@aikidosec/safe-chain 1.0.0 → 1.0.10

package/src/packagemanager/npm/utils/cmd-list.js

@@ -0,0 +1,171 @@
+// Based on https://github.com/npm/cli/blob/latest/lib/utils/cmd-list.js
+
+import abbrev from "abbrev";
+
+const commands = [
+  "access",
+  "adduser",
+  "audit",
+  "bugs",
+  "cache",
+  "ci",
+  "completion",
+  "config",
+  "dedupe",
+  "deprecate",
+  "diff",
+  "dist-tag",
+  "docs",
+  "doctor",
+  "edit",
+  "exec",
+  "explain",
+  "explore",
+  "find-dupes",
+  "fund",
+  "get",
+  "help",
+  "help-search",
+  "init",
+  "install",
+  "install-ci-test",
+  "install-test",
+  "link",
+  "ll",
+  "login",
+  "logout",
+  "ls",
+  "org",
+  "outdated",
+  "owner",
+  "pack",
+  "ping",
+  "pkg",
+  "prefix",
+  "profile",
+  "prune",
+  "publish",
+  "query",
+  "rebuild",
+  "repo",
+  "restart",
+  "root",
+  "run",
+  "sbom",
+  "search",
+  "set",
+  "shrinkwrap",
+  "star",
+  "stars",
+  "start",
+  "stop",
+  "team",
+  "test",
+  "token",
+  "undeprecate",
+  "uninstall",
+  "unpublish",
+  "unstar",
+  "update",
+  "version",
+  "view",
+  "whoami",
+];
+
+// These must resolve to an entry in commands
+const aliases = {
+  // aliases
+  author: "owner",
+  home: "docs",
+  issues: "bugs",
+  info: "view",
+  show: "view",
+  find: "search",
+  add: "install",
+  unlink: "uninstall",
+  remove: "uninstall",
+  rm: "uninstall",
+  r: "uninstall",
+
+  // short names for common things
+  un: "uninstall",
+  rb: "rebuild",
+  list: "ls",
+  ln: "link",
+  create: "init",
+  i: "install",
+  it: "install-test",
+  cit: "install-ci-test",
+  up: "update",
+  c: "config",
+  s: "search",
+  se: "search",
+  tst: "test",
+  t: "test",
+  ddp: "dedupe",
+  v: "view",
+  "run-script": "run",
+  "clean-install": "ci",
+  "clean-install-test": "install-ci-test",
+  x: "exec",
+  why: "explain",
+  la: "ll",
+  verison: "version",
+  ic: "ci",
+
+  // typos
+  innit: "init",
+  // manually abbrev so that install-test doesn't make insta stop working
+  in: "install",
+  ins: "install",
+  inst: "install",
+  insta: "install",
+  instal: "install",
+  isnt: "install",
+  isnta: "install",
+  isntal: "install",
+  isntall: "install",
+  "install-clean": "ci",
+  "isntall-clean": "ci",
+  hlep: "help",
+  "dist-tags": "dist-tag",
+  upgrade: "update",
+  udpate: "update",
+  rum: "run",
+  sit: "install-ci-test",
+  urn: "run",
+  ogr: "org",
+  "add-user": "adduser",
+};
+
+export function deref(c) {
+  if (!c) {
+    return;
+  }
+
+  // Translate camelCase to snake-case (i.e. installTest to install-test)
+  if (c.match(/[A-Z]/)) {
+    c = c.replace(/([A-Z])/g, (m) => "-" + m.toLowerCase());
+  }
+
+  // if they asked for something exactly we are done
+  if (commands.includes(c)) {
+    return c;
+  }
+
+  // if they asked for a direct alias
+  if (aliases[c]) {
+    return aliases[c];
+  }
+
+  const abbrevs = abbrev(commands.concat(Object.keys(aliases)));
+
+  // first deref the abbrev, if there is one
+  // then resolve any aliases
+  // so `npm install-cl` will resolve to `install-clean` then to `ci`
+  let a = abbrevs[c];
+  while (aliases[a]) {
+    a = aliases[a];
+  }
+  return a;
+}

package/src/packagemanager/npm/utils/npmCommands.js

@@ -0,0 +1,26 @@
+import { deref } from "./cmd-list.js";
+
+export function getNpmCommandForArgs(args) {
+  if (args.length === 0) {
+    return null;
+  }
+
+  const argCommand = deref(args[0]);
+  if (!argCommand) {
+    return null;
+  }
+
+  return argCommand;
+}
+
+export function hasDryRunArg(args) {
+  return args.some((arg) => arg === "--dry-run");
+}
+
+export const npmInstallCommand = "install";
+export const npmCiCommand = "ci";
+export const npmInstallTestCommand = "install-test";
+export const npmInstallCiTestCommand = "install-ci-test";
+export const npmUpdateCommand = "update";
+export const npmAuditCommand = "audit";
+export const npmExecCommand = "exec";

package/src/packagemanager/npx/createPackageManager.js

@@ -0,0 +1,13 @@
+import { commandArgumentScanner } from "./dependencyScanner/commandArgumentScanner.js";
+import { runNpx } from "./runNpxCommand.js";
+
+export function createNpxPackageManager() {
+  const scanner = commandArgumentScanner();
+
+  return {
+    getWarningMessage: () => null,
+    runCommand: runNpx,
+    isSupportedCommand: (args) => scanner.shouldScan(args),
+    getDependencyUpdatesForCommand: (args) => scanner.scan(args),
+  };
+}

package/src/packagemanager/npx/dependencyScanner/commandArgumentScanner.js

@@ -0,0 +1,31 @@
+import { resolvePackageVersion } from "../../../api/npmApi.js";
+import { parsePackagesFromArguments } from "../parsing/parsePackagesFromArguments.js";
+
+export function commandArgumentScanner() {
+  return {
+    scan: (args) => scanDependencies(args),
+    shouldScan: () => true, // all npx commands need to be scanned, npx doesn't have dry-run
+  };
+}
+function scanDependencies(args) {
+  return checkChangesFromArgs(args);
+}
+
+export async function checkChangesFromArgs(args) {
+  const changes = [];
+  const packageUpdates = parsePackagesFromArguments(args);
+
+  for (const packageUpdate of packageUpdates) {
+    var exactVersion = await resolvePackageVersion(
+      packageUpdate.name,
+      packageUpdate.version
+    );
+    if (exactVersion) {
+      packageUpdate.version = exactVersion;
+    }
+
+    changes.push({ ...packageUpdate, type: "add" });
+  }
+
+  return changes;
+}

package/src/packagemanager/npx/parsing/parsePackagesFromArguments.js

@@ -0,0 +1,106 @@
+export function parsePackagesFromArguments(args) {
+  let defaultTag = "latest";
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    const option = getOption(arg);
+
+    if (option) {
+      // If the option has a parameter, skip the next argument as well
+      i += option.numberOfParameters;
+
+      continue;
+    }
+
+    const packageDetails = parsePackagename(arg, defaultTag);
+    if (packageDetails) {
+      return [packageDetails];
+    }
+  }
+
+  return [];
+}
+
+function getOption(arg) {
+  if (isOptionWithParameter(arg)) {
+    return {
+      name: arg,
+      numberOfParameters: 1,
+    };
+  }
+
+  // Arguments starting with "-" or "--" are considered options
+  // except for "--package=" which contains the package name
+  if (arg.startsWith("-") && !arg.startsWith("--package=")) {
+    return {
+      name: arg,
+      numberOfParameters: 0,
+    };
+  }
+
+  return undefined;
+}
+
+function isOptionWithParameter(arg) {
+  const optionsWithParameters = [
+    "--access",
+    "--auth-type",
+    "--cache",
+    "--fetch-retries",
+    "--fetch-retry-mintimeout",
+    "--fetch-retry-maxtimeout",
+    "--fetch-retry-factor",
+    "--fetch-timeout",
+    "--https-proxy",
+    "--include",
+    "--location",
+    "--lockfile-version",
+    "--loglevel",
+    "--omit",
+    "--proxy",
+    "--registry",
+    "--replace-registry-host",
+    "--tag",
+    "--user-config",
+    "--workspace",
+  ];
+
+  return optionsWithParameters.includes(arg);
+}
+
+function parsePackagename(arg, defaultTag) {
+  // format can be --package=name@version
+  // in that case, we need to remove the --package= part
+  if (arg.startsWith("--package=")) {
+    arg = arg.slice(10);
+  }
+
+  arg = removeAlias(arg);
+
+  // Split at the last "@" to separate the package name and version
+  const lastAtIndex = arg.lastIndexOf("@");
+
+  let name, version;
+  if (lastAtIndex !== -1) {
+    name = arg.slice(0, lastAtIndex);
+    version = arg.slice(lastAtIndex + 1);
+  } else {
+    name = arg;
+    version = defaultTag; // No tag specified (eg: "http-server"), use the default tag
+  }
+
+  return {
+    name,
+    version,
+  };
+}
+
+function removeAlias(arg) {
+  // removes the alias.
+  // Eg.: server@npm:http-server@latest becomes http-server@latest
+  const aliasIndex = arg.indexOf("@npm:");
+  if (aliasIndex !== -1) {
+    return arg.slice(aliasIndex + 5);
+  }
+  return arg;
+}

package/src/packagemanager/npx/parsing/parsePackagesFromArguments.spec.js

@@ -0,0 +1,147 @@
+import { describe, it } from "node:test";
+import assert from "node:assert";
+import { parsePackagesFromArguments } from "./parsePackagesFromArguments.js";
+
+describe("parsePackagesFromArguments", () => {
+  it("should return an empty array for no changes", () => {
+    const args = [];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, []);
+  });
+
+  it("should return an array of changes for one package", () => {
+    const args = ["http-server@14.1.1"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "http-server", version: "14.1.1" }]);
+  });
+
+  it("should return the package with latest tag if absent", () => {
+    const args = ["http-server"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "http-server", version: "latest" }]);
+  });
+
+  it("should ignore double --", () => {
+    const args = ["--", "http-server"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "http-server", version: "latest" }]);
+  });
+
+  it("should only return the first package", () => {
+    const args = ["http-server", "jest"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "http-server", version: "latest" }]);
+  });
+
+  it("should return package with -p option", () => {
+    const args = ["-p", "http-server"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "http-server", version: "latest" }]);
+  });
+
+  it("should return package with --package option", () => {
+    const args = ["--package", "http-server"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "http-server", version: "latest" }]);
+  });
+
+  it("should return package with --package=x option", () => {
+    const args = ["--package=http-server"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "http-server", version: "latest" }]);
+  });
+
+  it("should return package with --package=x@version option", () => {
+    const args = ["--package=http-server@1.0.0"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "http-server", version: "1.0.0" }]);
+  });
+
+  it("should ignore options with parameters and return an array of changes", () => {
+    const args = ["--loglevel", "error", "http-server@14.1.1"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "http-server", version: "14.1.1" }]);
+  });
+
+  it("should parse version even for aliased packages", () => {
+    const args = ["server@npm:http-server@14.1.1"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "http-server", version: "14.1.1" }]);
+  });
+
+  it("should parse scoped packages", () => {
+    const args = ["@scope/package@1.0.0"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "@scope/package", version: "1.0.0" }]);
+  });
+
+  it("should parse packages with version ranges", () => {
+    const args = ["http-server@^14.1.1"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "http-server", version: "^14.1.1" }]);
+  });
+
+  it("should parse package folders", () => {
+    const args = ["./local-package"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "./local-package", version: "latest" }]);
+  });
+
+  it("should parse tarballs", () => {
+    const args = ["file:./local-package.tgz"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [
+      { name: "file:./local-package.tgz", version: "latest" },
+    ]);
+  });
+
+  it("should parse tarball URLs", () => {
+    const args = ["https://example.com/local-package.tgz"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [
+      { name: "https://example.com/local-package.tgz", version: "latest" },
+    ]);
+  });
+
+  it("should parse git URLs", () => {
+    const args = ["git://github.com/http-party/http-server"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [
+      { name: "git://github.com/http-party/http-server", version: "latest" },
+    ]);
+  });
+});

package/src/packagemanager/npx/runNpxCommand.js

@@ -0,0 +1,17 @@
+import { execSync } from "child_process";
+import { ui } from "../../environment/userInteraction.js";
+
+export function runNpx(args) {
+  try {
+    const npxCommand = `npx ${args.join(" ")}`;
+    execSync(npxCommand, { stdio: "inherit" });
+  } catch (error) {
+    if (error.status) {
+      return { status: error.status };
+    } else {
+      ui.writeError("Error executing command:", error.message);
+      return { status: 1 };
+    }
+  }
+  return { status: 0 };
+}

package/src/packagemanager/yarn/createPackageManager.js

@@ -0,0 +1,34 @@
+import { commandArgumentScanner } from "./dependencyScanner/commandArgumentScanner.js";
+import { runYarnCommand } from "./runYarnCommand.js";
+
+const scanner = commandArgumentScanner();
+
+export function createYarnPackageManager() {
+  return {
+    getWarningMessage: () => null,
+    runCommand: runYarnCommand,
+    isSupportedCommand: (args) =>
+      matchesCommand(args, "add") ||
+      matchesCommand(args, "global", "add") ||
+      matchesCommand(args, "install") ||
+      matchesCommand(args, "up") ||
+      matchesCommand(args, "upgrade") ||
+      matchesCommand(args, "global", "upgrade") ||
+      matchesCommand(args, "dlx"),
+    getDependencyUpdatesForCommand: (args) => scanner.scan(args),
+  };
+}
+
+function matchesCommand(args, ...commandArgs) {
+  if (args.length < commandArgs.length) {
+    return false;
+  }
+
+  for (var i = 0; i < commandArgs.length; i++) {
+    if (args[i].toLowerCase() !== commandArgs[i].toLowerCase()) {
+      return false;
+    }
+  }
+
+  return true;
+}

package/src/packagemanager/yarn/dependencyScanner/commandArgumentScanner.js

@@ -0,0 +1,28 @@
+import { resolvePackageVersion } from "../../../api/npmApi.js";
+import { parsePackagesFromArguments } from "../parsing/parsePackagesFromArguments.js";
+
+export function commandArgumentScanner() {
+  return {
+    scan: (args) => scanDependencies(args),
+    shouldScan: () => true, // There's no dry run for yarn, so we always scan
+  };
+}
+
+async function scanDependencies(args) {
+  const changes = [];
+  const packageUpdates = parsePackagesFromArguments(args);
+
+  for (const packageUpdate of packageUpdates) {
+    var exactVersion = await resolvePackageVersion(
+      packageUpdate.name,
+      packageUpdate.version
+    );
+    if (exactVersion) {
+      packageUpdate.version = exactVersion;
+    }
+
+    changes.push({ ...packageUpdate, type: "add" });
+  }
+
+  return changes;
+}

package/src/packagemanager/yarn/parsing/parsePackagesFromArguments.js

@@ -0,0 +1,102 @@
+export function parsePackagesFromArguments(args) {
+  const changes = [];
+  let defaultTag = "latest";
+
+  for (let i = 1; i < args.length; i++) {
+    const arg = args[i];
+    const option = getOption(arg);
+
+    if (option) {
+      // If the option has a parameter, skip the next argument as well
+      i += option.numberOfParameters;
+
+      continue;
+    }
+
+    const packageDetails = parsePackagename(arg, defaultTag);
+    if (packageDetails) {
+      changes.push(packageDetails);
+    }
+  }
+
+  return changes;
+}
+
+function getOption(arg) {
+  if (isOptionWithParameter(arg)) {
+    return {
+      name: arg,
+      numberOfParameters: 1,
+    };
+  }
+
+  // Arguments starting with "-" or "--" are considered options
+  // except for "--package=" which contains the package name
+  if (arg.startsWith("-")) {
+    return {
+      name: arg,
+      numberOfParameters: 0,
+    };
+  }
+
+  return undefined;
+}
+
+function isOptionWithParameter(arg) {
+  const optionsWithParameters = [
+    "--use-yarnrc",
+    "--link-folder",
+    "--global-folder",
+    "--modules-folder",
+    "--preferred-cache-folder",
+    "--cache-folder",
+    "--mutex",
+    "--cwd",
+    "--proxy",
+    "--https-proxy",
+    "--registry",
+    "--network-concurrency",
+    "--network-timeout",
+    "--scripts-prepend-node-path",
+    "--otp",
+  ];
+
+  return optionsWithParameters.includes(arg);
+}
+
+function parsePackagename(arg, defaultTag) {
+  // format can be --package=name@version
+  // in that case, we need to remove the --package= part
+  if (arg.startsWith("--package=")) {
+    arg = arg.slice(10);
+  }
+
+  arg = removeAlias(arg);
+
+  // Split at the last "@" to separate the package name and version
+  const lastAtIndex = arg.lastIndexOf("@");
+
+  let name, version;
+  if (lastAtIndex !== -1) {
+    name = arg.slice(0, lastAtIndex);
+    version = arg.slice(lastAtIndex + 1);
+  } else {
+    name = arg;
+    version = defaultTag; // No tag specified (eg: "http-server"), use the default tag
+  }
+
+  return {
+    name,
+    version,
+  };
+}
+
+function removeAlias(arg) {
+  // removes the alias.
+  // Eg.: server@npm:http-server@latest becomes http-server@latest
+  const aliasIndex = arg.indexOf("@npm:");
+  if (aliasIndex !== -1) {
+    return arg.slice(aliasIndex + 5);
+  }
+  return arg;
+}