@aikidosec/safe-chain 0.0.4-connect-timeout-beta

package/src/packagemanager/uv/runUvCommand.js

@@ -0,0 +1,71 @@
+import { ui } from "../../environment/userInteraction.js";
+import { safeSpawn } from "../../utils/safeSpawn.js";
+import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+import { getCombinedCaBundlePath } from "../../registryProxy/certBundle.js";
+
+/**
+ * Sets CA bundle environment variables used by Python libraries and uv.
+ * 
+ * @param {NodeJS.ProcessEnv} env - Env object
+ * @param {string} combinedCaPath - Path to the combined CA bundle
+ */
+function setUvCaBundleEnvironmentVariables(env, combinedCaPath) {
+  // SSL_CERT_FILE: Used by Python SSL libraries and underlying HTTP clients
+  if (env.SSL_CERT_FILE) {
+    ui.writeWarning("Safe-chain: User defined SSL_CERT_FILE found in environment. It will be overwritten.");
+  }
+  env.SSL_CERT_FILE = combinedCaPath;
+
+  // REQUESTS_CA_BUNDLE: Used by the requests library (which uv may use internally)
+  if (env.REQUESTS_CA_BUNDLE) {
+    ui.writeWarning("Safe-chain: User defined REQUESTS_CA_BUNDLE found in environment. It will be overwritten.");
+  }
+  env.REQUESTS_CA_BUNDLE = combinedCaPath;
+
+  // PIP_CERT: Some underlying pip operations may respect this
+  if (env.PIP_CERT) {
+    ui.writeWarning("Safe-chain: User defined PIP_CERT found in environment. It will be overwritten.");
+  }
+  env.PIP_CERT = combinedCaPath;
+}
+
+/**
+ * Runs a uv command with safe-chain's certificate bundle and proxy configuration.
+ * 
+ * uv respects standard environment variables for proxy and TLS configuration:
+ * - HTTP_PROXY / HTTPS_PROXY: Proxy settings
+ * - SSL_CERT_FILE / REQUESTS_CA_BUNDLE: CA bundle for TLS verification
+ * 
+ * Unlike pip (which requires a temporary config file for cert configuration), uv directly
+ * honors environment variables, so no config/ini file is needed.
+ * 
+ * @param {string} command - The uv command to execute (typically 'uv')
+ * @param {string[]} args - Command line arguments to pass to uv
+ * @returns {Promise<{status: number}>} Exit status of the uv command
+ */
+export async function runUv(command, args) {
+  try {
+    const env = mergeSafeChainProxyEnvironmentVariables(process.env);
+
+    const combinedCaPath = getCombinedCaBundlePath();
+    setUvCaBundleEnvironmentVariables(env, combinedCaPath);
+
+    // Note: uv uses HTTPS_PROXY and HTTP_PROXY environment variables for proxy configuration
+    // These are already set by mergeSafeChainProxyEnvironmentVariables
+
+    const result = await safeSpawn(command, args, {
+      stdio: "inherit",
+      env,
+    });
+
+    return { status: result.status };
+  } catch (/** @type any */ error) {
+    if (error.status) {
+      return { status: error.status };
+    } else {
+      ui.writeError(`Error executing command: ${error.message}`);
+      ui.writeError(`Is '${command}' installed and available on your system?`);
+      return { status: 1 };
+    }
+  }
+}

package/src/packagemanager/yarn/createPackageManager.js

@@ -0,0 +1,41 @@
+import { commandArgumentScanner } from "./dependencyScanner/commandArgumentScanner.js";
+import { runYarnCommand } from "./runYarnCommand.js";
+
+const scanner = commandArgumentScanner();
+
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createYarnPackageManager() {
+  return {
+    runCommand: runYarnCommand,
+    isSupportedCommand: (args) =>
+      matchesCommand(args, "add") ||
+      matchesCommand(args, "global", "add") ||
+      matchesCommand(args, "install") ||
+      matchesCommand(args, "up") ||
+      matchesCommand(args, "upgrade") ||
+      matchesCommand(args, "global", "upgrade") ||
+      matchesCommand(args, "dlx"),
+    getDependencyUpdatesForCommand: (args) => scanner.scan(args),
+  };
+}
+
+/**
+ * @param {string[]} args
+ * @param {...string} commandArgs
+ * @returns {boolean}
+ */
+function matchesCommand(args, ...commandArgs) {
+  if (args.length < commandArgs.length) {
+    return false;
+  }
+
+  for (var i = 0; i < commandArgs.length; i++) {
+    if (args[i].toLowerCase() !== commandArgs[i].toLowerCase()) {
+      return false;
+    }
+  }
+
+  return true;
+}

package/src/packagemanager/yarn/dependencyScanner/commandArgumentScanner.js

@@ -0,0 +1,35 @@
+import { resolvePackageVersion } from "../../../api/npmApi.js";
+import { parsePackagesFromArguments } from "../parsing/parsePackagesFromArguments.js";
+
+/**
+ * @returns {import("../../npm/dependencyScanner/commandArgumentScanner.js").CommandArgumentScanner}
+ */
+export function commandArgumentScanner() {
+  return {
+    scan: (args) => scanDependencies(args),
+    shouldScan: () => true, // There's no dry run for yarn, so we always scan
+  };
+}
+
+/**
+ * @param {string[]} args
+ * @returns {Promise<import("../../npm/dependencyScanner/commandArgumentScanner.js").ScanResult[]>}
+ */
+async function scanDependencies(args) {
+  const changes = [];
+  const packageUpdates = parsePackagesFromArguments(args);
+
+  for (const packageUpdate of packageUpdates) {
+    var exactVersion = await resolvePackageVersion(
+      packageUpdate.name,
+      packageUpdate.version
+    );
+    if (exactVersion) {
+      packageUpdate.version = exactVersion;
+    }
+
+    changes.push({ ...packageUpdate, type: "add" });
+  }
+
+  return changes;
+}

package/src/packagemanager/yarn/parsing/parsePackagesFromArguments.js

@@ -0,0 +1,128 @@
+/**
+ * @param {string[]} args
+ * @returns {{name: string, version: string}[]}
+ */
+export function parsePackagesFromArguments(args) {
+  const changes = [];
+  let defaultTag = "latest";
+
+  for (let i = 1; i < args.length; i++) {
+    const arg = args[i];
+    const option = getOption(arg);
+
+    if (option) {
+      // If the option has a parameter, skip the next argument as well
+      i += option.numberOfParameters;
+
+      continue;
+    }
+
+    const packageDetails = parsePackagename(arg, defaultTag);
+    if (packageDetails) {
+      changes.push(packageDetails);
+    }
+  }
+
+  return changes;
+}
+
+/**
+ * @param {string} arg
+ *
+ * @returns {{name: string, numberOfParameters: number} | undefined}
+ */
+function getOption(arg) {
+  if (isOptionWithParameter(arg)) {
+    return {
+      name: arg,
+      numberOfParameters: 1,
+    };
+  }
+
+  // Arguments starting with "-" or "--" are considered options
+  // except for "--package=" which contains the package name
+  if (arg.startsWith("-")) {
+    return {
+      name: arg,
+      numberOfParameters: 0,
+    };
+  }
+
+  return undefined;
+}
+
+/**
+ * @param {string} arg
+ *
+ * @returns {boolean}
+ */
+function isOptionWithParameter(arg) {
+  const optionsWithParameters = [
+    "--use-yarnrc",
+    "--link-folder",
+    "--global-folder",
+    "--modules-folder",
+    "--preferred-cache-folder",
+    "--cache-folder",
+    "--mutex",
+    "--cwd",
+    "--proxy",
+    "--https-proxy",
+    "--registry",
+    "--network-concurrency",
+    "--network-timeout",
+    "--scripts-prepend-node-path",
+    "--otp",
+  ];
+
+  return optionsWithParameters.includes(arg);
+}
+
+/**
+ * @param {string} arg
+ * @param {string} defaultTag
+ *
+ * @returns {{name: string, version: string}}
+ */
+function parsePackagename(arg, defaultTag) {
+  // format can be --package=name@version
+  // in that case, we need to remove the --package= part
+  if (arg.startsWith("--package=")) {
+    arg = arg.slice(10);
+  }
+
+  arg = removeAlias(arg);
+
+  // Split at the last "@" to separate the package name and version
+  const lastAtIndex = arg.lastIndexOf("@");
+
+  let name, version;
+  // The index of the last "@" should be greater than 0
+  // If the index is 0, it means the package name starts with "@" (eg: "@vercel/otel")
+  if (lastAtIndex > 0) {
+    name = arg.slice(0, lastAtIndex);
+    version = arg.slice(lastAtIndex + 1);
+  } else {
+    name = arg;
+    version = defaultTag; // No tag specified (eg: "http-server"), use the default tag
+  }
+
+  return {
+    name,
+    version,
+  };
+}
+
+/**
+ * @param {string} arg
+ * @returns {string}
+ */
+function removeAlias(arg) {
+  // removes the alias.
+  // Eg.: server@npm:http-server@latest becomes http-server@latest
+  const aliasIndex = arg.indexOf("@npm:");
+  if (aliasIndex !== -1) {
+    return arg.slice(aliasIndex + 5);
+  }
+  return arg;
+}

package/src/packagemanager/yarn/runYarnCommand.js

@@ -0,0 +1,41 @@
+import { ui } from "../../environment/userInteraction.js";
+import { safeSpawn } from "../../utils/safeSpawn.js";
+import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+
+/**
+ * @param {string[]} args
+ *
+ * @returns {Promise<{status: number}>}
+ */
+export async function runYarnCommand(args) {
+  try {
+    const env = mergeSafeChainProxyEnvironmentVariables(process.env);
+    await fixYarnProxyEnvironmentVariables(env);
+
+    const result = await safeSpawn("yarn", args, {
+      stdio: "inherit",
+      env,
+    });
+    return { status: result.status };
+  } catch (/** @type any */ error) {
+    if (error.status) {
+      return { status: error.status };
+    } else {
+      ui.writeError("Error executing command:", error.message);
+      return { status: 1 };
+    }
+  }
+}
+
+/**
+ * @param {Record<string, string>} env
+ *
+ * @returns {Promise<void>}
+ */
+async function fixYarnProxyEnvironmentVariables(env) {
+  // Yarn ignores standard proxy environment variable HTTPS_PROXY
+  // It does respect NODE_EXTRA_CA_CERTS for custom CA certificates though.
+  // Don't use YARN_HTTPS_CA_FILE_PATH or YARN_CA_FILE_PATH though, it causes yarn to ignore all system CAs
+
+  env.YARN_HTTPS_PROXY = env.HTTPS_PROXY;
+}

package/src/registryProxy/certBundle.js

@@ -0,0 +1,95 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+// @ts-ignore - certifi has no type definitions
+import certifi from "certifi";
+import tls from "node:tls";
+import { X509Certificate } from "node:crypto";
+import { getCaCertPath } from "./certUtils.js";
+
+/**
+ * Check if a PEM string contains only parsable cert blocks.
+ * @param {string} pem - PEM-encoded certificate string
+ * @returns {boolean}
+ */
+function isParsable(pem) {
+  if (!pem || typeof pem !== "string") return false;
+  const begin = "-----BEGIN CERTIFICATE-----";
+  const end = "-----END CERTIFICATE-----";
+  const blocks = [];
+
+  let idx = 0;
+  while (idx < pem.length) {
+    const start = pem.indexOf(begin, idx);
+    if (start === -1) break;
+    const stop = pem.indexOf(end, start + begin.length);
+    if (stop === -1) break;
+    const blockEnd = stop + end.length;
+    blocks.push(pem.slice(start, blockEnd));
+    idx = blockEnd;
+  }
+
+  if (blocks.length === 0) return false;
+  try {
+    for (const b of blocks) {
+      // throw if invalid
+      new X509Certificate(b);
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/** @type {string | null} */
+let cachedPath = null;
+
+/**
+ * Build a combined CA bundle for Python and Node HTTPS flows.
+ * - Includes Safe Chain CA (for MITM of known registries)
+ * - Includes Mozilla roots via npm `certifi` (public HTTPS)
+ * - Includes Node's built-in root certificates as a portable fallback
+ * @returns {string} Path to the combined CA bundle PEM file
+ */
+export function getCombinedCaBundlePath() {
+  if (cachedPath && fs.existsSync(cachedPath)) return cachedPath;
+
+  // Concatenate PEM files
+  const parts = [];
+
+  // 1) Safe Chain CA (for MITM'd registries)
+  const safeChainPath = getCaCertPath();
+  try {
+    const safeChainPem = fs.readFileSync(safeChainPath, "utf8");
+    if (isParsable(safeChainPem)) parts.push(safeChainPem.trim());
+  } catch {
+    // Ignore if Safe Chain CA is not available
+  }
+
+  // 2) certifi (Mozilla CA bundle for all public HTTPS)
+  try {
+    const certifiPem = fs.readFileSync(certifi, "utf8");
+    if (isParsable(certifiPem)) parts.push(certifiPem.trim());
+  } catch {
+    // Ignore if certifi bundle is not available
+  }
+
+  // 3) Node's built-in root certificates
+  try {
+    const nodeRoots = tls.rootCertificates;
+    if (Array.isArray(nodeRoots) && nodeRoots.length) {
+      for (const rootPem of nodeRoots) {
+        if (typeof rootPem !== "string") continue;
+        if (isParsable(rootPem)) parts.push(rootPem.trim());
+      }
+    }
+  } catch {
+    // Ignore if unavailable
+  }
+
+  const combined = parts.filter(Boolean).join("\n");
+  const target = path.join(os.tmpdir(), "safe-chain-ca-bundle.pem");
+  fs.writeFileSync(target, combined, { encoding: "utf8" });
+  cachedPath = target;
+  return cachedPath;
+}

package/src/registryProxy/certUtils.js

@@ -0,0 +1,128 @@
+import forge from "node-forge";
+import path from "path";
+import fs from "fs";
+import os from "os";
+
+const certFolder = path.join(os.homedir(), ".safe-chain", "certs");
+const ca = loadCa();
+
+const certCache = new Map();
+
+export function getCaCertPath() {
+  return path.join(certFolder, "ca-cert.pem");
+}
+
+/**
+ * @param {string} hostname
+ * @returns {{privateKey: string, certificate: string}}
+ */
+export function generateCertForHost(hostname) {
+  let existingCert = certCache.get(hostname);
+  if (existingCert) {
+    return existingCert;
+  }
+
+  const keys = forge.pki.rsa.generateKeyPair(2048);
+  const cert = forge.pki.createCertificate();
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = "01";
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setHours(cert.validity.notBefore.getHours() + 1);
+
+  const attrs = [{ name: "commonName", value: hostname }];
+  cert.setSubject(attrs);
+  cert.setIssuer(ca.certificate.subject.attributes);
+  cert.setExtensions([
+    {
+      name: "subjectAltName",
+      altNames: [
+        {
+          type: 2, // DNS
+          value: hostname,
+        },
+      ],
+    },
+    {
+      name: "keyUsage",
+      digitalSignature: true,
+      keyEncipherment: true,
+    },
+    {
+      /*
+        extKeyUsage serverAuth is required for TLS server authentication.
+        This is especially important for Python venv environments, which use their own
+        certificate validation logic and will reject certificates lacking the serverAuth EKU.
+        Adding serverAuth does not impact other usages
+      */
+      name: "extKeyUsage",
+      serverAuth: true,
+    },
+  ]);
+  cert.sign(ca.privateKey, forge.md.sha256.create());
+
+  const result = {
+    privateKey: forge.pki.privateKeyToPem(keys.privateKey),
+    certificate: forge.pki.certificateToPem(cert),
+  };
+
+  certCache.set(hostname, result);
+
+  return result;
+}
+
+function loadCa() {
+  const keyPath = path.join(certFolder, "ca-key.pem");
+  const certPath = path.join(certFolder, "ca-cert.pem");
+
+  if (fs.existsSync(keyPath) && fs.existsSync(certPath)) {
+    const privateKeyPem = fs.readFileSync(keyPath, "utf8");
+    const certPem = fs.readFileSync(certPath, "utf8");
+    const privateKey = forge.pki.privateKeyFromPem(privateKeyPem);
+    const certificate = forge.pki.certificateFromPem(certPem);
+
+    // Don't return a cert that is valid for less than 1 hour
+    const oneHourFromNow = new Date(Date.now() + 60 * 60 * 1000);
+    if (certificate.validity.notAfter > oneHourFromNow) {
+      return { privateKey, certificate };
+    }
+  }
+
+  const { privateKey, certificate } = generateCa();
+  fs.mkdirSync(certFolder, { recursive: true });
+  fs.writeFileSync(keyPath, forge.pki.privateKeyToPem(privateKey));
+  fs.writeFileSync(certPath, forge.pki.certificateToPem(certificate));
+  return { privateKey, certificate };
+}
+
+function generateCa() {
+  const keys = forge.pki.rsa.generateKeyPair(2048);
+  const cert = forge.pki.createCertificate();
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = "01";
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setDate(cert.validity.notBefore.getDate() + 1);
+
+  const attrs = [{ name: "commonName", value: "safe-chain proxy" }];
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs);
+  cert.setExtensions([
+    {
+      name: "basicConstraints",
+      cA: true,
+    },
+    {
+      name: "keyUsage",
+      keyCertSign: true,
+      digitalSignature: true,
+      keyEncipherment: true,
+    },
+  ]);
+  cert.sign(keys.privateKey, forge.md.sha256.create());
+
+  return {
+    privateKey: keys.privateKey,
+    certificate: cert,
+  };
+}

package/src/registryProxy/http-utils.js

@@ -0,0 +1,17 @@
+/**
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @param {string} headerName
+ */
+export function getHeaderValueAsString(headers, headerName) {
+  if (!headers) {
+    return undefined;
+  }
+
+  let header = headers[headerName];
+
+  if (Array.isArray(header)) {
+    return header.join(", ");
+  }
+
+  return header;
+}

package/src/registryProxy/interceptors/createInterceptorForEcoSystem.js

@@ -0,0 +1,25 @@
+import {
+  ECOSYSTEM_JS,
+  ECOSYSTEM_PY,
+  getEcoSystem,
+} from "../../config/settings.js";
+import { npmInterceptorForUrl } from "./npm/npmInterceptor.js";
+import { pipInterceptorForUrl } from "./pipInterceptor.js";
+
+/**
+ * @param {string} url
+ * @returns {import("./interceptorBuilder.js").Interceptor | undefined}
+ */
+export function createInterceptorForUrl(url) {
+  const ecosystem = getEcoSystem();
+
+  if (ecosystem === ECOSYSTEM_JS) {
+    return npmInterceptorForUrl(url);
+  }
+
+  if (ecosystem === ECOSYSTEM_PY) {
+    return pipInterceptorForUrl(url);
+  }
+
+  return undefined;
+}