@aikidosec/safe-chain 1.0.0 → 1.0.10

package/.editorconfig

@@ -0,0 +1,8 @@
+
+[*]
+charset = utf-8
+insert_final_newline = true
+end_of_line = lf
+indent_style = space
+indent_size = 2
+max_line_length = 80

package/.github/workflows/build-and-release.yml

@@ -0,0 +1,41 @@
+name: Create Release
+
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: "lts/*"
+          registry-url: "https://registry.npmjs.org/"
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+
+      - name: Set version number
+        id: get_version
+        run: |
+          version="${{ github.ref_name }}"
+          echo "tag=$version" >> $GITHUB_OUTPUT
+
+      - name: Set the version
+        run: npm --no-git-tag-version version ${{ steps.get_version.outputs.tag }}
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Publish to npm
+        run: |
+          echo "Publishing version ${{ steps.get_version.outputs.tag }} to NPM"
+          npm publish --access public
+        env:
+          NPM_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

package/.github/workflows/test-on-pr.yml

@@ -0,0 +1,28 @@
+name: Run Unit Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: "lts/*"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run tests
+        run: npm test
+
+      - name: Run ESLint
+        run: npm run lint

package/README.md

@@ -0,0 +1,55 @@
+# Aikido Safe Chain
+
+The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), and [yarn](https://yarnpkg.com/) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, or yarn from downloading or running the malware.
+
+![demo](./safe-package-manager-demo.gif)
+
+## Installation
+
+To install the Aikido Safe Chain, you can use the following command:
+
+```shell
+npm i -g @aikidosec/safe-chain
+```
+
+Now you should be able to use the `aikido-npm`, `aikido-npx`, or `aikido-yarn` command instead of `npm`, `npx`, or `yarn`. Example: `aikido-npm install axios`, `aikido-yarn add lodash`.
+
+## Aliases in shell
+
+It is possible to create aliases in your shell startup script to make it easier to use the Aikido Safe Chain. This is useful if you want to use the Aikido Safe Chain as a drop-in replacement for **npm**, **npx**, or **yarn**. The aikido-npm, aikido-npx, and aikido-yarn commands will scan for malware and prompt you to exit if any is found. If not, they will run the original **npm**, **npx**, or **yarn** command.
+
+### Creating an alias
+
+The `add-aikido-aliases` command will add the aliases for **npm**, **npx**, and **yarn** to your shell startup script.
+
+To add aliases to your shell startup script, you can use the built-in command `aikido-npm add-aikido-aliases`:
+
+```shell
+# Example for bash
+aikido-npm add-aikido-aliases ~/.bashrc
+
+# Example for zsh
+aikido-npm add-aikido-aliases ~/.zshrc
+
+# Example for powershell
+aikido-npm add-aikido-aliases $PROFILE
+```
+
+This will create the aliases. The following table shows the aliases that will be created in the shell startup script:
+
+| Shell          | Startup script             | Npm Alias                               | Npx Alias                               | Yarn Alias                                |
+| -------------- | -------------------------- | --------------------------------------- | --------------------------------------- | ----------------------------------------- |
+| **Bash**       | ~/.bashrc                  | `alias npm='aikido-npm'`                | `alias npx='aikido-npx'`                | `alias yarn='aikido-yarn'`                |
+| **Zsh**        | ~/.zshrc                   | `alias npm='aikido-npm'`                | `alias npx='aikido-npx'`                | `alias yarn='aikido-yarn'`                |
+| **Ash**        | ~/.profile, ~/.ashrc       | `alias npm='aikido-npm'`                | `alias npx='aikido-npx'`                | `alias yarn='aikido-yarn'`                |
+| **Fish**       | ~/.config/fish/config.fish | `alias npm "aikido-npm"`                | `alias npx "aikido-npx"`                | `alias yarn "aikido-yarn"`                |
+| **Powershell** | $PROFILE                   | `Set-Alias -Name npm -Value aikido-npm` | `Set-Alias -Name npx -Value aikido-npx` | `Set-Alias -Name yarn -Value aikido-yarn` |
+
+After adding the alias, **the shell needs to restart in order to load the alias**.
+
+### Removing the alias
+
+To remove the added aliases, you can use the built-in commands of `aikido-npm`:
+
+- `aikido-npm remove-aikido-aliases file_name` (eg `~/.bashrc`, `~/.zshrc`, etc.)
+  This will remove the aliases if they are present in the file.

package/bin/aikido-npm.js

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+
+import { main } from "../src/main.js";
+import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
+
+const packageManagerName = "npm";
+initializePackageManager(packageManagerName, process.versions.node);
+await main(process.argv.slice(2));

package/bin/aikido-npx.js

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+
+import { main } from "../src/main.js";
+import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
+
+const packageManagerName = "npx";
+initializePackageManager(packageManagerName, process.versions.node);
+await main(process.argv.slice(2));

package/bin/aikido-yarn.js

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+
+import { main } from "../src/main.js";
+import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
+
+const packageManagerName = "yarn";
+initializePackageManager(packageManagerName, process.versions.node);
+await main(process.argv.slice(2));

package/eslint.config.js

@@ -0,0 +1,25 @@
+import js from "@eslint/js";
+import { defineConfig } from "@eslint/config-helpers";
+import globals from "globals";
+import importPlugin from "eslint-plugin-import";
+
+export default defineConfig([
+  {
+    files: ["**/*.{js,mjs,cjs,ts}"],
+    plugins: { js },
+    extends: ["js/recommended"],
+  },
+  {
+    files: ["**/*.{js,mjs,cjs,ts}"],
+    languageOptions: { globals: globals.node },
+  },
+  importPlugin.flatConfigs.recommended,
+  {
+    files: ["**/*.{js,mjs,cjs}"],
+    languageOptions: {
+      ecmaVersion: "latest",
+      sourceType: "module",
+    },
+    rules: {},
+  },
+]);

package/package.json

@@ -1,18 +1,40 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.0.0",
-  "scripts": {},
+  "version": "1.0.10",
+  "scripts": {
+    "test": "node --test --experimental-test-module-mocks **/*.spec.js",
+    "test:watch": "node --test --watch --experimental-test-module-mocks **/*.spec.js",
+    "lint": "eslint ."
+  },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/AikidoSec/safe-npm.git"
   },
-  "bin": {},
+  "bin": {
+    "aikido-npm": "bin/aikido-npm.js",
+    "aikido-npx": "bin/aikido-npx.js",
+    "aikido-yarn": "bin/aikido-yarn.js"
+  },
   "type": "module",
   "keywords": [],
   "author": "Aikido Security",
   "license": "AGPL-3.0-or-later",
-  "description": "The Aikido Safe Package Manager wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), and [pnpx](https://pnpm.io/cli/dlx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, or pnpx from downloading or running the malware.",
-  "dependencies": {},
+  "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), and [pnpx](https://pnpm.io/cli/dlx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, or pnpx from downloading or running the malware.",
+  "dependencies": {
+    "@inquirer/prompts": "^7.4.1",
+    "abbrev": "^3.0.1",
+    "chalk": "^5.4.1",
+    "npm-registry-fetch": "^18.0.2",
+    "ora": "^8.2.0",
+    "semver": "^7.7.2"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.26.0",
+    "eslint": "^9.26.0",
+    "eslint-plugin-import": "^2.31.0",
+    "globals": "^16.1.0",
+    "typescript-eslint": "^8.32.0"
+  },
   "main": "eslint.config.js",
   "bugs": {
     "url": "https://github.com/AikidoSec/safe-npm/issues"

package/src/api/aikido.js

@@ -0,0 +1,31 @@
+const malwareDatabaseUrl =
+  "https://malware-list.aikido.dev/malware_predictions.json";
+
+export async function fetchMalwareDatabase() {
+  const response = await fetch(malwareDatabaseUrl);
+  if (!response.ok) {
+    throw new Error(`Error fetching malware database: ${response.statusText}`);
+  }
+
+  try {
+    let malwareDatabase = await response.json();
+    return {
+      malwareDatabase: malwareDatabase,
+      version: response.headers.get("etag") || undefined,
+    };
+  } catch (error) {
+    throw new Error(`Error parsing malware database: ${error.message}`);
+  }
+}
+
+export async function fetchMalwareDatabaseVersion() {
+  const response = await fetch(malwareDatabaseUrl, {
+    method: "HEAD",
+  });
+  if (!response.ok) {
+    throw new Error(
+      `Error fetching malware database version: ${response.statusText}`
+    );
+  }
+  return response.headers.get("etag") || undefined;
+}

package/src/api/npmApi.js

@@ -0,0 +1,46 @@
+import * as semver from "semver";
+import * as npmFetch from "npm-registry-fetch";
+
+export async function resolvePackageVersion(packageName, versionRange) {
+  if (!versionRange) {
+    versionRange = "latest";
+  }
+
+  if (semver.valid(versionRange)) {
+    // The version is a fixed version, no need to resolve
+    return versionRange;
+  }
+
+  const packageInfo = await getPackageInfo(packageName);
+  if (!packageInfo) {
+    // It is possible that no version is found (could be a private package, or a package that doesn't exist)
+    // In this case, we return null to indicate that we couldn't resolve the version
+    return null;
+  }
+
+  const distTags = packageInfo["dist-tags"];
+  if (distTags && distTags[versionRange]) {
+    // If the version range is a dist-tag, return the version associated with that tag
+    // e.g., "latest", "next", etc.
+    return distTags[versionRange];
+  }
+
+  // If the version range is not a dist-tag, we need to resolve the highest version matching the range.
+  // This is useful for ranges like "^1.0.0" or "~2.3.4".
+  const availableVersions = Object.keys(packageInfo.versions);
+  const resolvedVersion = semver.maxSatisfying(availableVersions, versionRange);
+  if (resolvedVersion) {
+    return resolvedVersion;
+  }
+
+  // Nothing matched the range, return null
+  return null;
+}
+
+async function getPackageInfo(packageName) {
+  try {
+    return await npmFetch.json(packageName);
+  } catch {
+    return null;
+  }
+}

package/src/config/configFile.js

@@ -0,0 +1,91 @@
+import fs from "fs";
+import path from "path";
+import os from "os";
+import { ui } from "../environment/userInteraction.js";
+
+export function getScanTimeout() {
+  const config = readConfigFile();
+  return (
+    parseInt(process.env.AIKIDO_SCAN_TIMEOUT_MS) || config.scanTimeout || 10000 // Default to 10 seconds
+  );
+}
+
+export function writeDatabaseToLocalCache(data, version) {
+  try {
+    const databasePath = getDatabasePath();
+    const versionPath = getDatabaseVersionPath();
+
+    fs.writeFileSync(databasePath, JSON.stringify(data));
+    fs.writeFileSync(versionPath, version.toString());
+  } catch {
+    ui.writeWarning(
+      "Failed to write malware database to local cache, next time the database will be fetched from the server again."
+    );
+  }
+}
+
+export function readDatabaseFromLocalCache() {
+  try {
+    const databasePath = getDatabasePath();
+    if (!fs.existsSync(databasePath)) {
+      return {
+        malwareDatabase: null,
+        version: null,
+      };
+    }
+    const data = fs.readFileSync(databasePath, "utf8");
+    const malwareDatabase = JSON.parse(data);
+    const versionPath = getDatabaseVersionPath();
+    let version = null;
+    if (fs.existsSync(versionPath)) {
+      version = fs.readFileSync(versionPath, "utf8").trim();
+    }
+    return {
+      malwareDatabase: malwareDatabase,
+      version: version,
+    };
+  } catch {
+    ui.writeWarning(
+      "Failed to read malware database from local cache. Continuing without local cache."
+    );
+    return {
+      malwareDatabase: null,
+      version: null,
+    };
+  }
+}
+
+function readConfigFile() {
+  const configFilePath = getConfigFilePath();
+
+  if (!fs.existsSync(configFilePath)) {
+    return {};
+  }
+
+  const data = fs.readFileSync(configFilePath, "utf8");
+  return JSON.parse(data);
+}
+
+function getDatabasePath() {
+  const aikidoDir = getAikidoDirectory();
+  return path.join(aikidoDir, "malwareDatabase.json");
+}
+
+function getDatabaseVersionPath() {
+  const aikidoDir = getAikidoDirectory();
+  return path.join(aikidoDir, "version.txt");
+}
+
+function getConfigFilePath() {
+  return path.join(getAikidoDirectory(), "config.json");
+}
+
+function getAikidoDirectory() {
+  const homeDir = os.homedir();
+  const aikidoDir = path.join(homeDir, ".aikido");
+
+  if (!fs.existsSync(aikidoDir)) {
+    fs.mkdirSync(aikidoDir, { recursive: true });
+  }
+  return aikidoDir;
+}

package/src/environment/environment.js

@@ -0,0 +1,14 @@
+export function isCi() {
+  const ciEnvironments = [
+    "CI",
+    "TF_BUILD", // Azure devops does not set CI, but TF_BUILD
+  ];
+
+  for (const env of ciEnvironments) {
+    if (process.env[env]) {
+      return true;
+    }
+  }
+
+  return false;
+}

package/src/environment/userInteraction.js

@@ -0,0 +1,79 @@
+import chalk from "chalk";
+import ora from "ora";
+import { confirm as inquirerConfirm } from "@inquirer/prompts";
+import { isCi } from "./environment.js";
+
+function emptyLine() {
+  writeInformation("");
+}
+
+function writeInformation(message, ...optionalParams) {
+  console.log(message, ...optionalParams);
+}
+
+function writeWarning(message, ...optionalParams) {
+  if (!isCi()) {
+    message = chalk.yellow(message);
+  }
+  console.warn(message, ...optionalParams);
+}
+
+function writeError(message, ...optionalParams) {
+  if (!isCi()) {
+    message = chalk.red(message);
+  }
+  console.error(message, ...optionalParams);
+}
+
+function startProcess(message) {
+  if (isCi()) {
+    return {
+      succeed: (message) => {
+        writeInformation(message);
+      },
+      fail: (message) => {
+        writeError(message);
+      },
+      stop: () => {},
+      setText: (message) => {
+        writeInformation(message);
+      },
+    };
+  } else {
+    const spinner = ora(message).start();
+    return {
+      succeed: (message) => {
+        spinner.succeed(message);
+      },
+      fail: (message) => {
+        spinner.fail(message);
+      },
+      stop: () => {
+        spinner.stop();
+      },
+      setText: (message) => {
+        spinner.text = message;
+      },
+    };
+  }
+}
+
+async function confirm(config) {
+  if (isCi()) {
+    return Promise.resolve(config.default);
+  } else {
+    return inquirerConfirm({
+      message: config.message,
+      default: config.default,
+    });
+  }
+}
+
+export const ui = {
+  writeInformation,
+  writeWarning,
+  writeError,
+  emptyLine,
+  startProcess,
+  confirm,
+};

package/src/main.js

@@ -0,0 +1,31 @@
+#!/usr/bin/env node
+
+import { scanCommand, shouldScanCommand } from "./scanning/index.js";
+import { isAddAliasCommand, addAlias } from "./shell-integration/addAlias.js";
+import {
+  removeAlias,
+  isRemoveAliasCommand,
+} from "./shell-integration/removeAlias.js";
+import { ui } from "./environment/userInteraction.js";
+import { getPackageManager } from "./packagemanager/currentPackageManager.js";
+
+export async function main(args) {
+  try {
+    if (isAddAliasCommand(args)) {
+      addAlias(args);
+      return;
+    }
+    if (isRemoveAliasCommand(args)) {
+      removeAlias(args);
+      return;
+    }
+    if (shouldScanCommand(args)) {
+      await scanCommand(args);
+    }
+  } catch (error) {
+    ui.writeError("Failed to check for malicious packages:", error.message);
+  }
+
+  var result = getPackageManager().runCommand(args);
+  process.exit(result.status);
+}

package/src/packagemanager/currentPackageManager.js

@@ -0,0 +1,28 @@
+import { createNpmPackageManager } from "./npm/createPackageManager.js";
+import { createNpxPackageManager } from "./npx/createPackageManager.js";
+import { createYarnPackageManager } from "./yarn/createPackageManager.js";
+
+const state = {
+  packageManagerName: null,
+};
+
+export function initializePackageManager(packageManagerName, version) {
+  if (packageManagerName === "npm") {
+    state.packageManagerName = createNpmPackageManager(version);
+  } else if (packageManagerName === "npx") {
+    state.packageManagerName = createNpxPackageManager();
+  } else if (packageManagerName === "yarn") {
+    state.packageManagerName = createYarnPackageManager();
+  } else {
+    throw new Error("Unsupported package manager: " + packageManagerName);
+  }
+
+  return state.packageManagerName;
+}
+
+export function getPackageManager() {
+  if (!state.packageManagerName) {
+    throw new Error("Package manager not initialized.");
+  }
+  return state.packageManagerName;
+}

package/src/packagemanager/npm/createPackageManager.js

@@ -0,0 +1,83 @@
+import { commandArgumentScanner } from "./dependencyScanner/commandArgumentScanner.js";
+import { dryRunScanner } from "./dependencyScanner/dryRunScanner.js";
+import { nullScanner } from "./dependencyScanner/nullScanner.js";
+import { runNpm } from "./runNpmCommand.js";
+import {
+  getNpmCommandForArgs,
+  npmInstallCommand,
+  npmCiCommand,
+  npmInstallTestCommand,
+  npmInstallCiTestCommand,
+  npmUpdateCommand,
+  npmAuditCommand,
+  npmExecCommand,
+} from "./utils/npmCommands.js";
+
+export function createNpmPackageManager(version) {
+  const supportedScanners =
+    getMajorVersion(version) >= 22
+      ? npm22AndAboveSupportedScanners
+      : npm21AndBelowSupportedScanners;
+
+  function isSupportedCommand(args) {
+    const scanner = findDependencyScannerForCommand(supportedScanners, args);
+    return scanner.shouldScan(args);
+  }
+
+  function getDependencyUpdatesForCommand(args) {
+    const scanner = findDependencyScannerForCommand(supportedScanners, args);
+    return scanner.scan(args);
+  }
+
+  return {
+    getWarningMessage: () => warnForLimitedSupport(version),
+    runCommand: runNpm,
+    isSupportedCommand,
+    getDependencyUpdatesForCommand,
+  };
+}
+
+const npm22AndAboveSupportedScanners = {
+  [npmInstallCommand]: dryRunScanner(),
+  [npmUpdateCommand]: dryRunScanner(),
+  [npmCiCommand]: dryRunScanner(),
+  [npmAuditCommand]: dryRunScanner({
+    skipScanWhen: (args) => !args.includes("fix"),
+  }),
+  [npmExecCommand]: commandArgumentScanner({ ignoreDryRun: true }), // exec command doesn't support dry-run
+
+  // Running dry-run on install-test and install-ci-test will install & run tests.
+  // We only want to know if there are changes in the dependencies.
+  // So we run change the dry-run command to only check the install.
+  [npmInstallTestCommand]: dryRunScanner({ dryRunCommand: npmInstallCommand }),
+  [npmInstallCiTestCommand]: dryRunScanner({ dryRunCommand: npmCiCommand }),
+};
+
+const npm21AndBelowSupportedScanners = {
+  [npmInstallCommand]: commandArgumentScanner(),
+  [npmUpdateCommand]: commandArgumentScanner(),
+  [npmExecCommand]: commandArgumentScanner({ ignoreDryRun: true }), // exec command doesn't support dry-run
+};
+
+function warnForLimitedSupport(version) {
+  if (getMajorVersion(version) >= 22) {
+    return null;
+  }
+
+  return `Aikido-npm will only scan the arguments of the install command for Node.js version prior to version 22.
+Please update your Node.js version to 22 or higher for full coverage. Current version: v${version}`;
+}
+
+function getMajorVersion(version) {
+  return parseInt(version.split(".")[0]);
+}
+
+function findDependencyScannerForCommand(scanners, args) {
+  const command = getNpmCommandForArgs(args);
+  if (!command) {
+    return nullScanner();
+  }
+
+  const scanner = scanners[command];
+  return scanner ? scanner : nullScanner();
+}