@aikidosec/safe-chain 0.0.4-connect-timeout-beta

package/src/packagemanager/npx/parsing/parsePackagesFromArguments.js

@@ -0,0 +1,130 @@
+/**
+ * @param {string[]} args
+ *
+ * @returns {{name: string, version: string}[]}
+ */
+export function parsePackagesFromArguments(args) {
+  let defaultTag = "latest";
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    const option = getOption(arg);
+
+    if (option) {
+      // If the option has a parameter, skip the next argument as well
+      i += option.numberOfParameters;
+
+      continue;
+    }
+
+    const packageDetails = parsePackagename(arg, defaultTag);
+    if (packageDetails) {
+      return [packageDetails];
+    }
+  }
+
+  return [];
+}
+
+/**
+ * @param {string} arg
+ * @returns {{name: string, numberOfParameters: number} | undefined}
+ */
+function getOption(arg) {
+  if (isOptionWithParameter(arg)) {
+    return {
+      name: arg,
+      numberOfParameters: 1,
+    };
+  }
+
+  // Arguments starting with "-" or "--" are considered options
+  // except for "--package=" which contains the package name
+  if (arg.startsWith("-") && !arg.startsWith("--package=")) {
+    return {
+      name: arg,
+      numberOfParameters: 0,
+    };
+  }
+
+  return undefined;
+}
+
+/**
+ * @param {string} arg
+ * @returns {boolean}
+ */
+function isOptionWithParameter(arg) {
+  const optionsWithParameters = [
+    "--access",
+    "--auth-type",
+    "--cache",
+    "--fetch-retries",
+    "--fetch-retry-mintimeout",
+    "--fetch-retry-maxtimeout",
+    "--fetch-retry-factor",
+    "--fetch-timeout",
+    "--https-proxy",
+    "--include",
+    "--location",
+    "--lockfile-version",
+    "--loglevel",
+    "--omit",
+    "--proxy",
+    "--registry",
+    "--replace-registry-host",
+    "--tag",
+    "--user-config",
+    "--workspace",
+  ];
+
+  return optionsWithParameters.includes(arg);
+}
+
+/**
+ * @param {string} arg
+ * @param {string} defaultTag
+ * @returns {{name: string, version: string}}
+ */
+function parsePackagename(arg, defaultTag) {
+  // format can be --package=name@version
+  // in that case, we need to remove the --package= part
+  if (arg.startsWith("--package=")) {
+    arg = arg.slice(10);
+  }
+
+  arg = removeAlias(arg);
+
+  // Split at the last "@" to separate the package name and version
+  const lastAtIndex = arg.lastIndexOf("@");
+
+  let name, version;
+  // The index of the last "@" should be greater than 0
+  // If the index is 0, it means the package name starts with "@" (eg: "@vercel/otel")
+  if (lastAtIndex > 0) {
+    name = arg.slice(0, lastAtIndex);
+    version = arg.slice(lastAtIndex + 1);
+  } else {
+    name = arg;
+    version = defaultTag; // No tag specified (eg: "http-server"), use the default tag
+  }
+
+  return {
+    name,
+    version,
+  };
+}
+
+/**
+ * @param {string} arg
+ * @returns {string}
+ */
+function removeAlias(arg) {
+  // removes the alias.
+  // Eg.: server@npm:http-server@latest becomes http-server@latest
+  const aliasIndex = arg.indexOf("@npm:");
+  if (aliasIndex !== -1) {
+    return arg.slice(aliasIndex + 5);
+  }
+  return arg;
+}

package/src/packagemanager/npx/runNpxCommand.js

@@ -0,0 +1,25 @@
+import { ui } from "../../environment/userInteraction.js";
+import { safeSpawn } from "../../utils/safeSpawn.js";
+import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+
+/**
+ * @param {string[]} args
+ *
+ * @returns {Promise<{status: number}>}
+ */
+export async function runNpx(args) {
+  try {
+    const result = await safeSpawn("npx", args, {
+      stdio: "inherit",
+      env: mergeSafeChainProxyEnvironmentVariables(process.env),
+    });
+    return { status: result.status };
+  } catch (/** @type any */ error) {
+    if (error.status) {
+      return { status: error.status };
+    } else {
+      ui.writeError("Error executing command:", error.message);
+      return { status: 1 };
+    }
+  }
+}

package/src/packagemanager/pip/createPackageManager.js

@@ -0,0 +1,21 @@
+import { runPip } from "./runPipCommand.js";
+import { getCurrentPipInvocation } from "./pipSettings.js";
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createPipPackageManager() {
+  return {
+    /**
+     * @param {string[]} args
+     */
+    runCommand: (args) => {
+      const invocation = getCurrentPipInvocation();
+      const fullArgs = [...invocation.args, ...args];
+      return runPip(invocation.command, fullArgs);
+    },
+    // For pip, rely solely on MITM proxy to detect/deny downloads from known registries.
+    isSupportedCommand: () => false,
+    getDependencyUpdatesForCommand: () => [],
+  };
+}
+

package/src/packagemanager/pip/pipSettings.js

@@ -0,0 +1,30 @@
+export const PIP_PACKAGE_MANAGER = "pip";
+
+// All supported python/pip invocations for Safe Chain interception
+export const PIP_INVOCATIONS = {
+  PIP: { command: "pip", args: [] },
+  PIP3: { command: "pip3", args: [] },
+  PY_PIP: { command: "python", args: ["-m", "pip"] },
+  PY3_PIP: { command: "python3", args: ["-m", "pip"] },
+  PY_PIP3: { command: "python", args: ["-m", "pip3"] },
+  PY3_PIP3: { command: "python3", args: ["-m", "pip3"] }
+};
+
+/**
+ * @type {{ command: string, args: string[] }}
+ */
+let currentInvocation = PIP_INVOCATIONS.PY3_PIP; // Default to python3 -m pip
+
+/**
+ * @param {{ command: string, args: string[] }} invocation
+ */
+export function setCurrentPipInvocation(invocation) {
+  currentInvocation = invocation;
+}
+
+/**
+ * @returns {{ command: string, args: string[] }}
+ */
+export function getCurrentPipInvocation() {
+  return currentInvocation;
+}

package/src/packagemanager/pip/runPipCommand.js

@@ -0,0 +1,175 @@
+import { ui } from "../../environment/userInteraction.js";
+import { safeSpawn } from "../../utils/safeSpawn.js";
+import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+import { getCombinedCaBundlePath } from "../../registryProxy/certBundle.js";
+import fs from "node:fs/promises";
+import fsSync from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import ini from "ini";
+
+/**
+ * Sets fallback CA bundle environment variables used by Python libraries.
+ * These are applied in addition to the PIP_CONFIG_FILE to ensure all Python
+ * network libraries respect the combined CA bundle, even if they don't read pip's config.
+ * 
+ * @param {NodeJS.ProcessEnv} env - Environment object to modify
+ * @param {string} combinedCaPath - Path to the combined CA bundle
+ */
+function setFallbackCaBundleEnvironmentVariables(env, combinedCaPath) {
+  // REQUESTS_CA_BUNDLE: Used by the popular 'requests' library
+  if (env.REQUESTS_CA_BUNDLE) {
+    ui.writeWarning("Safe-chain: User defined REQUESTS_CA_BUNDLE found in environment. It will be overwritten.");
+  }
+  env.REQUESTS_CA_BUNDLE = combinedCaPath;
+
+  // SSL_CERT_FILE: Used by some Python SSL libraries and urllib
+  if (env.SSL_CERT_FILE) {
+    ui.writeWarning("Safe-chain: User defined SSL_CERT_FILE found in environment. It will be overwritten.");
+  }
+  env.SSL_CERT_FILE = combinedCaPath;
+
+  // PIP_CERT: Pip's own environment variable for certificate verification
+  if (env.PIP_CERT) {
+    ui.writeWarning("Safe-chain: User defined PIP_CERT found in environment. It will be overwritten.");
+  }
+  env.PIP_CERT = combinedCaPath;
+}
+
+/**
+ * Runs a pip command with safe-chain's certificate bundle and proxy configuration.
+ * 
+ * Creates a temporary pip config file to configure:
+ * - Cert bundle for HTTPS verification
+ * - Proxy settings
+ * 
+ * If the user has an existing PIP_CONFIG_FILE, a new temporary config is created that merges
+ * their settings with safe-chain's, leaving the original file unchanged.
+ * 
+ * Special handling for commands that modify config/cache/state: PIP_CONFIG_FILE is NOT overridden to allow
+ * users to read/write persistent config. Only CA environment variables are set for these commands.
+ * 
+ * @param {string} command - The pip command to execute (e.g., 'pip3')
+ * @param {string[]} args - Command line arguments to pass to pip
+ * @returns {Promise<{status: number}>} Exit status of the pip command
+ */
+export async function runPip(command, args) {
+  try {
+    const env = mergeSafeChainProxyEnvironmentVariables(process.env);
+
+    // Always provide Python with a complete CA bundle (Safe Chain CA + Mozilla + Node built-in roots)
+    // so that any network request made by pip, including those outside explicit CLI args,
+    // validates correctly under both MITM'd and tunneled HTTPS.
+    const combinedCaPath = getCombinedCaBundlePath();
+
+    // Commands that need access to persistent config/cache/state files
+    // These should not have PIP_CONFIG_FILE overridden as it would prevent them from
+    // reading/writing to the user's actual pip configuration and cache directories
+    const configRelatedCommands = ['config', 'cache', 'debug', 'completion'];
+    const isConfigRelatedCommand = args.length > 0 && configRelatedCommands.includes(args[0]);
+
+    // https://pip.pypa.io/en/stable/topics/https-certificates/ explains that the 'cert' param (which we're providing via INI file)
+    // will tell pip to use the provided CA bundle for HTTPS verification.
+
+    // Proxy settings: GLOBAL_AGENT_HTTP_PROXY is our safe-chain proxy (if active),
+    // otherwise fall back to user-defined HTTPS_PROXY or HTTP_PROXY environment variables
+    const proxy = env.GLOBAL_AGENT_HTTP_PROXY || env.HTTPS_PROXY || env.HTTP_PROXY || '';
+
+    const tmpDir = os.tmpdir();
+    const pipConfigPath = path.join(tmpDir, `safe-chain-pip-${Date.now()}.ini`);
+    let cleanupConfigPath = null; // Track temp file for cleanup
+
+    if (isConfigRelatedCommand) {
+      ui.writeVerbose(`Safe-chain: Skipping PIP_CONFIG_FILE override for 'pip ${args[0]}' command to allow persistent config/cache access.`);
+      
+      // Still set the fallback CA bundle environment variables to avoid edge cases where a 
+      // plugin or extension triggers a network call during config introspection
+      // This can do no harm
+      setFallbackCaBundleEnvironmentVariables(env, combinedCaPath);
+      
+      const result = await safeSpawn(command, args, {
+        stdio: "inherit",
+        env,
+      });
+
+      return { status: result.status };
+    }
+
+    // Note: Setting PIP_CONFIG_FILE overrides all pip config levels (Global/User/Site) per pip's loading order
+    if (!env.PIP_CONFIG_FILE) {
+      /** @type {{ global: { cert: string, proxy?: string } }} */
+      const configObj = { global: { cert: combinedCaPath } };
+      if (proxy) {
+        configObj.global.proxy = proxy;
+      }
+      const pipConfig = ini.stringify(configObj);
+      await fs.writeFile(pipConfigPath, pipConfig);
+      env.PIP_CONFIG_FILE = pipConfigPath;
+      cleanupConfigPath = pipConfigPath;
+
+    } else if (fsSync.existsSync(env.PIP_CONFIG_FILE)) {
+      ui.writeVerbose("Safe-chain: Merging user provided PIP_CONFIG_FILE with safe-chain certificate and proxy settings.");
+      const userConfig = env.PIP_CONFIG_FILE;
+
+      // Read the existing config without modifying it
+      let content = await fs.readFile(userConfig, "utf-8");
+      const parsed = ini.parse(content);
+
+      // Ensure [global] section exists
+      parsed.global = parsed.global || {};
+
+      // Cert
+      if (typeof parsed.global.cert !== "undefined") {
+        ui.writeWarning("Safe-chain: User defined cert found in PIP_CONFIG_FILE. It will be overwritten in the temporary config.");
+      }
+      parsed.global.cert = combinedCaPath;
+
+      // Proxy
+      if (typeof parsed.global.proxy !== "undefined") {
+        ui.writeWarning("Safe-chain: User defined proxy found in PIP_CONFIG_FILE. It will be overwritten in the temporary config.");
+      }
+      if (proxy) {
+        parsed.global.proxy = proxy;
+      }
+ 
+      const updated = ini.stringify(parsed);
+
+      // Save to a new temp file to avoid overwriting user's original config
+      await fs.writeFile(pipConfigPath, updated, "utf-8");
+      env.PIP_CONFIG_FILE = pipConfigPath;
+      cleanupConfigPath = pipConfigPath;
+
+    } else {
+      // The user provided PIP_CONFIG_FILE does not exist on disk
+      // PIP will handle this as an error and inform the user
+    }
+
+    // Set fallback CA bundle environment variables for Python libraries that don't read pip config
+    setFallbackCaBundleEnvironmentVariables(env, combinedCaPath);
+
+    const result = await safeSpawn(command, args, {
+      stdio: "inherit",
+      env,
+    });
+
+    // Cleanup temporary config file if we created one
+    if (cleanupConfigPath) {
+      try {
+        await fs.unlink(cleanupConfigPath);
+      } catch {
+        // Ignore cleanup errors - the file may have already been deleted or is inaccessible
+        // Temp files in os.tmpdir() may eventually be cleaned by the OS, but timing varies by platform
+      }
+    }
+
+    return { status: result.status };
+  } catch (/** @type any */ error) {
+    if (error.status) {
+      return { status: error.status };
+    } else {
+      ui.writeError(`Error executing command: ${error.message}`);
+      ui.writeError(`Is '${command}' installed and available on your system?`);
+      return { status: 1 };
+    }
+  }
+}

package/src/packagemanager/pnpm/createPackageManager.js

@@ -0,0 +1,57 @@
+import { matchesCommand } from "../_shared/matchesCommand.js";
+import { commandArgumentScanner } from "./dependencyScanner/commandArgumentScanner.js";
+import { runPnpmCommand } from "./runPnpmCommand.js";
+
+const scanner = commandArgumentScanner();
+
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createPnpmPackageManager() {
+  return {
+    runCommand: (args) => runPnpmCommand(args, "pnpm"),
+    isSupportedCommand: (args) =>
+      matchesCommand(args, "add") ||
+      matchesCommand(args, "update") ||
+      matchesCommand(args, "upgrade") ||
+      matchesCommand(args, "up") ||
+      matchesCommand(args, "install") ||
+      matchesCommand(args, "i") ||
+      // dlx does not always come in the first position
+      // eg: pnpm --package=yo --package=generator-webapp dlx yo webapp
+      // documentation: https://pnpm.io/cli/dlx#--package-name
+      args.includes("dlx"),
+    getDependencyUpdatesForCommand: (args) =>
+      getDependencyUpdatesForCommand(args, false),
+  };
+}
+
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createPnpxPackageManager() {
+  return {
+    runCommand: (args) => runPnpmCommand(args, "pnpx"),
+    isSupportedCommand: () => true,
+    getDependencyUpdatesForCommand: (args) =>
+      getDependencyUpdatesForCommand(args, true),
+  };
+}
+
+/**
+ * @param {string[]} args
+ * @param {boolean} isPnpx
+ * @returns {ReturnType<import("../currentPackageManager.js").PackageManager["getDependencyUpdatesForCommand"]>}
+ */
+function getDependencyUpdatesForCommand(args, isPnpx) {
+  if (isPnpx) {
+    return scanner.scan(args);
+  }
+  if (args.includes("dlx")) {
+    // dlx is not always the first argument (eg: `pnpm --package=yo --package=generator-webapp dlx yo webapp`)
+    // so we need to filter it out instead of slicing the array
+    // documentation: https://pnpm.io/cli/dlx#--package-name
+    return scanner.scan(args.filter((arg) => arg !== "dlx"));
+  }
+  return scanner.scan(args.slice(1));
+}

package/src/packagemanager/pnpm/dependencyScanner/commandArgumentScanner.js

@@ -0,0 +1,35 @@
+import { resolvePackageVersion } from "../../../api/npmApi.js";
+import { parsePackagesFromArguments } from "../parsing/parsePackagesFromArguments.js";
+
+/**
+ * @returns {import("../../npm/dependencyScanner/commandArgumentScanner.js").CommandArgumentScanner}
+ */
+export function commandArgumentScanner() {
+  return {
+    scan: (args) => scanDependencies(args),
+    shouldScan: () => true, // There's no dry run for pnpm, so we always scan
+  };
+}
+
+/**
+ * @param {string[]} args
+ * @returns {Promise<import("../../npm/dependencyScanner/commandArgumentScanner.js").ScanResult[]>}
+ */
+async function scanDependencies(args) {
+  const changes = [];
+  const packageUpdates = parsePackagesFromArguments(args);
+
+  for (const packageUpdate of packageUpdates) {
+    var exactVersion = await resolvePackageVersion(
+      packageUpdate.name,
+      packageUpdate.version
+    );
+    if (exactVersion) {
+      packageUpdate.version = exactVersion;
+    }
+
+    changes.push({ ...packageUpdate, type: "add" });
+  }
+
+  return changes;
+}

package/src/packagemanager/pnpm/parsing/parsePackagesFromArguments.js

@@ -0,0 +1,109 @@
+/**
+ * @param {string[]} args
+ * @returns {{name: string, version: string}[]}
+ */
+export function parsePackagesFromArguments(args) {
+  const changes = [];
+  let defaultTag = "latest";
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    const option = getOption(arg);
+
+    if (option) {
+      // If the option has a parameter, skip the next argument as well
+      i += option.numberOfParameters;
+
+      continue;
+    }
+
+    const packageDetails = parsePackagename(arg, defaultTag);
+    if (packageDetails) {
+      changes.push(packageDetails);
+    }
+  }
+
+  return changes;
+}
+
+/**
+ * @param {string} arg
+ * @returns {{name: string, numberOfParameters: number} | undefined}
+ */
+function getOption(arg) {
+  if (isOptionWithParameter(arg)) {
+    return {
+      name: arg,
+      numberOfParameters: 1,
+    };
+  }
+
+  // Arguments starting with "-" or "--" are considered options
+  // except for "--package=" which contains the package name
+  if (arg.startsWith("-") && !arg.startsWith("--package=")) {
+    return {
+      name: arg,
+      numberOfParameters: 0,
+    };
+  }
+
+  return undefined;
+}
+
+/**
+ * @param {string} arg
+ * @returns {boolean}
+ */
+function isOptionWithParameter(arg) {
+  const optionsWithParameters = ["--C", "--dir"];
+
+  return optionsWithParameters.includes(arg);
+}
+
+/**
+ * @param {string} arg
+ * @param {string} defaultTag
+ * @returns {{name: string, version: string}}
+ */
+function parsePackagename(arg, defaultTag) {
+  // format can be --package=name@version
+  // in that case, we need to remove the --package= part
+  if (arg.startsWith("--package=")) {
+    arg = arg.slice(10);
+  }
+
+  arg = removeAlias(arg);
+
+  // Split at the last "@" to separate the package name and version
+  const lastAtIndex = arg.lastIndexOf("@");
+
+  let name, version;
+  // The index of the last "@" should be greater than 0
+  // If the index is 0, it means the package name starts with "@" (eg: "@aikidosec/package-name")
+  if (lastAtIndex > 0) {
+    name = arg.slice(0, lastAtIndex);
+    version = arg.slice(lastAtIndex + 1);
+  } else {
+    name = arg;
+    version = defaultTag; // No tag specified (eg: "http-server"), use the default tag
+  }
+
+  return {
+    name,
+    version,
+  };
+}
+
+/**
+ * @param {string} arg
+ * @returns {string}
+ */
+function removeAlias(arg) {
+  // removes the alias.
+  // Eg.: server@npm:http-server@latest becomes http-server@latest
+  const aliasIndex = arg.indexOf("@npm:");
+  if (aliasIndex !== -1) {
+    return arg.slice(aliasIndex + 5);
+  }
+  return arg;
+}

package/src/packagemanager/pnpm/runPnpmCommand.js

@@ -0,0 +1,36 @@
+import { ui } from "../../environment/userInteraction.js";
+import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+import { safeSpawn } from "../../utils/safeSpawn.js";
+
+/**
+ * @param {string[]} args
+ * @param {string} [toolName]
+ * @returns {Promise<{status: number}>}
+ */
+export async function runPnpmCommand(args, toolName = "pnpm") {
+  try {
+    let result;
+    if (toolName === "pnpm") {
+      result = await safeSpawn("pnpm", args, {
+        stdio: "inherit",
+        env: mergeSafeChainProxyEnvironmentVariables(process.env),
+      });
+    } else if (toolName === "pnpx") {
+      result = await safeSpawn("pnpx", args, {
+        stdio: "inherit",
+        env: mergeSafeChainProxyEnvironmentVariables(process.env),
+      });
+    } else {
+      throw new Error(`Unsupported tool name for aikido-pnpm: ${toolName}`);
+    }
+
+    return { status: result.status };
+  } catch (/** @type any */ error) {
+    if (error.status) {
+      return { status: error.status };
+    } else {
+      ui.writeError("Error executing command:", error.message);
+      return { status: 1 };
+    }
+  }
+}

package/src/packagemanager/uv/createUvPackageManager.js

@@ -0,0 +1,18 @@
+import { runUv } from "./runUvCommand.js";
+
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createUvPackageManager() {
+  return {
+    /**
+     * @param {string[]} args
+     */
+    runCommand: (args) => {
+      return runUv("uv", args);
+    },
+    // For uv, rely solely on MITM
+    isSupportedCommand: () => false,
+    getDependencyUpdatesForCommand: () => [],
+  };
+}