@aikidosec/safe-chain 1.0.0 → 1.0.11

package/.editorconfig

@@ -0,0 +1,8 @@
+
+[*]
+charset = utf-8
+insert_final_newline = true
+end_of_line = lf
+indent_style = space
+indent_size = 2
+max_line_length = 80

package/.github/workflows/build-and-release.yml

@@ -0,0 +1,41 @@
+name: Create Release
+
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: "lts/*"
+          registry-url: "https://registry.npmjs.org/"
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+
+      - name: Set version number
+        id: get_version
+        run: |
+          version="${{ github.ref_name }}"
+          echo "tag=$version" >> $GITHUB_OUTPUT
+
+      - name: Set the version
+        run: npm --no-git-tag-version version ${{ steps.get_version.outputs.tag }}
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Publish to npm
+        run: |
+          echo "Publishing version ${{ steps.get_version.outputs.tag }} to NPM"
+          npm publish --access public
+        env:
+          NPM_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

package/.github/workflows/test-on-pr.yml

@@ -0,0 +1,28 @@
+name: Run Unit Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: "lts/*"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run tests
+        run: npm test
+
+      - name: Run ESLint
+        run: npm run lint

package/README.md

@@ -0,0 +1,57 @@
+# Aikido Safe Chain
+
+The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), and [yarn](https://yarnpkg.com/) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, or yarn from downloading or running the malware.
+
+![demo](./safe-package-manager-demo.gif)
+
+## Installation
+
+Installing the Aikido Safe Chain is easy. You just need 3 simple steps:
+
+1. **Install the Aikido Safe Chain package globally** using npm:
+   ```shell
+   npm install -g @aikidosec/safe-chain
+   ```
+2. **Setup the shell integration** by running:
+   ```shell
+   safe-chain setup-shell
+   ```
+3. **Restart your terminal** to start using the Aikido Safe Chain.
+
+When running `npm`, `npx`, or `yarn` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. If any malware is detected, it will prompt you to exit the command.
+
+## Aliases in shell
+
+The Aikido Safe Chain will setup aliases in your shell for the commands **npm**, **npx**, and **yarn**. This means that when you run these commands, they will be replaced with the Aikido Safe Chain commands **aikido-npm**, **aikido-npx**, and **aikido-yarn** respectively. The Aikido Safe Chain will do a pre-install check for malware before running the original command.
+
+### Creating shell aliases
+
+The `setup-shell` command will detect which shells are installed and add the aliases for **npm**, **npx**, and **yarn** to your shell startup scripts.
+
+Supported shells include:
+
+- ✅ **Bash**: `~/.bashrc`
+- ✅ **Zsh**: `~/.zshrc`
+- ✅ **Fish**: `~/.config/fish/config.fish`
+- ✅ **Powershell**: `$PROFILE`
+- ✅ **PowerShell Core**: `$PROFILE`
+
+After adding the alias, **the shell needs to restart in order to load the alias**.
+
+### Removing shell aliases
+
+The `remove-shell` command will remove the aliases for **npm**, **npx**, and **yarn** from your shell startup scripts. This is useful if you want to stop using the Aikido Safe Chain or if you want to switch to a different package manager.
+
+## Uninstallation
+
+To uninstall the Aikido Safe Chain, you can run the following command:
+
+1. **Remove all aliases from your shell** by running:
+   ```shell
+   safe-chain remove-shell
+   ```
+2. **Uninstall the Aikido Safe Chain package** using npm:
+   ```shell
+   npm uninstall -g @aikidosec/safe-chain
+   ```
+3. **Restart your terminal** to remove the aliases.

package/bin/aikido-npm.js

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+
+import { main } from "../src/main.js";
+import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
+
+const packageManagerName = "npm";
+initializePackageManager(packageManagerName, process.versions.node);
+await main(process.argv.slice(2));

package/bin/aikido-npx.js

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+
+import { main } from "../src/main.js";
+import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
+
+const packageManagerName = "npx";
+initializePackageManager(packageManagerName, process.versions.node);
+await main(process.argv.slice(2));

package/bin/aikido-yarn.js

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+
+import { main } from "../src/main.js";
+import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
+
+const packageManagerName = "yarn";
+initializePackageManager(packageManagerName, process.versions.node);
+await main(process.argv.slice(2));

package/bin/safe-chain.js

@@ -0,0 +1,57 @@
+#!/usr/bin/env node
+
+import chalk from "chalk";
+import { ui } from "../src/environment/userInteraction.js";
+import { setupShell } from "../src/shell-integration/setupShell.js";
+import { removeShell } from "../src/shell-integration/removeShell.js";
+
+if (process.argv.length < 3) {
+  ui.writeError("No command provided. Please provide a command to execute.");
+  ui.emptyLine();
+  writeHelp();
+  process.exit(1);
+}
+
+const command = process.argv[2];
+
+if (command === "help" || command === "--help" || command === "-h") {
+  writeHelp();
+  process.exit(0);
+}
+
+if (command === "setup-shell") {
+  setupShell();
+} else if (command === "remove-shell") {
+  removeShell();
+} else {
+  ui.writeError(`Unknown command: ${command}.`);
+  ui.emptyLine();
+
+  writeHelp();
+
+  process.exit(1);
+}
+
+function writeHelp() {
+  ui.writeInformation(
+    chalk.bold("Usage: ") + chalk.cyan("safe-chain <command>")
+  );
+  ui.emptyLine();
+  ui.writeInformation(
+    `Available commands: ${chalk.cyan("setup-shell")}, ${chalk.cyan(
+      "remove-shell"
+    )}, ${chalk.cyan("help")}`
+  );
+  ui.emptyLine();
+  ui.writeInformation(
+    `- ${chalk.cyan(
+      "safe-chain setup-shell"
+    )}: This will setup your shell to wrap safe-chain around npm, npx and yarn.`
+  );
+  ui.writeInformation(
+    `- ${chalk.cyan(
+      "safe-chain remove-shell"
+    )}: This will remove safe-chain aliases from your shell configuration.`
+  );
+  ui.emptyLine();
+}

package/eslint.config.js

@@ -0,0 +1,25 @@
+import js from "@eslint/js";
+import { defineConfig } from "@eslint/config-helpers";
+import globals from "globals";
+import importPlugin from "eslint-plugin-import";
+
+export default defineConfig([
+  {
+    files: ["**/*.{js,mjs,cjs,ts}"],
+    plugins: { js },
+    extends: ["js/recommended"],
+  },
+  {
+    files: ["**/*.{js,mjs,cjs,ts}"],
+    languageOptions: { globals: globals.node },
+  },
+  importPlugin.flatConfigs.recommended,
+  {
+    files: ["**/*.{js,mjs,cjs}"],
+    languageOptions: {
+      ecmaVersion: "latest",
+      sourceType: "module",
+    },
+    rules: {},
+  },
+]);

package/package.json

@@ -1,18 +1,41 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.0.0",
-  "scripts": {},
+  "version": "1.0.11",
+  "scripts": {
+    "test": "node --test --experimental-test-module-mocks **/*.spec.js",
+    "test:watch": "node --test --watch --experimental-test-module-mocks **/*.spec.js",
+    "lint": "eslint ."
+  },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/AikidoSec/safe-npm.git"
   },
-  "bin": {},
+  "bin": {
+    "aikido-npm": "bin/aikido-npm.js",
+    "aikido-npx": "bin/aikido-npx.js",
+    "aikido-yarn": "bin/aikido-yarn.js",
+    "safe-chain": "bin/safe-chain.js"
+  },
   "type": "module",
   "keywords": [],
   "author": "Aikido Security",
   "license": "AGPL-3.0-or-later",
-  "description": "The Aikido Safe Package Manager wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), and [pnpx](https://pnpm.io/cli/dlx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, or pnpx from downloading or running the malware.",
-  "dependencies": {},
+  "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), and [pnpx](https://pnpm.io/cli/dlx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, or pnpx from downloading or running the malware.",
+  "dependencies": {
+    "@inquirer/prompts": "^7.4.1",
+    "abbrev": "^3.0.1",
+    "chalk": "^5.4.1",
+    "npm-registry-fetch": "^18.0.2",
+    "ora": "^8.2.0",
+    "semver": "^7.7.2"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.26.0",
+    "eslint": "^9.26.0",
+    "eslint-plugin-import": "^2.31.0",
+    "globals": "^16.1.0",
+    "typescript-eslint": "^8.32.0"
+  },
   "main": "eslint.config.js",
   "bugs": {
     "url": "https://github.com/AikidoSec/safe-npm/issues"

package/src/api/aikido.js

@@ -0,0 +1,31 @@
+const malwareDatabaseUrl =
+  "https://malware-list.aikido.dev/malware_predictions.json";
+
+export async function fetchMalwareDatabase() {
+  const response = await fetch(malwareDatabaseUrl);
+  if (!response.ok) {
+    throw new Error(`Error fetching malware database: ${response.statusText}`);
+  }
+
+  try {
+    let malwareDatabase = await response.json();
+    return {
+      malwareDatabase: malwareDatabase,
+      version: response.headers.get("etag") || undefined,
+    };
+  } catch (error) {
+    throw new Error(`Error parsing malware database: ${error.message}`);
+  }
+}
+
+export async function fetchMalwareDatabaseVersion() {
+  const response = await fetch(malwareDatabaseUrl, {
+    method: "HEAD",
+  });
+  if (!response.ok) {
+    throw new Error(
+      `Error fetching malware database version: ${response.statusText}`
+    );
+  }
+  return response.headers.get("etag") || undefined;
+}

package/src/api/npmApi.js

@@ -0,0 +1,46 @@
+import * as semver from "semver";
+import * as npmFetch from "npm-registry-fetch";
+
+export async function resolvePackageVersion(packageName, versionRange) {
+  if (!versionRange) {
+    versionRange = "latest";
+  }
+
+  if (semver.valid(versionRange)) {
+    // The version is a fixed version, no need to resolve
+    return versionRange;
+  }
+
+  const packageInfo = await getPackageInfo(packageName);
+  if (!packageInfo) {
+    // It is possible that no version is found (could be a private package, or a package that doesn't exist)
+    // In this case, we return null to indicate that we couldn't resolve the version
+    return null;
+  }
+
+  const distTags = packageInfo["dist-tags"];
+  if (distTags && distTags[versionRange]) {
+    // If the version range is a dist-tag, return the version associated with that tag
+    // e.g., "latest", "next", etc.
+    return distTags[versionRange];
+  }
+
+  // If the version range is not a dist-tag, we need to resolve the highest version matching the range.
+  // This is useful for ranges like "^1.0.0" or "~2.3.4".
+  const availableVersions = Object.keys(packageInfo.versions);
+  const resolvedVersion = semver.maxSatisfying(availableVersions, versionRange);
+  if (resolvedVersion) {
+    return resolvedVersion;
+  }
+
+  // Nothing matched the range, return null
+  return null;
+}
+
+async function getPackageInfo(packageName) {
+  try {
+    return await npmFetch.json(packageName);
+  } catch {
+    return null;
+  }
+}

package/src/config/configFile.js

@@ -0,0 +1,91 @@
+import fs from "fs";
+import path from "path";
+import os from "os";
+import { ui } from "../environment/userInteraction.js";
+
+export function getScanTimeout() {
+  const config = readConfigFile();
+  return (
+    parseInt(process.env.AIKIDO_SCAN_TIMEOUT_MS) || config.scanTimeout || 10000 // Default to 10 seconds
+  );
+}
+
+export function writeDatabaseToLocalCache(data, version) {
+  try {
+    const databasePath = getDatabasePath();
+    const versionPath = getDatabaseVersionPath();
+
+    fs.writeFileSync(databasePath, JSON.stringify(data));
+    fs.writeFileSync(versionPath, version.toString());
+  } catch {
+    ui.writeWarning(
+      "Failed to write malware database to local cache, next time the database will be fetched from the server again."
+    );
+  }
+}
+
+export function readDatabaseFromLocalCache() {
+  try {
+    const databasePath = getDatabasePath();
+    if (!fs.existsSync(databasePath)) {
+      return {
+        malwareDatabase: null,
+        version: null,
+      };
+    }
+    const data = fs.readFileSync(databasePath, "utf8");
+    const malwareDatabase = JSON.parse(data);
+    const versionPath = getDatabaseVersionPath();
+    let version = null;
+    if (fs.existsSync(versionPath)) {
+      version = fs.readFileSync(versionPath, "utf8").trim();
+    }
+    return {
+      malwareDatabase: malwareDatabase,
+      version: version,
+    };
+  } catch {
+    ui.writeWarning(
+      "Failed to read malware database from local cache. Continuing without local cache."
+    );
+    return {
+      malwareDatabase: null,
+      version: null,
+    };
+  }
+}
+
+function readConfigFile() {
+  const configFilePath = getConfigFilePath();
+
+  if (!fs.existsSync(configFilePath)) {
+    return {};
+  }
+
+  const data = fs.readFileSync(configFilePath, "utf8");
+  return JSON.parse(data);
+}
+
+function getDatabasePath() {
+  const aikidoDir = getAikidoDirectory();
+  return path.join(aikidoDir, "malwareDatabase.json");
+}
+
+function getDatabaseVersionPath() {
+  const aikidoDir = getAikidoDirectory();
+  return path.join(aikidoDir, "version.txt");
+}
+
+function getConfigFilePath() {
+  return path.join(getAikidoDirectory(), "config.json");
+}
+
+function getAikidoDirectory() {
+  const homeDir = os.homedir();
+  const aikidoDir = path.join(homeDir, ".aikido");
+
+  if (!fs.existsSync(aikidoDir)) {
+    fs.mkdirSync(aikidoDir, { recursive: true });
+  }
+  return aikidoDir;
+}

package/src/environment/environment.js

@@ -0,0 +1,14 @@
+export function isCi() {
+  const ciEnvironments = [
+    "CI",
+    "TF_BUILD", // Azure devops does not set CI, but TF_BUILD
+  ];
+
+  for (const env of ciEnvironments) {
+    if (process.env[env]) {
+      return true;
+    }
+  }
+
+  return false;
+}

package/src/environment/userInteraction.js

@@ -0,0 +1,79 @@
+import chalk from "chalk";
+import ora from "ora";
+import { confirm as inquirerConfirm } from "@inquirer/prompts";
+import { isCi } from "./environment.js";
+
+function emptyLine() {
+  writeInformation("");
+}
+
+function writeInformation(message, ...optionalParams) {
+  console.log(message, ...optionalParams);
+}
+
+function writeWarning(message, ...optionalParams) {
+  if (!isCi()) {
+    message = chalk.yellow(message);
+  }
+  console.warn(message, ...optionalParams);
+}
+
+function writeError(message, ...optionalParams) {
+  if (!isCi()) {
+    message = chalk.red(message);
+  }
+  console.error(message, ...optionalParams);
+}
+
+function startProcess(message) {
+  if (isCi()) {
+    return {
+      succeed: (message) => {
+        writeInformation(message);
+      },
+      fail: (message) => {
+        writeError(message);
+      },
+      stop: () => {},
+      setText: (message) => {
+        writeInformation(message);
+      },
+    };
+  } else {
+    const spinner = ora(message).start();
+    return {
+      succeed: (message) => {
+        spinner.succeed(message);
+      },
+      fail: (message) => {
+        spinner.fail(message);
+      },
+      stop: () => {
+        spinner.stop();
+      },
+      setText: (message) => {
+        spinner.text = message;
+      },
+    };
+  }
+}
+
+async function confirm(config) {
+  if (isCi()) {
+    return Promise.resolve(config.default);
+  } else {
+    return inquirerConfirm({
+      message: config.message,
+      default: config.default,
+    });
+  }
+}
+
+export const ui = {
+  writeInformation,
+  writeWarning,
+  writeError,
+  emptyLine,
+  startProcess,
+  confirm,
+};

package/src/main.js

@@ -0,0 +1,18 @@
+#!/usr/bin/env node
+
+import { scanCommand, shouldScanCommand } from "./scanning/index.js";
+import { ui } from "./environment/userInteraction.js";
+import { getPackageManager } from "./packagemanager/currentPackageManager.js";
+
+export async function main(args) {
+  try {
+    if (shouldScanCommand(args)) {
+      await scanCommand(args);
+    }
+  } catch (error) {
+    ui.writeError("Failed to check for malicious packages:", error.message);
+  }
+
+  var result = getPackageManager().runCommand(args);
+  process.exit(result.status);
+}

package/src/packagemanager/currentPackageManager.js

@@ -0,0 +1,28 @@
+import { createNpmPackageManager } from "./npm/createPackageManager.js";
+import { createNpxPackageManager } from "./npx/createPackageManager.js";
+import { createYarnPackageManager } from "./yarn/createPackageManager.js";
+
+const state = {
+  packageManagerName: null,
+};
+
+export function initializePackageManager(packageManagerName, version) {
+  if (packageManagerName === "npm") {
+    state.packageManagerName = createNpmPackageManager(version);
+  } else if (packageManagerName === "npx") {
+    state.packageManagerName = createNpxPackageManager();
+  } else if (packageManagerName === "yarn") {
+    state.packageManagerName = createYarnPackageManager();
+  } else {
+    throw new Error("Unsupported package manager: " + packageManagerName);
+  }
+
+  return state.packageManagerName;
+}
+
+export function getPackageManager() {
+  if (!state.packageManagerName) {
+    throw new Error("Package manager not initialized.");
+  }
+  return state.packageManagerName;
+}