npm - @aikidosec/safe-chain - Versions diffs - 0.0.4-connect-timeout-beta - Mend

@aikidosec/safe-chain 0.0.4-connect-timeout-beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (94) hide show

package/LICENSE +674 -0
package/README.md +257 -0
package/bin/aikido-bun.js +14 -0
package/bin/aikido-bunx.js +14 -0
package/bin/aikido-npm.js +14 -0
package/bin/aikido-npx.js +14 -0
package/bin/aikido-pip.js +20 -0
package/bin/aikido-pip3.js +21 -0
package/bin/aikido-pnpm.js +14 -0
package/bin/aikido-pnpx.js +14 -0
package/bin/aikido-python.js +30 -0
package/bin/aikido-python3.js +30 -0
package/bin/aikido-uv.js +16 -0
package/bin/aikido-yarn.js +14 -0
package/bin/safe-chain.js +190 -0
package/docs/banner.svg +151 -0
package/docs/npm-to-binary-migration.md +89 -0
package/docs/safe-package-manager-demo.gif +0 -0
package/docs/safe-package-manager-demo.png +0 -0
package/docs/shell-integration.md +149 -0
package/package.json +68 -0
package/src/api/aikido.js +54 -0
package/src/api/npmApi.js +71 -0
package/src/config/cliArguments.js +138 -0
package/src/config/configFile.js +192 -0
package/src/config/environmentVariables.js +7 -0
package/src/config/settings.js +100 -0
package/src/environment/environment.js +14 -0
package/src/environment/userInteraction.js +122 -0
package/src/main.js +104 -0
package/src/packagemanager/_shared/matchesCommand.js +18 -0
package/src/packagemanager/bun/createBunPackageManager.js +53 -0
package/src/packagemanager/currentPackageManager.js +72 -0
package/src/packagemanager/npm/createPackageManager.js +72 -0
package/src/packagemanager/npm/dependencyScanner/commandArgumentScanner.js +74 -0
package/src/packagemanager/npm/dependencyScanner/nullScanner.js +9 -0
package/src/packagemanager/npm/parsing/parsePackagesFromInstallArgs.js +144 -0
package/src/packagemanager/npm/runNpmCommand.js +25 -0
package/src/packagemanager/npm/utils/abbrevs-generated.js +359 -0
package/src/packagemanager/npm/utils/cmd-list.js +174 -0
package/src/packagemanager/npm/utils/npmCommands.js +34 -0
package/src/packagemanager/npx/createPackageManager.js +15 -0
package/src/packagemanager/npx/dependencyScanner/commandArgumentScanner.js +43 -0
package/src/packagemanager/npx/parsing/parsePackagesFromArguments.js +130 -0
package/src/packagemanager/npx/runNpxCommand.js +25 -0
package/src/packagemanager/pip/createPackageManager.js +21 -0
package/src/packagemanager/pip/pipSettings.js +30 -0
package/src/packagemanager/pip/runPipCommand.js +175 -0
package/src/packagemanager/pnpm/createPackageManager.js +57 -0
package/src/packagemanager/pnpm/dependencyScanner/commandArgumentScanner.js +35 -0
package/src/packagemanager/pnpm/parsing/parsePackagesFromArguments.js +109 -0
package/src/packagemanager/pnpm/runPnpmCommand.js +36 -0
package/src/packagemanager/uv/createUvPackageManager.js +18 -0
package/src/packagemanager/uv/runUvCommand.js +71 -0
package/src/packagemanager/yarn/createPackageManager.js +41 -0
package/src/packagemanager/yarn/dependencyScanner/commandArgumentScanner.js +35 -0
package/src/packagemanager/yarn/parsing/parsePackagesFromArguments.js +128 -0
package/src/packagemanager/yarn/runYarnCommand.js +41 -0
package/src/registryProxy/certBundle.js +95 -0
package/src/registryProxy/certUtils.js +128 -0
package/src/registryProxy/http-utils.js +17 -0
package/src/registryProxy/interceptors/createInterceptorForEcoSystem.js +25 -0
package/src/registryProxy/interceptors/interceptorBuilder.js +140 -0
package/src/registryProxy/interceptors/npm/modifyNpmInfo.js +177 -0
package/src/registryProxy/interceptors/npm/npmInterceptor.js +47 -0
package/src/registryProxy/interceptors/npm/parseNpmPackageUrl.js +43 -0
package/src/registryProxy/interceptors/pipInterceptor.js +115 -0
package/src/registryProxy/mitmRequestHandler.js +231 -0
package/src/registryProxy/plainHttpProxy.js +95 -0
package/src/registryProxy/registryProxy.js +184 -0
package/src/registryProxy/tunnelRequestHandler.js +180 -0
package/src/scanning/audit/index.js +129 -0
package/src/scanning/index.js +82 -0
package/src/scanning/malwareDatabase.js +131 -0
package/src/shell-integration/helpers.js +213 -0
package/src/shell-integration/path-wrappers/templates/unix-wrapper.template.sh +22 -0
package/src/shell-integration/path-wrappers/templates/windows-wrapper.template.cmd +24 -0
package/src/shell-integration/setup-ci.js +170 -0
package/src/shell-integration/setup.js +127 -0
package/src/shell-integration/shellDetection.js +37 -0
package/src/shell-integration/startup-scripts/include-python/init-fish.fish +94 -0
package/src/shell-integration/startup-scripts/include-python/init-posix.sh +81 -0
package/src/shell-integration/startup-scripts/include-python/init-pwsh.ps1 +115 -0
package/src/shell-integration/startup-scripts/init-fish.fish +71 -0
package/src/shell-integration/startup-scripts/init-posix.sh +58 -0
package/src/shell-integration/startup-scripts/init-pwsh.ps1 +92 -0
package/src/shell-integration/supported-shells/bash.js +134 -0
package/src/shell-integration/supported-shells/fish.js +77 -0
package/src/shell-integration/supported-shells/powershell.js +73 -0
package/src/shell-integration/supported-shells/windowsPowershell.js +73 -0
package/src/shell-integration/supported-shells/zsh.js +74 -0
package/src/shell-integration/teardown.js +64 -0
package/src/utils/safeSpawn.js +137 -0
package/tsconfig.json +21 -0

package/src/main.js ADDED Viewed

@@ -0,0 +1,104 @@
+#!/usr/bin/env node
+import { scanCommand, shouldScanCommand } from "./scanning/index.js";
+import { ui } from "./environment/userInteraction.js";
+import { getPackageManager } from "./packagemanager/currentPackageManager.js";
+import { initializeCliArguments } from "./config/cliArguments.js";
+import { createSafeChainProxy } from "./registryProxy/registryProxy.js";
+import chalk from "chalk";
+import { getAuditStats } from "./scanning/audit/index.js";
+/**
+ * @param {string[]} args
+ * @returns {Promise<number>}
+ */
+export async function main(args) {
+  process.on("SIGINT", handleProcessTermination);
+  process.on("SIGTERM", handleProcessTermination);
+  const proxy = createSafeChainProxy();
+  await proxy.startServer();
+  // Global error handlers to log unhandled errors
+  process.on("uncaughtException", (error) => {
+    ui.writeError(`Safe-chain: Uncaught exception: ${error.message}`);
+    ui.writeVerbose(`Stack trace: ${error.stack}`);
+    process.exit(1);
+  });
+  process.on("unhandledRejection", (reason) => {
+    ui.writeError(`Safe-chain: Unhandled promise rejection: ${reason}`);
+    if (reason instanceof Error) {
+      ui.writeVerbose(`Stack trace: ${reason.stack}`);
+    }
+    process.exit(1);
+  });
+  try {
+    // This parses all the --safe-chain arguments and removes them from the args array
+    args = initializeCliArguments(args);
+    if (shouldScanCommand(args)) {
+      const commandScanResult = await scanCommand(args);
+      // Returning the exit code back to the caller allows the promise
+      //  to be awaited in the bin files and return the correct exit code
+      if (commandScanResult !== 0) {
+        return commandScanResult;
+      }
+    }
+    // Buffer logs during package manager execution, this avoids interleaving
+    //  of logs from the package manager and safe-chain
+    // Not doing this could cause bugs to disappear when cursor movement codes
+    //  are written by the package manager while safe-chain is writing logs
+    ui.startBufferingLogs();
+    const packageManagerResult = await getPackageManager().runCommand(args);
+    // Write all buffered logs
+    ui.writeBufferedLogsAndStopBuffering();
+    if (!proxy.verifyNoMaliciousPackages()) {
+      return 1;
+    }
+    const auditStats = getAuditStats();
+    if (auditStats.totalPackages > 0) {
+      ui.emptyLine();
+      ui.writeInformation(
+        `${chalk.green("✔")} Safe-chain: Scanned ${
+          auditStats.totalPackages
+        } packages, no malware found.`
+      );
+    }
+    if (proxy.hasSuppressedVersions()) {
+      ui.writeInformation(
+        `${chalk.yellow(
+          "ℹ"
+        )} Safe-chain: Some package versions were suppressed due to minimum age requirement.`
+      );
+      ui.writeInformation(
+        `  To disable this check, use: ${chalk.cyan(
+          "--safe-chain-skip-minimum-package-age"
+        )}`
+      );
+    }
+    // Returning the exit code back to the caller allows the promise
+    //  to be awaited in the bin files and return the correct exit code
+    return packageManagerResult.status;
+  } catch (/** @type any */ error) {
+    ui.writeError("Failed to check for malicious packages:", error.message);
+    // Returning the exit code back to the caller allows the promise
+    //  to be awaited in the bin files and return the correct exit code
+    return 1;
+  } finally {
+    await proxy.stopServer();
+  }
+}
+function handleProcessTermination() {
+  ui.writeBufferedLogsAndStopBuffering();
+}

package/src/packagemanager/_shared/matchesCommand.js ADDED Viewed

@@ -0,0 +1,18 @@
+/**
+ * @param {string[]} args
+ * @param {...string} commandArgs
+ * @returns {boolean}
+ */
+export function matchesCommand(args, ...commandArgs) {
+  if (args.length < commandArgs.length) {
+    return false;
+  }
+  for (var i = 0; i < commandArgs.length; i++) {
+    if (args[i].toLowerCase() !== commandArgs[i].toLowerCase()) {
+      return false;
+    }
+  }
+  return true;
+}

package/src/packagemanager/bun/createBunPackageManager.js ADDED Viewed

@@ -0,0 +1,53 @@
+import { ui } from "../../environment/userInteraction.js";
+import { safeSpawn } from "../../utils/safeSpawn.js";
+import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createBunPackageManager() {
+  return {
+    runCommand: (args) => runBunCommand("bun", args),
+    // For bun, we use the proxy-only approach to block package downloads,
+    // so we don't need to analyze commands.
+    isSupportedCommand: () => false,
+    getDependencyUpdatesForCommand: () => [],
+  };
+}
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createBunxPackageManager() {
+  return {
+    runCommand: (args) => runBunCommand("bunx", args),
+    // For bunx, we use the proxy-only approach to block package downloads,
+    // so we don't need to analyze commands.
+    isSupportedCommand: () => false,
+    getDependencyUpdatesForCommand: () => [],
+  };
+}
+/**
+ * @param {string} command
+ * @param {string[]} args
+ * @returns {Promise<{status: number}>}
+ */
+async function runBunCommand(command, args) {
+  try {
+    const result = await safeSpawn(command, args, {
+      stdio: "inherit",
+      env: mergeSafeChainProxyEnvironmentVariables(process.env),
+    });
+    return { status: result.status };
+  } catch (/** @type any */ error) {
+    if (error.status) {
+      return { status: error.status };
+    } else {
+      ui.writeError("Error executing command:", error.message);
+      return { status: 1 };
+    }
+  }
+}

package/src/packagemanager/currentPackageManager.js ADDED Viewed

@@ -0,0 +1,72 @@
+import {
+  createBunPackageManager,
+  createBunxPackageManager,
+} from "./bun/createBunPackageManager.js";
+import { createNpmPackageManager } from "./npm/createPackageManager.js";
+import { createNpxPackageManager } from "./npx/createPackageManager.js";
+import {
+  createPnpmPackageManager,
+  createPnpxPackageManager,
+} from "./pnpm/createPackageManager.js";
+import { createYarnPackageManager } from "./yarn/createPackageManager.js";
+import { createPipPackageManager } from "./pip/createPackageManager.js";
+import { createUvPackageManager } from "./uv/createUvPackageManager.js";
+/**
+ * @type {{packageManagerName: PackageManager | null}}
+ */
+const state = {
+  packageManagerName: null,
+};
+/**
+ * @typedef {Object} GetDependencyUpdatesResult
+ * @property {string} name
+ * @property {string} version
+ * @property {string} type
+ */
+/**
+ * @typedef {Object} PackageManager
+ * @property {(args: string[]) => Promise<{ status: number }>} runCommand
+ * @property {(args: string[]) => boolean} isSupportedCommand
+ * @property {(args: string[]) => Promise<GetDependencyUpdatesResult[]> | GetDependencyUpdatesResult[]} getDependencyUpdatesForCommand
+ */
+/**
+ * @param {string} packageManagerName
+ *
+ * @return {PackageManager}
+ */
+export function initializePackageManager(packageManagerName) {
+  if (packageManagerName === "npm") {
+    state.packageManagerName = createNpmPackageManager();
+  } else if (packageManagerName === "npx") {
+    state.packageManagerName = createNpxPackageManager();
+  } else if (packageManagerName === "yarn") {
+    state.packageManagerName = createYarnPackageManager();
+  } else if (packageManagerName === "pnpm") {
+    state.packageManagerName = createPnpmPackageManager();
+  } else if (packageManagerName === "pnpx") {
+    state.packageManagerName = createPnpxPackageManager();
+  } else if (packageManagerName === "bun") {
+    state.packageManagerName = createBunPackageManager();
+  } else if (packageManagerName === "bunx") {
+    state.packageManagerName = createBunxPackageManager();
+  } else if (packageManagerName === "pip") {
+    state.packageManagerName = createPipPackageManager();
+  } else if (packageManagerName === "uv") {
+    state.packageManagerName = createUvPackageManager();
+  } else {
+    throw new Error("Unsupported package manager: " + packageManagerName);
+  }
+  return state.packageManagerName;
+}
+export function getPackageManager() {
+  if (!state.packageManagerName) {
+    throw new Error("Package manager not initialized.");
+  }
+  return state.packageManagerName;
+}

package/src/packagemanager/npm/createPackageManager.js ADDED Viewed

@@ -0,0 +1,72 @@
+import { commandArgumentScanner } from "./dependencyScanner/commandArgumentScanner.js";
+import { nullScanner } from "./dependencyScanner/nullScanner.js";
+import { runNpm } from "./runNpmCommand.js";
+import {
+  getNpmCommandForArgs,
+  npmInstallCommand,
+  npmUpdateCommand,
+  npmExecCommand,
+} from "./utils/npmCommands.js";
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createNpmPackageManager() {
+  /**
+   * @param {string[]} args
+   *
+   * @returns {boolean}
+   */
+  function isSupportedCommand(args) {
+    const scanner = findDependencyScannerForCommand(
+      commandScannerMapping,
+      args
+    );
+    return scanner.shouldScan(args);
+  }
+  /**
+   * @param {string[]} args
+   *
+   * @returns {ReturnType<import("../currentPackageManager.js").PackageManager["getDependencyUpdatesForCommand"]>}
+   */
+  function getDependencyUpdatesForCommand(args) {
+    const scanner = findDependencyScannerForCommand(
+      commandScannerMapping,
+      args
+    );
+    return scanner.scan(args);
+  }
+  return {
+    runCommand: runNpm,
+    isSupportedCommand,
+    getDependencyUpdatesForCommand,
+  };
+}
+/**
+ * @type {Record<string, import("./dependencyScanner/commandArgumentScanner.js").CommandArgumentScanner>}
+ */
+const commandScannerMapping = {
+  [npmInstallCommand]: commandArgumentScanner(),
+  [npmUpdateCommand]: commandArgumentScanner(),
+  [npmExecCommand]: commandArgumentScanner({ ignoreDryRun: true }), // exec command doesn't support dry-run
+};
+/**
+ *
+ * @param {Record<string, import("./dependencyScanner/commandArgumentScanner.js").CommandArgumentScanner>} scanners
+ * @param {string[]} args
+ *
+ * @returns {import("./dependencyScanner/commandArgumentScanner.js").CommandArgumentScanner}
+ */
+function findDependencyScannerForCommand(scanners, args) {
+  const command = getNpmCommandForArgs(args);
+  if (!command) {
+    return nullScanner();
+  }
+  const scanner = scanners[command];
+  return scanner ? scanner : nullScanner();
+}

package/src/packagemanager/npm/dependencyScanner/commandArgumentScanner.js ADDED Viewed

@@ -0,0 +1,74 @@
+import { resolvePackageVersion } from "../../../api/npmApi.js";
+import { parsePackagesFromInstallArgs } from "../parsing/parsePackagesFromInstallArgs.js";
+import { hasDryRunArg } from "../utils/npmCommands.js";
+/**
+ * @typedef {Object} ScanResult
+ * @property {string} name
+ * @property {string} version
+ * @property {string} type
+ */
+/**
+ * @typedef {Object} ScannerOptions
+ * @property {boolean} [ignoreDryRun]
+ */
+/**
+ * @typedef {Object} CommandArgumentScanner
+ * @property {(args: string[]) => Promise<ScanResult[]> | ScanResult[]} scan
+ * @property {(args: string[]) => boolean} shouldScan
+ */
+/**
+ * @param {ScannerOptions} [opts]
+ *
+ * @returns {CommandArgumentScanner}
+ */
+export function commandArgumentScanner(opts) {
+  const ignoreDryRun = opts?.ignoreDryRun ?? false;
+  return {
+    scan: (args) => scanDependencies(args),
+    shouldScan: (args) => shouldScanDependencies(args, ignoreDryRun),
+  };
+}
+/**
+ * @param {string[]} args
+ * @returns {Promise<ScanResult[]>}
+ */
+function scanDependencies(args) {
+  return checkChangesFromArgs(args);
+}
+/**
+ * @param {string[]} args
+ * @param {boolean} ignoreDryRun
+ * @returns {boolean}
+ */
+function shouldScanDependencies(args, ignoreDryRun) {
+  return ignoreDryRun || !hasDryRunArg(args);
+}
+/**
+ * @param {string[]} args
+ * @returns {Promise<ScanResult[]>}
+ */
+export async function checkChangesFromArgs(args) {
+  const changes = [];
+  const packageUpdates = parsePackagesFromInstallArgs(args);
+  for (const packageUpdate of packageUpdates) {
+    var exactVersion = await resolvePackageVersion(
+      packageUpdate.name,
+      packageUpdate.version
+    );
+    if (exactVersion) {
+      packageUpdate.version = exactVersion;
+    }
+    changes.push({ ...packageUpdate, type: "add" });
+  }
+  return changes;
+}

package/src/packagemanager/npm/dependencyScanner/nullScanner.js ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * @returns {import("./commandArgumentScanner.js").CommandArgumentScanner}
+ */
+export function nullScanner() {
+  return {
+    scan: () => [],
+    shouldScan: () => false,
+  };
+}

package/src/packagemanager/npm/parsing/parsePackagesFromInstallArgs.js ADDED Viewed

@@ -0,0 +1,144 @@
+/**
+ * @typedef {Object} PackageDetail
+ * @property {string} name
+ * @property {string} version
+ */
+/**
+ * @typedef {Object} NpmOption
+ * @property {string} name
+ * @property {number} numberOfParameters
+ */
+/**
+ * @param {string[]} args
+ * @returns {PackageDetail[]}
+ */
+export function parsePackagesFromInstallArgs(args) {
+  /** @type {{name: string, version: string | null}[]} */
+  const changes  = [];
+  let defaultTag = "latest";
+  // Skip first argument (install command)
+  for (let i = 1; i < args.length; i++) {
+    const arg = args[i];
+    const npmOption = getNpmOption(arg);
+    if (npmOption) {
+      // If the option has a parameter, skip the next argument as well
+      i += npmOption.numberOfParameters;
+      // it a tag is specified, set the default tag
+      if (npmOption.name === "--tag") {
+        defaultTag = args[i];
+      }
+      continue;
+    }
+    const packageDetails = parsePackagename(arg);
+    if (packageDetails) {
+      changes.push(packageDetails);
+      continue;
+    }
+  }
+  for (const change of changes) {
+    if (!change.version) {
+      change.version = defaultTag;
+    }
+  }
+  return /** @type {PackageDetail[]} */ (changes);
+}
+/**
+ * @param {string} arg
+ * @returns {NpmOption | undefined}
+ */
+function getNpmOption(arg) {
+  if (isNpmOptionWithParameter(arg)) {
+    return {
+      name: arg,
+      numberOfParameters: 1,
+    };
+  }
+  // Arguments starting with "-" or "--" are considered npm options
+  if (arg.startsWith("-")) {
+    return {
+      name: arg,
+      numberOfParameters: 0,
+    };
+  }
+  return undefined;
+}
+/**
+ * @param {string} arg
+ * @returns {boolean}
+ */
+function isNpmOptionWithParameter(arg) {
+  const optionsWithParameters = [
+    "--access",
+    "--auth-type",
+    "--cache",
+    "--fetch-retries",
+    "--fetch-retry-mintimeout",
+    "--fetch-retry-maxtimeout",
+    "--fetch-retry-factor",
+    "--fetch-timeout",
+    "--https-proxy",
+    "--include",
+    "--location",
+    "--lockfile-version",
+    "--loglevel",
+    "--omit",
+    "--proxy",
+    "--registry",
+    "--replace-registry-host",
+    "--tag",
+    "--user-config",
+    "--workspace",
+  ];
+  return optionsWithParameters.includes(arg);
+}
+/**
+ * @param {string} arg
+ * @returns {{name: string, version: string | null}}
+ */
+function parsePackagename(arg) {
+  arg = removeAlias(arg);
+  const lastAtIndex = arg.lastIndexOf("@");
+  let name, version;
+  // The index of the last "@" should be greater than 0
+  // If the index is 0, it means the package name starts with "@" (eg: "@vercel/otel")
+  if (lastAtIndex > 0) {
+    name = arg.slice(0, lastAtIndex);
+    version = arg.slice(lastAtIndex + 1);
+  } else {
+    name = arg;
+    version = null;
+  }
+  return {
+    name,
+    version,
+  };
+}
+/**
+ * @param {string} arg
+ * @returns {string}
+ */
+function removeAlias(arg) {
+  const aliasIndex = arg.indexOf("@npm:");
+  if (aliasIndex !== -1) {
+    return arg.slice(aliasIndex + 5);
+  }
+  return arg;
+}

package/src/packagemanager/npm/runNpmCommand.js ADDED Viewed

@@ -0,0 +1,25 @@
+import { ui } from "../../environment/userInteraction.js";
+import { safeSpawn } from "../../utils/safeSpawn.js";
+import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+/**
+ * @param {string[]} args
+ *
+ * @returns {Promise<{status: number}>}
+ */
+export async function runNpm(args) {
+  try {
+    const result = await safeSpawn("npm", args, {
+      stdio: "inherit",
+      env: mergeSafeChainProxyEnvironmentVariables(process.env),
+    });
+    return { status: result.status };
+  } catch (/** @type any */ error) {
+    if (error.status) {
+      return { status: error.status };
+    } else {
+      ui.writeError("Error executing command:", error.message);
+      return { status: 1 };
+    }
+  }
+}