver.maxSatisfying(availableVersions, versionRange);
+  if (resolvedVersion) {
+    return resolvedVersion;
+  }
+
+  // Nothing matched the range, return null
+  return null;
+}
+
+/**
+ *
+ * @param {unknown} distTags
+ * @returns {distTags is Record<string, string>}
+ */
+function isDistTags(distTags) {
+  return typeof distTags === "object";
+}
+
+/**
+ * @param {string} packageName
+ * @returns {Promise<Record<string, unknown> | null>}
+ */
+async function getPackageInfo(packageName) {
+  try {
+    return await npmFetch.json(packageName);
+  } catch {
+    return null;
+  }
+}

package/src/config/cliArguments.js

@@ -0,0 +1,138 @@
+/**
+ * @type {{loggingLevel: string | undefined, skipMinimumPackageAge: boolean | undefined, minimumPackageAgeHours: string | undefined, includePython: boolean}}
+ */
+const state = {
+  loggingLevel: undefined,
+  skipMinimumPackageAge: undefined,
+  minimumPackageAgeHours: undefined,
+  includePython: false,
+};
+
+const SAFE_CHAIN_ARG_PREFIX = "--safe-chain-";
+
+/**
+ * @param {string[]} args
+ * @returns {string[]}
+ */
+export function initializeCliArguments(args) {
+  // Reset state on each call
+  state.loggingLevel = undefined;
+  state.skipMinimumPackageAge = undefined;
+  state.minimumPackageAgeHours = undefined;
+
+  const safeChainArgs = [];
+  const remainingArgs = [];
+
+  for (const arg of args) {
+    if (arg.toLowerCase().startsWith(SAFE_CHAIN_ARG_PREFIX)) {
+      safeChainArgs.push(arg);
+    } else {
+      remainingArgs.push(arg);
+    }
+  }
+
+  setLoggingLevel(safeChainArgs);
+  setSkipMinimumPackageAge(safeChainArgs);
+  setMinimumPackageAgeHours(safeChainArgs);
+  setIncludePython(args);
+
+  return remainingArgs;
+}
+
+/**
+ * @param {string[]} args
+ * @param {string} prefix
+ * @returns {string | undefined}
+ */
+function getLastArgEqualsValue(args, prefix) {
+  for (var i = args.length - 1; i >= 0; i--) {
+    const arg = args[i];
+    if (arg.toLowerCase().startsWith(prefix)) {
+      return arg.substring(prefix.length);
+    }
+  }
+
+  return undefined;
+}
+
+/**
+ * @param {string[]} args
+ * @returns {void}
+ */
+function setLoggingLevel(args) {
+  const safeChainLoggingArg = SAFE_CHAIN_ARG_PREFIX + "logging=";
+
+  const level = getLastArgEqualsValue(args, safeChainLoggingArg);
+  if (!level) {
+    return;
+  }
+  state.loggingLevel = level.toLowerCase();
+}
+
+export function getLoggingLevel() {
+  return state.loggingLevel;
+}
+
+/**
+ * @param {string[]} args
+ * @returns {void}
+ */
+function setSkipMinimumPackageAge(args) {
+  const flagName = SAFE_CHAIN_ARG_PREFIX + "skip-minimum-package-age";
+
+  if (hasFlagArg(args, flagName)) {
+    state.skipMinimumPackageAge = true;
+  }
+}
+
+export function getSkipMinimumPackageAge() {
+  return state.skipMinimumPackageAge;
+}
+
+/**
+ * @param {string[]} args
+ * @returns {void}
+ */
+function setMinimumPackageAgeHours(args) {
+  const argName = SAFE_CHAIN_ARG_PREFIX + "minimum-package-age-hours=";
+
+  const value = getLastArgEqualsValue(args, argName);
+  if (value) {
+    state.minimumPackageAgeHours = value;
+  }
+}
+
+/**
+ * @returns {string | undefined}
+ */
+export function getMinimumPackageAgeHours() {
+  return state.minimumPackageAgeHours;
+}
+
+/**
+ * @param {string[]} args
+ */
+function setIncludePython(args) {
+  // This flag doesn't have the --safe-chain- prefix because
+  // it is only used for the safe-chain command itself and
+  // not when wrapped around package manager commands.
+  state.includePython = hasFlagArg(args, "--include-python");
+}
+
+export function includePython() {
+  return state.includePython;
+}
+
+/**
+ * @param {string[]} args
+ * @param {string} flagName
+ * @returns {boolean}
+ */
+function hasFlagArg(args, flagName) {
+  for (const arg of args) {
+    if (arg.toLowerCase() === flagName.toLowerCase()) {
+      return true;
+    }
+  }
+  return false;
+}

package/src/config/configFile.js

@@ -0,0 +1,192 @@
+import fs from "fs";
+import path from "path";
+import os from "os";
+import { ui } from "../environment/userInteraction.js";
+import { getEcoSystem } from "./settings.js";
+
+/**
+ * @typedef {Object} SafeChainConfig
+ *
+ * This should be a number, but can be anything because it is user-input.
+ * We cannot trust the input and should add the necessary validations.
+ * @property {unknown} scanTimeout
+ * @property {unknown} minimumPackageAgeHours
+ */
+
+/**
+ * @returns {number}
+ */
+export function getScanTimeout() {
+  const config = readConfigFile();
+
+  if (process.env.AIKIDO_SCAN_TIMEOUT_MS) {
+    const scanTimeout = validateTimeout(process.env.AIKIDO_SCAN_TIMEOUT_MS);
+    if (scanTimeout != null) {
+      return scanTimeout;
+    }
+  }
+
+  if (config.scanTimeout) {
+    const scanTimeout = validateTimeout(config.scanTimeout);
+    if (scanTimeout != null) {
+      return scanTimeout;
+    }
+  }
+
+  return 10000; // Default to 10 seconds
+}
+
+/**
+ *
+ * @param {any} value
+ * @returns {number?}
+ */
+function validateTimeout(value) {
+  const timeout = Number(value);
+  if (!Number.isNaN(timeout) && timeout > 0) {
+    return timeout;
+  }
+  return null;
+}
+
+/**
+ * @param {any} value
+ * @returns {number | undefined}
+ */
+function validateMinimumPackageAgeHours(value) {
+  const hours = Number(value);
+  if (!Number.isNaN(hours)) {
+    return hours;
+  }
+  return undefined;
+}
+
+/**
+ * Gets the minimum package age in hours from config file only
+ * @returns {number | undefined}
+ */
+export function getMinimumPackageAgeHours() {
+  const config = readConfigFile();
+  if (config.minimumPackageAgeHours) {
+    const validated = validateMinimumPackageAgeHours(
+      config.minimumPackageAgeHours
+    );
+    if (validated !== undefined) {
+      return validated;
+    }
+  }
+  return undefined;
+}
+
+/**
+ * @param {import("../api/aikido.js").MalwarePackage[]} data
+ * @param {string | number} version
+ *
+ * @returns {void}
+ */
+export function writeDatabaseToLocalCache(data, version) {
+  try {
+    const databasePath = getDatabasePath();
+    const versionPath = getDatabaseVersionPath();
+
+    fs.writeFileSync(databasePath, JSON.stringify(data));
+    fs.writeFileSync(versionPath, version.toString());
+  } catch {
+    ui.writeWarning(
+      "Failed to write malware database to local cache, next time the database will be fetched from the server again."
+    );
+  }
+}
+
+/**
+ * @returns {{malwareDatabase: import("../api/aikido.js").MalwarePackage[] | null, version: string | null}}
+ */
+export function readDatabaseFromLocalCache() {
+  try {
+    const databasePath = getDatabasePath();
+    if (!fs.existsSync(databasePath)) {
+      return {
+        malwareDatabase: null,
+        version: null,
+      };
+    }
+    const data = fs.readFileSync(databasePath, "utf8");
+    const malwareDatabase = JSON.parse(data);
+    const versionPath = getDatabaseVersionPath();
+    let version = null;
+    if (fs.existsSync(versionPath)) {
+      version = fs.readFileSync(versionPath, "utf8").trim();
+    }
+    return {
+      malwareDatabase: malwareDatabase,
+      version: version,
+    };
+  } catch {
+    ui.writeWarning(
+      "Failed to read malware database from local cache. Continuing without local cache."
+    );
+    return {
+      malwareDatabase: null,
+      version: null,
+    };
+  }
+}
+
+/**
+ * @returns {SafeChainConfig}
+ */
+function readConfigFile() {
+  const configFilePath = getConfigFilePath();
+
+  if (!fs.existsSync(configFilePath)) {
+    return {
+      scanTimeout: undefined,
+      minimumPackageAgeHours: undefined,
+    };
+  }
+
+  try {
+    const data = fs.readFileSync(configFilePath, "utf8");
+    return JSON.parse(data);
+  } catch {
+    return {
+      scanTimeout: undefined,
+      minimumPackageAgeHours: undefined,
+    };
+  }
+}
+
+/**
+ * @returns {string}
+ */
+function getDatabasePath() {
+  const aikidoDir = getAikidoDirectory();
+  const ecosystem = getEcoSystem();
+  return path.join(aikidoDir, `malwareDatabase_${ecosystem}.json`);
+}
+
+function getDatabaseVersionPath() {
+  const aikidoDir = getAikidoDirectory();
+  const ecosystem = getEcoSystem();
+  return path.join(aikidoDir, `version_${ecosystem}.txt`);
+}
+
+/**
+ * @returns {string}
+ */
+function getConfigFilePath() {
+  return path.join(getAikidoDirectory(), "config.json");
+}
+
+/**
+ * @returns {string}
+ */
+function getAikidoDirectory() {
+  const homeDir = os.homedir();
+  const aikidoDir = path.join(homeDir, ".aikido");
+
+  if (!fs.existsSync(aikidoDir)) {
+    fs.mkdirSync(aikidoDir, { recursive: true });
+  }
+  return aikidoDir;
+}

package/src/config/environmentVariables.js

@@ -0,0 +1,7 @@
+/**
+ * Gets the minimum package age in hours from environment variable
+ * @returns {string | undefined}
+ */
+export function getMinimumPackageAgeHours() {
+  return process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS;
+}

package/src/config/settings.js

@@ -0,0 +1,100 @@
+import * as cliArguments from "./cliArguments.js";
+import * as configFile from "./configFile.js";
+import * as environmentVariables from "./environmentVariables.js";
+
+export const LOGGING_SILENT = "silent";
+export const LOGGING_NORMAL = "normal";
+export const LOGGING_VERBOSE = "verbose";
+
+export function getLoggingLevel() {
+  const level = cliArguments.getLoggingLevel();
+
+  if (level === LOGGING_SILENT) {
+    return LOGGING_SILENT;
+  }
+
+  if (level === LOGGING_VERBOSE) {
+    return LOGGING_VERBOSE;
+  }
+
+  return LOGGING_NORMAL;
+}
+
+export const ECOSYSTEM_JS = "js";
+export const ECOSYSTEM_PY = "py";
+
+// Default to JavaScript ecosystem
+const ecosystemSettings = {
+  ecoSystem: ECOSYSTEM_JS,
+};
+
+/** @returns {string} - The current ecosystem setting (ECOSYSTEM_JS or ECOSYSTEM_PY) */
+export function getEcoSystem() {
+  return ecosystemSettings.ecoSystem;
+}
+/**
+ * @param {string} setting - The ecosystem to set (ECOSYSTEM_JS or ECOSYSTEM_PY)
+ */
+export function setEcoSystem(setting) {
+  ecosystemSettings.ecoSystem = setting;
+}
+
+const defaultMinimumPackageAge = 24;
+/** @returns {number} */
+export function getMinimumPackageAgeHours() {
+  // Priority 1: CLI argument
+  const cliValue = validateMinimumPackageAgeHours(
+    cliArguments.getMinimumPackageAgeHours()
+  );
+  if (cliValue !== undefined) {
+    return cliValue;
+  }
+
+  // Priority 2: Environment variable
+  const envValue = validateMinimumPackageAgeHours(
+    environmentVariables.getMinimumPackageAgeHours()
+  );
+  if (envValue !== undefined) {
+    return envValue;
+  }
+
+  // Priority 3: Config file
+  const configValue = configFile.getMinimumPackageAgeHours();
+  if (configValue !== undefined) {
+    return configValue;
+  }
+
+  return defaultMinimumPackageAge;
+}
+
+/**
+ * @param {string | undefined} value
+ * @returns {number | undefined}
+ */
+function validateMinimumPackageAgeHours(value) {
+  if (!value) {
+    return undefined;
+  }
+
+  const numericValue = Number(value);
+  if (Number.isNaN(numericValue)) {
+    return undefined;
+  }
+
+  if (numericValue > 0) {
+    return numericValue;
+  }
+
+  return undefined;
+}
+
+const defaultSkipMinimumPackageAge = false;
+export function skipMinimumPackageAge() {
+  const cliValue = cliArguments.getSkipMinimumPackageAge();
+
+  if (cliValue === true) {
+    return true;
+  }
+
+  return defaultSkipMinimumPackageAge;
+}

package/src/environment/environment.js

@@ -0,0 +1,14 @@
+export function isCi() {
+  const ciEnvironments = [
+    "CI",
+    "TF_BUILD", // Azure devops does not set CI, but TF_BUILD
+  ];
+
+  for (const env of ciEnvironments) {
+    if (process.env[env]) {
+      return true;
+    }
+  }
+
+  return false;
+}

package/src/environment/userInteraction.js

@@ -0,0 +1,122 @@
+// oxlint-disable no-console
+import chalk from "chalk";
+import { isCi } from "./environment.js";
+import {
+  getLoggingLevel,
+  LOGGING_SILENT,
+  LOGGING_VERBOSE,
+} from "../config/settings.js";
+
+/**
+ * @type {{ bufferOutput: boolean, bufferedMessages:(() => void)[]}}
+ */
+const state = {
+  bufferOutput: false,
+  bufferedMessages: [],
+};
+
+function isSilentMode() {
+  return getLoggingLevel() === LOGGING_SILENT;
+}
+
+function isVerboseMode() {
+  return getLoggingLevel() === LOGGING_VERBOSE;
+}
+
+function emptyLine() {
+  if (isSilentMode()) return;
+
+  writeInformation("");
+}
+
+/**
+ * @param {string} message
+ * @param {...any} optionalParams
+ * @returns {void}
+ */
+function writeInformation(message, ...optionalParams) {
+  if (isSilentMode()) return;
+
+  writeOrBuffer(() => console.log(message, ...optionalParams));
+}
+
+/**
+ * @param {string} message
+ * @param {...any} optionalParams
+ * @returns {void}
+ */
+function writeWarning(message, ...optionalParams) {
+  if (isSilentMode()) return;
+
+  if (!isCi()) {
+    message = chalk.yellow(message);
+  }
+  writeOrBuffer(() => console.warn(message, ...optionalParams));
+}
+
+/**
+ * @param {string} message
+ * @param {...any} optionalParams
+ * @returns {void}
+ */
+function writeError(message, ...optionalParams) {
+  if (!isCi()) {
+    message = chalk.red(message);
+  }
+  writeOrBuffer(() => console.error(message, ...optionalParams));
+}
+
+function writeExitWithoutInstallingMaliciousPackages() {
+  let message = "Safe-chain: Exiting without installing malicious packages.";
+  if (!isCi()) {
+    message = chalk.red(message);
+  }
+  writeOrBuffer(() => console.error(message));
+}
+
+/**
+ * @param {string} message
+ * @param {...any} optionalParams
+ * @returns {void}
+ */
+function writeVerbose(message, ...optionalParams) {
+  if (!isVerboseMode()) return;
+
+  writeOrBuffer(() => console.log(message, ...optionalParams));
+}
+
+/**
+ *
+ * @param {() => void} messageFunction
+ */
+function writeOrBuffer(messageFunction) {
+  if (state.bufferOutput) {
+    state.bufferedMessages.push(messageFunction);
+  } else {
+    messageFunction();
+  }
+}
+
+function startBufferingLogs() {
+  state.bufferOutput = true;
+  state.bufferedMessages = [];
+}
+
+function writeBufferedLogsAndStopBuffering() {
+  state.bufferOutput = false;
+  for (const log of state.bufferedMessages) {
+    log();
+  }
+  state.bufferedMessages = [];
+}
+
+export const ui = {
+  writeVerbose,
+  writeInformation,
+  writeWarning,
+  writeError,
+  writeExitWithoutInstallingMaliciousPackages,
+  emptyLine,
+  startBufferingLogs,
+  writeBufferedLogsAndStopBuffering,
+};