npm - @aikidosec/safe-chain - Versions diffs - 1.0.0 → 1.0.10 - Mend

@aikidosec/safe-chain 1.0.0 → 1.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

package/.editorconfig +8 -0
package/.github/workflows/build-and-release.yml +41 -0
package/.github/workflows/test-on-pr.yml +28 -0
package/README.md +55 -0
package/bin/aikido-npm.js +8 -0
package/bin/aikido-npx.js +8 -0
package/bin/aikido-yarn.js +8 -0
package/eslint.config.js +25 -0
package/package.json +27 -5
package/safe-package-manager-demo.gif +0 -0
package/src/api/aikido.js +31 -0
package/src/api/npmApi.js +46 -0
package/src/config/configFile.js +91 -0
package/src/environment/environment.js +14 -0
package/src/environment/userInteraction.js +79 -0
package/src/main.js +31 -0
package/src/packagemanager/currentPackageManager.js +28 -0
package/src/packagemanager/npm/createPackageManager.js +83 -0
package/src/packagemanager/npm/dependencyScanner/commandArgumentScanner.js +37 -0
package/src/packagemanager/npm/dependencyScanner/dryRunScanner.js +50 -0
package/src/packagemanager/npm/dependencyScanner/nullScanner.js +6 -0
package/src/packagemanager/npm/parsing/parseNpmInstallDryRunOutput.js +57 -0
package/src/packagemanager/npm/parsing/parseNpmInstallDryRunOutput.spec.js +134 -0
package/src/packagemanager/npm/parsing/parsePackagesFromInstallArgs.js +109 -0
package/src/packagemanager/npm/parsing/parsePackagesFromInstallArgs.spec.js +176 -0
package/src/packagemanager/npm/runNpmCommand.js +33 -0
package/src/packagemanager/npm/utils/cmd-list.js +171 -0
package/src/packagemanager/npm/utils/npmCommands.js +26 -0
package/src/packagemanager/npx/createPackageManager.js +13 -0
package/src/packagemanager/npx/dependencyScanner/commandArgumentScanner.js +31 -0
package/src/packagemanager/npx/parsing/parsePackagesFromArguments.js +106 -0
package/src/packagemanager/npx/parsing/parsePackagesFromArguments.spec.js +147 -0
package/src/packagemanager/npx/runNpxCommand.js +17 -0
package/src/packagemanager/yarn/createPackageManager.js +34 -0
package/src/packagemanager/yarn/dependencyScanner/commandArgumentScanner.js +28 -0
package/src/packagemanager/yarn/parsing/parsePackagesFromArguments.js +102 -0
package/src/packagemanager/yarn/parsing/parsePackagesFromArguments.spec.js +126 -0
package/src/packagemanager/yarn/runYarnCommand.js +17 -0
package/src/scanning/audit/index.js +56 -0
package/src/scanning/index.js +94 -0
package/src/scanning/index.scanCommand.spec.js +180 -0
package/src/scanning/index.shouldScanCommand.spec.js +47 -0
package/src/scanning/malwareDatabase.js +62 -0
package/src/shell-integration/addAlias.js +63 -0
package/src/shell-integration/helpers.js +44 -0
package/src/shell-integration/removeAlias.js +61 -0
package/src/shell-integration/shellIntegration.spec.js +172 -0

package/src/packagemanager/yarn/parsing/parsePackagesFromArguments.spec.js ADDED Viewed

@@ -0,0 +1,126 @@
+import { describe, it } from "node:test";
+import assert from "node:assert";
+import { parsePackagesFromArguments } from "./parsePackagesFromArguments.js";
+describe("standardYarnArgumentParser", () => {
+  it("should return an empty array for no changes", () => {
+    const args = ["add"];
+    const result = parsePackagesFromArguments(args);
+    assert.deepEqual(result, []);
+  });
+  it("should return an array of changes for one package", () => {
+    const args = ["add", "axios@1.9.0"];
+    const result = parsePackagesFromArguments(args);
+    assert.deepEqual(result, [{ name: "axios", version: "1.9.0" }]);
+  });
+  it("should return the package with latest tag if absent", () => {
+    const args = ["add", "axios"];
+    const result = parsePackagesFromArguments(args);
+    assert.deepEqual(result, [{ name: "axios", version: "latest" }]);
+  });
+  it("should only return all packages", () => {
+    const args = ["add", "axios", "jest"];
+    const result = parsePackagesFromArguments(args);
+    assert.deepEqual(result, [
+      { name: "axios", version: "latest" },
+      { name: "jest", version: "latest" },
+    ]);
+  });
+  it("should ignore options with parameters and return an array of changes", () => {
+    const args = ["add", "--proxy", "http://localhost", "axios@1.9.0"];
+    const result = parsePackagesFromArguments(args);
+    assert.deepEqual(result, [{ name: "axios", version: "1.9.0" }]);
+  });
+  it("should parse version even for aliased packages", () => {
+    const args = ["add", "server@npm:axios@1.9.0"];
+    const result = parsePackagesFromArguments(args);
+    assert.deepEqual(result, [{ name: "axios", version: "1.9.0" }]);
+  });
+  it("should parse scoped packages", () => {
+    const args = ["add", "@scope/package@1.0.0"];
+    const result = parsePackagesFromArguments(args);
+    assert.deepEqual(result, [{ name: "@scope/package", version: "1.0.0" }]);
+  });
+  it("should parse packages with version ranges", () => {
+    const args = ["add", "axios@^1.9.0"];
+    const result = parsePackagesFromArguments(args);
+    assert.deepEqual(result, [{ name: "axios", version: "^1.9.0" }]);
+  });
+  it("should parse package folders", () => {
+    const args = ["add", "./local-package"];
+    const result = parsePackagesFromArguments(args);
+    assert.deepEqual(result, [{ name: "./local-package", version: "latest" }]);
+  });
+  it("should parse tarballs", () => {
+    const args = ["add", "file:./local-package.tgz"];
+    const result = parsePackagesFromArguments(args);
+    assert.deepEqual(result, [
+      { name: "file:./local-package.tgz", version: "latest" },
+    ]);
+  });
+  it("should parse tarball URLs", () => {
+    const args = ["add", "https://example.com/local-package.tgz"];
+    const result = parsePackagesFromArguments(args);
+    assert.deepEqual(result, [
+      { name: "https://example.com/local-package.tgz", version: "latest" },
+    ]);
+  });
+  it("should parse git URLs", () => {
+    const args = ["add", "git://github.com/http-party/http-server"];
+    const result = parsePackagesFromArguments(args);
+    assert.deepEqual(result, [
+      { name: "git://github.com/http-party/http-server", version: "latest" },
+    ]);
+  });
+  it("should parse packages with -p {packageName}", () => {
+    const args = ["dlx", "-p", "axios@1.9.0"];
+    const result = parsePackagesFromArguments(args);
+    assert.deepEqual(result, [{ name: "axios", version: "1.9.0" }]);
+  });
+  it("should parse packages with --package {packageName}", () => {
+    const args = ["dlx", "--package", "axios@1.9.0"];
+    const result = parsePackagesFromArguments(args);
+    assert.deepEqual(result, [{ name: "axios", version: "1.9.0" }]);
+  });
+});

package/src/packagemanager/yarn/runYarnCommand.js ADDED Viewed

@@ -0,0 +1,17 @@
+import { execSync } from "child_process";
+import { ui } from "../../environment/userInteraction.js";
+export function runYarnCommand(args) {
+  try {
+    const npxCommand = `yarn ${args.join(" ")}`;
+    execSync(npxCommand, { stdio: "inherit" });
+  } catch (error) {
+    if (error.status) {
+      return { status: error.status };
+    } else {
+      ui.writeError("Error executing command:", error.message);
+      return { status: 1 };
+    }
+  }
+  return { status: 0 };
+}

package/src/scanning/audit/index.js ADDED Viewed

@@ -0,0 +1,56 @@
+import {
+  MALWARE_STATUS_MALWARE,
+  openMalwareDatabase,
+} from "../malwareDatabase.js";
+export async function auditChanges(changes) {
+  const allowedChanges = [];
+  const disallowedChanges = [];
+  var malwarePackages = await getPackagesWithMalware(
+    changes.filter(
+      (change) => change.type === "add" || change.type === "change"
+    )
+  );
+  for (const change of changes) {
+    const malwarePackage = malwarePackages.find(
+      (pkg) => pkg.name === change.name && pkg.version === change.version
+    );
+    if (malwarePackage) {
+      disallowedChanges.push({ ...change, reason: malwarePackage.status });
+    } else {
+      allowedChanges.push(change);
+    }
+  }
+  const auditResults = {
+    allowedChanges,
+    disallowedChanges,
+    isAllowed: disallowedChanges.length === 0,
+  };
+  return auditResults;
+}
+async function getPackagesWithMalware(changes) {
+  if (changes.length === 0) {
+    return [];
+  }
+  const malwareDb = await openMalwareDatabase();
+  let allVulnerablePackages = [];
+  for (const change of changes) {
+    if (malwareDb.isMalware(change.name, change.version)) {
+      allVulnerablePackages.push({
+        name: change.name,
+        version: change.version,
+        status: MALWARE_STATUS_MALWARE,
+      });
+    }
+  }
+  return allVulnerablePackages;
+}

package/src/scanning/index.js ADDED Viewed

@@ -0,0 +1,94 @@
+import { auditChanges } from "./audit/index.js";
+import { getScanTimeout } from "../config/configFile.js";
+import { setTimeout } from "timers/promises";
+import chalk from "chalk";
+import { getPackageManager } from "../packagemanager/currentPackageManager.js";
+import { ui } from "../environment/userInteraction.js";
+export function shouldScanCommand(args) {
+  if (!args || args.length === 0) {
+    return false;
+  }
+  return getPackageManager().isSupportedCommand(args);
+}
+export async function scanCommand(args) {
+  if (!shouldScanCommand(args)) {
+    return [];
+  }
+  let timedOut = false;
+  const spinner = ui.startProcess("Scanning for malicious packages...");
+  let audit;
+  await Promise.race([
+    (async () => {
+      try {
+        const packageManager = getPackageManager();
+        const changes = await packageManager.getDependencyUpdatesForCommand(
+          args
+        );
+        if (timedOut) {
+          return;
+        }
+        if (changes.length > 0) {
+          spinner.setText(`Scanning ${changes.length} package(s)...`);
+        }
+        audit = await auditChanges(changes);
+      } catch (error) {
+        spinner.fail(`Error while scanning: ${error.message}`);
+        throw error;
+      }
+    })(),
+    setTimeout(getScanTimeout()).then(() => {
+      timedOut = true;
+    }),
+  ]);
+  if (timedOut) {
+    spinner.fail("Timeout exceeded while scanning.");
+    throw new Error("Timeout exceeded while scanning npm install command.");
+  }
+  if (!audit || audit.isAllowed) {
+    spinner.succeed("No malicious packages detected.");
+  } else {
+    printMaliciousChanges(audit.disallowedChanges, spinner);
+    await acceptRiskOrExit(
+      "Do you want to continue with the installation despite the risks?",
+      false
+    );
+  }
+}
+function printMaliciousChanges(changes, spinner) {
+  spinner.fail(chalk.bold("Malicious changes detected:"));
+  for (const change of changes) {
+    ui.writeInformation(` - ${change.name}@${change.version}`);
+  }
+}
+async function acceptRiskOrExit(message, defaultValue) {
+  ui.emptyLine();
+  const continueInstall = await ui.confirm({
+    message: message,
+    default: defaultValue,
+  });
+  if (continueInstall) {
+    ui.writeInformation("Continuing with the installation...");
+    return;
+  }
+  ui.writeInformation(
+    "Exiting without installing packages. Please check the output."
+  );
+  ui.emptyLine();
+  process.exit(1);
+}

package/src/scanning/index.scanCommand.spec.js ADDED Viewed

@@ -0,0 +1,180 @@
+import assert from "node:assert/strict";
+import { describe, it, mock } from "node:test";
+import { setTimeout } from "node:timers/promises";
+describe("scanCommand", async () => {
+  const getScanTimeoutMock = mock.fn(() => 1000);
+  const mockGetDependencyUpdatesForCommand = mock.fn();
+  const mockStartProcess = mock.fn(() => ({
+    setText: () => {},
+    succeed: () => {},
+    fail: () => {},
+  }));
+  const mockConfirm = mock.fn(() => true);
+  // import { getPackageManager } from "../packagemanager/currentPackageManager.js";
+  mock.module("../packagemanager/currentPackageManager.js", {
+    namedExports: {
+      getPackageManager: () => {
+        return {
+          isSupportedCommand: () => true,
+          getDependencyUpdatesForCommand: mockGetDependencyUpdatesForCommand,
+        };
+      },
+    },
+  });
+  // import { getScanTimeout } from "../config/configFile.js";
+  mock.module("../config/configFile.js", {
+    namedExports: {
+      getScanTimeout: getScanTimeoutMock,
+      getBaseUrl: () => undefined,
+    },
+  });
+  // import { ui } from "../environment/userInteraction.js";
+  mock.module("../environment/userInteraction.js", {
+    namedExports: {
+      ui: {
+        startProcess: mockStartProcess,
+        writeError: () => {},
+        writeInformation: () => {},
+        writeWarning: () => {},
+        emptyLine: () => {},
+        confirm: mockConfirm,
+      },
+    },
+  });
+  // import { auditChanges, MAX_LENGTH_EXCEEDED } from "./audit/index.js";
+  mock.module("./audit/index.js", {
+    namedExports: {
+      auditChanges: (changes) => {
+        const malisciousChangeName = "malicious";
+        const allowedChanges = changes.filter(
+          (change) => change.name !== malisciousChangeName
+        );
+        const disallowedChanges = changes
+          .filter((change) => change.name === malisciousChangeName)
+          .map((change) => ({
+            ...change,
+            reason: "malicious",
+          }));
+        const auditResults = {
+          allowedChanges,
+          disallowedChanges,
+          isAllowed: disallowedChanges.length === 0,
+        };
+        return auditResults;
+      },
+      MAX_LENGTH_EXCEEDED: "MAX_LENGTH_EXCEEDED",
+    },
+  });
+  const { scanCommand } = await import("./index.js");
+  it("should succeed when there are no changes", async () => {
+    let successMessageWasSet = false;
+    mockStartProcess.mock.mockImplementationOnce(() => ({
+      setText: () => {},
+      succeed: () => {
+        successMessageWasSet = true;
+      },
+      fail: () => {},
+    }));
+    mockGetDependencyUpdatesForCommand.mock.mockImplementation(() => []);
+    await scanCommand(["install", "lodash"]);
+    assert.equal(successMessageWasSet, true);
+  });
+  it("should succeed when changes are not malicious", async () => {
+    let successMessageWasSet = false;
+    mockStartProcess.mock.mockImplementationOnce(() => ({
+      setText: () => {},
+      succeed: () => {
+        successMessageWasSet = true;
+      },
+      fail: () => {},
+    }));
+    mockGetDependencyUpdatesForCommand.mock.mockImplementation(() => [
+      { name: "lodash", version: "4.17.21" },
+    ]);
+    await scanCommand(["install", "lodash"]);
+    assert.equal(successMessageWasSet, true);
+  });
+  it("should throw an error when timing out", async () => {
+    let failureMessageWasSet = false;
+    mockStartProcess.mock.mockImplementationOnce(() => ({
+      setText: () => {},
+      succeed: () => {},
+      fail: () => {
+        failureMessageWasSet = true;
+      },
+    }));
+    getScanTimeoutMock.mock.mockImplementationOnce(() => 100);
+    mockGetDependencyUpdatesForCommand.mock.mockImplementation(async () => {
+      await setTimeout(150);
+      return [{ name: "lodash", version: "4.17.21" }];
+    });
+    await assert.rejects(scanCommand(["install", "lodash"]));
+    assert.equal(failureMessageWasSet, true);
+  });
+  it("should fail and prompt the user when malicious changes are detected", async () => {
+    let failureMessageWasSet = false;
+    mockStartProcess.mock.mockImplementationOnce(() => ({
+      setText: () => {},
+      succeed: () => {},
+      fail: () => {
+        failureMessageWasSet = true;
+      },
+    }));
+    mockGetDependencyUpdatesForCommand.mock.mockImplementation(() => [
+      { name: "malicious", version: "1.0.0" },
+    ]);
+    let userWasPrompted = false;
+    mockConfirm.mock.mockImplementationOnce(() => {
+      userWasPrompted = true;
+      return true; // Simulate user accepting the risk, otherwise the process would exit
+    });
+    await scanCommand(["install", "malicious"]);
+    assert.equal(failureMessageWasSet, true);
+    assert.equal(userWasPrompted, true);
+  });
+  it("should not report a timeout when the user takes a long time to respond (it should not affect the timeout)", async () => {
+    let failureMessages = [];
+    mockStartProcess.mock.mockImplementationOnce(() => ({
+      setText: () => {},
+      succeed: () => {},
+      fail: (message) => {
+        failureMessages.push(message);
+      },
+    }));
+    getScanTimeoutMock.mock.mockImplementationOnce(() => 100);
+    mockGetDependencyUpdatesForCommand.mock.mockImplementation(async () => {
+      return [{ name: "malicious", version: "4.17.21" }];
+    });
+    mockConfirm.mock.mockImplementationOnce(async () => {
+      await setTimeout(200);
+      return true; // Simulate user accepting the risk, otherwise the process would exit
+    });
+    await scanCommand(["install", "malicious"]);
+    assert.equal(failureMessages.length, 1);
+    const failureMessage = failureMessages[0];
+    assert.equal(failureMessage.toLowerCase().includes("timeout"), false);
+    assert.equal(failureMessage.toLowerCase().includes("malicious"), true);
+  });
+});

package/src/scanning/index.shouldScanCommand.spec.js ADDED Viewed

@@ -0,0 +1,47 @@
+import assert from "node:assert/strict";
+import { describe, it, mock } from "node:test";
+describe("shouldScanCommand", async () => {
+  const isSupportedCommandMock = mock.fn(() => undefined);
+  mock.module("../packagemanager/currentPackageManager.js", {
+    namedExports: {
+      getPackageManager: () => {
+        return {
+          isSupportedCommand: isSupportedCommandMock,
+          getDependencyUpdatesForCommand: () => [],
+        };
+      },
+    },
+  });
+  const { shouldScanCommand } = await import("./index.js");
+  it("should return false if the argument is an empty array", () => {
+    const result = shouldScanCommand([]);
+    assert.strictEqual(result, false);
+  });
+  it("should return false if the argument is undefined", () => {
+    const result = shouldScanCommand(undefined);
+    assert.strictEqual(result, false);
+  });
+  it("should return true if the package manager supports the command", () => {
+    isSupportedCommandMock.mock.mockImplementation(() => true);
+    const result = shouldScanCommand(["install", "lodash"]);
+    assert.strictEqual(result, true);
+  });
+  it("should return false if the package manager does not support the command", () => {
+    isSupportedCommandMock.mock.mockImplementation(() => false);
+    const result = shouldScanCommand(["unknown", "command"]);
+    assert.strictEqual(result, false);
+  });
+});

package/src/scanning/malwareDatabase.js ADDED Viewed

@@ -0,0 +1,62 @@
+import {
+  fetchMalwareDatabase,
+  fetchMalwareDatabaseVersion,
+} from "../api/aikido.js";
+import {
+  readDatabaseFromLocalCache,
+  writeDatabaseToLocalCache,
+} from "../config/configFile.js";
+export async function openMalwareDatabase() {
+  const malwareDatabase = await getMalwareDatabase();
+  function getPackageStatus(name, version) {
+    const packageData = malwareDatabase.find(
+      (pkg) =>
+        pkg.package_name === name &&
+        (pkg.version === version || pkg.version === "*")
+    );
+    if (!packageData) {
+      return MALWARE_STATUS_OK;
+    }
+    return packageData.reason;
+  }
+  return {
+    getPackageStatus,
+    isMalware: (name, version) => {
+      const status = getPackageStatus(name, version);
+      return isMalwareStatus(status);
+    },
+  };
+}
+async function getMalwareDatabase() {
+  const { malwareDatabase: cachedDatabase, version: cachedVersion } =
+    readDatabaseFromLocalCache();
+  if (cachedDatabase) {
+    const currentVersion = await fetchMalwareDatabaseVersion();
+    if (cachedVersion === currentVersion) {
+      return cachedDatabase;
+    }
+  }
+  const { malwareDatabase, version } = await fetchMalwareDatabase();
+  writeDatabaseToLocalCache(malwareDatabase, version);
+  return malwareDatabase;
+}
+function isMalwareStatus(status) {
+  let malwareStatus = status.toUpperCase();
+  return malwareStatus === MALWARE_STATUS_MALWARE;
+}
+export const MALWARE_STATUS_OK = "OK";
+export const MALWARE_STATUS_MALWARE = "MALWARE";
+export const MALWARE_STATUS_TELEMETRY = "TELEMETRY";
+export const MALWARE_STATUS_PROTESTWARE = "PROTESTWARE";

package/src/shell-integration/addAlias.js ADDED Viewed

@@ -0,0 +1,63 @@
+import fs from "fs";
+import path from "path";
+import { EOL } from "os";
+import { getAliases } from "./helpers.js";
+import { ui } from "../environment/userInteraction.js";
+export function isAddAliasCommand(args) {
+  if (args[0] === "add-aikido-aliases") {
+    return true;
+  }
+  if (args[0] === "add-aikido-npm-alias") {
+    // not in the documenation anymore, but still here for backwards compatibility
+    return true;
+  }
+  return false;
+}
+export function addAlias(args) {
+  if (!isAddAliasCommand(args)) {
+    return;
+  }
+  if (args.length < 2) {
+    ui.writeError("Please specify the file to add the alias to.");
+    return;
+  }
+  const filePath = path.resolve(args[1]);
+  const aliases = getAliases(filePath);
+  if (!fs.existsSync(filePath)) {
+    fs.writeFileSync(filePath, "", "utf-8");
+    ui.writeInformation(`File ${filePath} created.`);
+  }
+  const fileContent = fs.readFileSync(filePath, "utf-8");
+  let missingAliases = [];
+  for (const alias of aliases) {
+    if (fileContent.includes(alias)) {
+      ui.writeInformation(`Alias "${alias}" already exists in ${filePath}`);
+    } else {
+      missingAliases.push(alias);
+    }
+  }
+  if (missingAliases.length === 0) {
+    ui.writeInformation(`The aliases are already present in ${filePath}`);
+    return;
+  }
+  const aliasLines = missingAliases.join(EOL);
+  ui.writeInformation(`Adding alias "${aliasLines}" to ${filePath}...`);
+  // Append the alias to the file
+  fs.appendFileSync(filePath, `${EOL}${aliasLines}${EOL}`, "utf-8");
+  ui.writeInformation(`Alias added to ${filePath}`);
+  ui.writeInformation(
+    `Please restart your terminal for the changes to take effect.`
+  );
+}

package/src/shell-integration/helpers.js ADDED Viewed

@@ -0,0 +1,44 @@
+const knownAikidoTools = [
+  { tool: "npm", aikidoCommand: "aikido-npm" },
+  { tool: "npx", aikidoCommand: "aikido-npx" },
+  { tool: "yarn", aikidoCommand: "aikido-yarn" },
+  // When adding a new tool here, also update the expected alias in the tests (shellIntegration.spec.js)
+  // and add the documentation for the new tool in the README.md
+];
+export function getAliases(fileName) {
+  const fileExtension = fileName.split(".").pop().toLowerCase();
+  let createAlias = pickCreateAliasFunction(fileExtension);
+  const aliases = knownAikidoTools.map(({ tool, aikidoCommand }) =>
+    createAlias(tool, aikidoCommand)
+  );
+  return aliases;
+}
+function pickCreateAliasFunction(fileExtension) {
+  let createAlias;
+  switch (fileExtension) {
+    case "ps1":
+      createAlias = createGeneralPowershellAlias;
+      break;
+    case "fish":
+      createAlias = createGeneralFishAlias;
+      break;
+    default:
+      createAlias = createGeneralPosixAlias;
+  }
+  return createAlias;
+}
+function createGeneralPosixAlias(tool, aikidoCommand) {
+  return `alias ${tool}='${aikidoCommand}'`;
+}
+function createGeneralPowershellAlias(tool, aikidoCommand) {
+  return `Set-Alias ${tool} ${aikidoCommand}`;
+}
+function createGeneralFishAlias(tool, aikidoCommand) {
+  return `alias ${tool} "${aikidoCommand}"`;
+}