@aikidosec/safe-chain 1.0.16 → 1.0.18

package/eslint.config.js

@@ -1,5 +1,5 @@
 import js from "@eslint/js";
-import { defineConfig } from "@eslint/config-helpers";
+import { defineConfig, globalIgnores } from "@eslint/config-helpers";
 import globals from "globals";
 import importPlugin from "eslint-plugin-import";
 
@@ -22,4 +22,5 @@ export default defineConfig([
     },
     rules: {},
   },
+  globalIgnores(['test/e2e']),
 ]);

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.0.16",
+  "version": "1.0.18",
   "scripts": {
-    "test": "node --test --experimental-test-module-mocks **/*.spec.js",
-    "test:watch": "node --test --watch --experimental-test-module-mocks **/*.spec.js",
+    "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
+    "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",
     "lint": "eslint ."
   },
   "repository": {
@@ -42,5 +42,8 @@
   "bugs": {
     "url": "https://github.com/AikidoSec/safe-chain/issues"
   },
-  "homepage": "https://github.com/AikidoSec/safe-chain#readme"
+  "homepage": "https://github.com/AikidoSec/safe-chain#readme",
+  "overrides": {
+    "brace-expansion@<=2.0.2": "2.0.2"
+  }
 }

package/src/packagemanager/npm/parsing/parsePackagesFromInstallArgs.js

@@ -86,7 +86,9 @@ function parsePackagename(arg) {
   const lastAtIndex = arg.lastIndexOf("@");
 
   let name, version;
-  if (lastAtIndex !== -1) {
+  // The index of the last "@" should be greater than 0
+  // If the index is 0, it means the package name starts with "@" (eg: "@vercel/otel")
+  if (lastAtIndex > 0) {
     name = arg.slice(0, lastAtIndex);
     version = arg.slice(lastAtIndex + 1);
   } else {

package/src/packagemanager/npm/parsing/parsePackagesFromInstallArgs.spec.js

@@ -19,6 +19,14 @@ describe("parsePackagesFromInstallArgs", () => {
     assert.deepEqual(result, [{ name: "@jest/transform", version: "29.7.0" }]);
   });
 
+  it("should return the package in the format @vercel/otel", () => {
+    const args = ["install", "@vercel/otel"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [{ name: "@vercel/otel", version: "latest" }]);
+  });
+
   it("should return an array of changes for multiple packages", () => {
     const args = ["install", "express@4.17.1", "lodash@4.17.21"];
 

package/src/packagemanager/npx/parsing/parsePackagesFromArguments.js

@@ -81,7 +81,9 @@ function parsePackagename(arg, defaultTag) {
   const lastAtIndex = arg.lastIndexOf("@");
 
   let name, version;
-  if (lastAtIndex !== -1) {
+  // The index of the last "@" should be greater than 0
+  // If the index is 0, it means the package name starts with "@" (eg: "@vercel/otel")
+  if (lastAtIndex > 0) {
     name = arg.slice(0, lastAtIndex);
     version = arg.slice(lastAtIndex + 1);
   } else {

package/src/packagemanager/npx/parsing/parsePackagesFromArguments.spec.js

@@ -19,6 +19,14 @@ describe("parsePackagesFromArguments", () => {
     assert.deepEqual(result, [{ name: "http-server", version: "14.1.1" }]);
   });
 
+  it("should return the package in the format @vercel/otel", () => {
+    const args = ["@vercel/otel"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "@vercel/otel", version: "latest" }]);
+  });
+
   it("should return the package with latest tag if absent", () => {
     const args = ["http-server"];
 

package/src/packagemanager/pnpm/parsing/parsePackagesFromArguments.spec.js

@@ -27,6 +27,14 @@ describe("standardPnpmArgumentParser", () => {
     assert.deepEqual(result, [{ name: "axios", version: "latest" }]);
   });
 
+  it("should return the package in the format @vercel/otel", () => {
+    const args = ["@vercel/otel"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "@vercel/otel", version: "latest" }]);
+  });
+
   it("should return the package with latest tag if the version is absent and package starts with @", () => {
     const args = ["@aikidosec/package-name"];
 

package/src/packagemanager/yarn/parsing/parsePackagesFromArguments.js

@@ -77,7 +77,9 @@ function parsePackagename(arg, defaultTag) {
   const lastAtIndex = arg.lastIndexOf("@");
 
   let name, version;
-  if (lastAtIndex !== -1) {
+  // The index of the last "@" should be greater than 0
+  // If the index is 0, it means the package name starts with "@" (eg: "@vercel/otel")
+  if (lastAtIndex > 0) {
     name = arg.slice(0, lastAtIndex);
     version = arg.slice(lastAtIndex + 1);
   } else {

package/src/packagemanager/yarn/parsing/parsePackagesFromArguments.spec.js

@@ -38,6 +38,14 @@ describe("standardYarnArgumentParser", () => {
     ]);
   });
 
+  it("should return the package in the format @vercel/otel", () => {
+    const args = ["add", "@vercel/otel"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "@vercel/otel", version: "latest" }]);
+  });
+
   it("should ignore options with parameters and return an array of changes", () => {
     const args = ["add", "--proxy", "http://localhost", "axios@1.9.0"];
 

package/src/shell-integration/helpers.js

@@ -28,11 +28,35 @@ export function removeLinesMatchingPattern(filePath, pattern) {
   }
 
   const fileContent = fs.readFileSync(filePath, "utf-8");
-  const lines = fileContent.split(os.EOL);
-  const updatedLines = lines.filter((line) => !pattern.test(line));
+  const lines = fileContent.split(/[\r\n\u2028\u2029]+/);
+  const updatedLines = lines.filter((line) => !shouldRemoveLine(line, pattern));
   fs.writeFileSync(filePath, updatedLines.join(os.EOL), "utf-8");
 }
 
+const maxLineLength = 100;
+function shouldRemoveLine(line, pattern) {
+  const isPatternMatch = pattern.test(line);
+
+  if (!isPatternMatch) {
+    return false;
+  }
+
+  if (line.length > maxLineLength) {
+    // safe-chain only adds lines shorter than maxLineLength
+    // so if the line is longer, it must be from a different 
+    // source and could be dangerous to remove
+    return false;
+  }
+
+  if (line.includes("\n") || line.includes("\r") || line.includes("\u2028") || line.includes("\u2029")) {
+    // If the line contains newlines, something has gone wrong in splitting
+    // \u2028 and \u2029 are Unicode line separator characters (line and paragraph separators)
+    return false;
+  }
+
+  return true;
+}
+
 export function addLineToFile(filePath, line) {
   if (!fs.existsSync(filePath)) {
     fs.writeFileSync(filePath, "", "utf-8");

package/src/shell-integration/helpers.spec.js

@@ -0,0 +1,113 @@
+import { describe, it, beforeEach, afterEach, mock } from "node:test";
+import assert from "node:assert";
+import { tmpdir } from "node:os";
+import fs from "node:fs";
+import path from "path";
+
+describe("removeLinesMatchingPatternTests", () => {
+  let testFile;
+
+  beforeEach(() => {
+    // Create temporary test file
+    testFile = path.join(tmpdir(), `test-helpers-${Date.now()}.txt`);
+
+    // Mock the os module to override EOL
+    mock.module("node:os", {
+      namedExports: {
+        EOL: "\r\n", // Simulate Windows line endings
+        tmpdir: tmpdir,
+        platform: () => "linux"
+      }
+    });
+  });
+
+  afterEach(() => {
+    // Clean up test files
+    if (fs.existsSync(testFile)) {
+      fs.unlinkSync(testFile);
+    }
+
+    // Reset mocks
+    mock.reset();
+  });
+
+
+  it("should handle mixed line endings without wiping entire file", async () => {
+    // Import helpers after setting up the mock
+    const { removeLinesMatchingPattern } = await import("./helpers.js");
+    
+    // Create a file with Unix line endings but os.EOL expects Windows
+    const fileContent = [
+      "# keep this line",
+      "alias npm='remove-this'", 
+      "# keep this line too",
+      "alias yarn='remove-this-too'",
+      "# final line to keep"
+    ].join("\n"); // File has Unix line endings
+    
+    fs.writeFileSync(testFile, fileContent, "utf-8");
+    
+    // Try to remove lines containing 'alias'
+    const pattern = /alias.*=/;
+    removeLinesMatchingPattern(testFile, pattern);
+    
+    const result = fs.readFileSync(testFile, "utf-8");
+    
+    // This test will fail because the function splits on '\r\n' but file uses '\n'
+    // So it treats the entire content as one line and if any part matches, removes everything
+    assert.ok(result.includes("keep this line"), "Should preserve non-matching lines");
+    assert.ok(result.includes("final line to keep"), "Should preserve final line");
+  });
+
+  it("should handle mixed line endings with short matching content", async () => {
+    // Import helpers after setting up the mock
+    const { removeLinesMatchingPattern } = await import("./helpers.js");
+    
+    // Create a file with Unix line endings, but make the entire content short 
+    // to bypass the maxLineLength protection
+    const fileContent = [
+      "# keep1",
+      "alias x=y", // Short alias line that should be removed
+      "# keep2"
+    ].join("\n"); // File has Unix line endings, total length < 100 chars
+    
+    fs.writeFileSync(testFile, fileContent, "utf-8");
+    
+    // Try to remove lines containing 'alias'
+    const pattern = /alias/;
+    removeLinesMatchingPattern(testFile, pattern);
+    
+    const result = fs.readFileSync(testFile, "utf-8");
+    
+    // This should now be protected by the newline detection
+    assert.ok(result.includes("keep1"), "Should preserve first line");
+    assert.ok(result.includes("keep2"), "Should preserve third line");
+  });
+
+  it("should handle Unicode line separators that bypass newline detection", async () => {
+    // Import helpers after setting up the mock
+    const { removeLinesMatchingPattern } = await import("./helpers.js");
+    
+    // Use Unicode line separator (U+2028) and paragraph separator (U+2029)
+    // These are considered line breaks but aren't \n or \r
+    const fileContent = [
+      "keep this",
+      "alias test=value",
+      "keep that"
+    ].join("\u2028"); // Unicode line separator
+    
+    fs.writeFileSync(testFile, fileContent, "utf-8");
+    
+    // Try to remove lines containing 'alias'
+    const pattern = /alias/;
+    removeLinesMatchingPattern(testFile, pattern);
+    
+    const result = fs.readFileSync(testFile, "utf-8");
+    
+    // This could still wipe everything if split() treats it as one line
+    // but the content doesn't contain \n or \r so passes the newline check
+    assert.ok(result.includes("keep this"), "Should preserve first part");
+    assert.ok(result.includes("keep that"), "Should preserve last part");
+  });
+
+});

package/src/shell-integration/setup.js

@@ -2,6 +2,10 @@ import chalk from "chalk";
 import { ui } from "../environment/userInteraction.js";
 import { detectShells } from "./shellDetection.js";
 import { knownAikidoTools } from "./helpers.js";
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { fileURLToPath } from "url";
 
 /**
  * Loops over the detected shells and calls the setup function for each.
@@ -13,6 +17,8 @@ export async function setup() {
   );
   ui.emptyLine();
 
+  copyStartupFiles();
+
   try {
     const shells = detectShells();
     if (shells.length === 0) {
@@ -73,3 +79,22 @@ function setupShell(shell) {
 
   return success;
 }
+
+function copyStartupFiles() {
+  const startupFiles = ["init-posix.sh", "init-pwsh.ps1", "init-fish.fish"];
+
+  for (const file of startupFiles) {
+    const targetDir = path.join(os.homedir(), ".safe-chain", "scripts");
+    const targetPath = path.join(os.homedir(), ".safe-chain", "scripts", file);
+
+    if (!fs.existsSync(targetDir)) {
+      fs.mkdirSync(targetDir, { recursive: true });
+    }
+
+    // Use absolute path for source
+    const __filename = fileURLToPath(import.meta.url);
+    const __dirname = path.dirname(__filename);
+    const sourcePath = path.resolve(__dirname, "startup-scripts", file);
+    fs.copyFileSync(sourcePath, targetPath);
+  }
+}

package/src/shell-integration/startup-scripts/init-fish.fish

@@ -0,0 +1,58 @@
+function printSafeChainWarning
+    set original_cmd $argv[1]
+    
+    # Fish equivalent of ANSI color codes: yellow background, black text for "Warning:"
+    set_color -b yellow black
+    printf "Warning:"
+    set_color normal
+    printf " safe-chain is not available to protect you from installing malware. %s will run without it.\n" $original_cmd
+    
+    # Cyan text for the install command
+    printf "Install safe-chain by using "
+    set_color cyan
+    printf "npm install -g @aikidosec/safe-chain"
+    set_color normal
+    printf ".\n"
+end
+
+function wrapSafeChainCommand
+    set original_cmd $argv[1]
+    set aikido_cmd $argv[2]
+    set cmd_args $argv[3..-1]
+    
+    if type -q $aikido_cmd
+        # If the aikido command is available, just run it with the provided arguments
+        $aikido_cmd $cmd_args
+    else
+        # If the aikido command is not available, print a warning and run the original command
+        printSafeChainWarning $original_cmd
+        command $original_cmd $cmd_args
+    end
+end
+
+function npx
+    wrapSafeChainCommand "npx" "aikido-npx" $argv
+end
+
+function yarn
+    wrapSafeChainCommand "yarn" "aikido-yarn" $argv
+end
+
+function pnpm
+    wrapSafeChainCommand "pnpm" "aikido-pnpm" $argv
+end
+
+function pnpx
+    wrapSafeChainCommand "pnpx" "aikido-pnpx" $argv
+end
+
+function npm
+    if test (count $argv) -eq 1 -a \( "$argv[1]" = "-v" -o "$argv[1]" = "--version" \)
+        # If args is just -v or --version and nothing else, just run the npm version command
+        # This is because nvm uses this to check the version of npm
+        command npm $argv
+        return
+    end
+
+    wrapSafeChainCommand "npm" "aikido-npm" $argv
+end

package/src/shell-integration/startup-scripts/init-posix.sh

@@ -0,0 +1,54 @@
+
+function printSafeChainWarning() {
+  # \033[43;30m is used to set the background color to yellow and text color to black
+  # \033[0m is used to reset the text formatting
+  printf "\033[43;30mWarning:\033[0m safe-chain is not available to protect you from installing malware. %s will run without it.\n" "$1"
+  # \033[36m is used to set the text color to cyan
+  printf "Install safe-chain by using \033[36mnpm install -g @aikidosec/safe-chain\033[0m.\n"
+}
+
+function wrapSafeChainCommand() {
+  local original_cmd="$1"
+  local aikido_cmd="$2"
+
+  # Remove the first 2 arguments (original_cmd and aikido_cmd) from $@
+  # so that "$@" now contains only the arguments passed to the original command
+  shift 2
+
+  if command -v "$aikido_cmd" > /dev/null 2>&1; then
+    # If the aikido command is available, just run it with the provided arguments
+    "$aikido_cmd" "$@"
+  else
+    # If the aikido command is not available, print a warning and run the original command
+    printSafeChainWarning "$original_cmd"
+
+    command "$original_cmd" "$@"
+  fi
+}
+
+function npx() {
+  wrapSafeChainCommand "npx" "aikido-npx" "$@"
+}
+
+function yarn() {
+  wrapSafeChainCommand "yarn" "aikido-yarn" "$@"
+}
+
+function pnpm() {
+  wrapSafeChainCommand "pnpm" "aikido-pnpm" "$@"
+}
+
+function pnpx() {
+  wrapSafeChainCommand "pnpx" "aikido-pnpx" "$@"
+}
+
+function npm() {
+  if [[ "$1" == "-v" || "$1" == "--version" ]] && [[ $# -eq 1 ]]; then
+    # If args is just -v or --version and nothing else, just run the npm version command
+    # This is because nvm uses this to check the version of npm
+    command npm "$@"
+    return
+  fi
+
+  wrapSafeChainCommand "npm" "aikido-npm" "$@"
+}

package/src/shell-integration/startup-scripts/init-pwsh.ps1

@@ -0,0 +1,80 @@
+function Write-SafeChainWarning {
+    param([string]$Command)
+    
+    # PowerShell equivalent of ANSI color codes: yellow background, black text for "Warning:"
+    Write-Host "Warning:" -BackgroundColor Yellow -ForegroundColor Black -NoNewline
+    Write-Host " safe-chain is not available to protect you from installing malware. $Command will run without it."
+    
+    # Cyan text for the install command
+    Write-Host "Install safe-chain by using " -NoNewline
+    Write-Host "npm install -g @aikidosec/safe-chain" -ForegroundColor Cyan -NoNewline
+    Write-Host "."
+}
+
+function Test-CommandAvailable {
+    param([string]$Command)
+    
+    try {
+        Get-Command $Command -ErrorAction Stop | Out-Null
+        return $true
+    }
+    catch {
+        return $false
+    }
+}
+
+function Invoke-RealCommand {
+    param(
+        [string]$Command,
+        [string[]]$Arguments
+    )
+    
+    # Find the real executable to avoid calling our wrapped functions
+    $realCommand = Get-Command -Name $Command -CommandType Application | Select-Object -First 1
+    if ($realCommand) {
+        & $realCommand.Source @Arguments
+    }
+}
+
+function Invoke-WrappedCommand {
+    param(
+        [string]$OriginalCmd,
+        [string]$AikidoCmd,
+        [string[]]$Arguments
+    )
+
+    if (Test-CommandAvailable $AikidoCmd) {
+        & $AikidoCmd @Arguments
+    }
+    else {
+        Write-SafeChainWarning $OriginalCmd
+        Invoke-RealCommand $OriginalCmd $Arguments
+    }
+}
+
+function npx {
+    Invoke-WrappedCommand "npx" "aikido-npx" $args
+}
+
+function yarn {
+    Invoke-WrappedCommand "yarn" "aikido-yarn" $args
+}
+
+function pnpm {
+    Invoke-WrappedCommand "pnpm" "aikido-pnpm" $args
+}
+
+function pnpx {
+    Invoke-WrappedCommand "pnpx" "aikido-pnpx" $args
+}
+
+function npm {
+    # If args is just -v or --version and nothing else, just run the npm version command
+    # This is because nvm uses this to check the version of npm
+    if (($args.Length -eq 1) -and (($args[0] -eq "-v") -or ($args[0] -eq "--version"))) {
+        Invoke-RealCommand "npm" $args
+        return
+    }
+    
+    Invoke-WrappedCommand "npm" "aikido-npm" $args
+}

package/src/shell-integration/supported-shells/bash.js

@@ -21,18 +21,22 @@ function teardown(tools) {
     removeLinesMatchingPattern(startupFile, new RegExp(`^alias\\s+${tool}=`));
   }
 
+  // Removes the line that sources the safe-chain bash initialization script (~/.aikido/scripts/init-posix.sh)
+  removeLinesMatchingPattern(
+    startupFile,
+    /^source\s+~\/\.safe-chain\/scripts\/init-posix\.sh/
+  );
+
   return true;
 }
 
-function setup(tools) {
+function setup() {
   const startupFile = getStartupFile();
 
-  for (const { tool, aikidoCommand } of tools) {
-    addLineToFile(
-      startupFile,
-      `alias ${tool}="${aikidoCommand}" # Safe-chain alias for ${tool}`
-    );
-  }
+  addLineToFile(
+    startupFile,
+    `source ~/.safe-chain/scripts/init-posix.sh # Safe-chain bash initialization script`
+  );
 
   return true;
 }

package/src/shell-integration/supported-shells/bash.spec.js

@@ -66,38 +66,17 @@ describe("Bash shell integration", () => {
   });
 
   describe("setup", () => {
-    it("should add aliases for all provided tools", () => {
-      const tools = [
-        { tool: "npm", aikidoCommand: "aikido-npm" },
-        { tool: "npx", aikidoCommand: "aikido-npx" },
-        { tool: "yarn", aikidoCommand: "aikido-yarn" },
-      ];
-
-      const result = bash.setup(tools);
+    it("should add source line for bash initialization script", () => {
+      const result = bash.setup();
       assert.strictEqual(result, true);
 
       const content = fs.readFileSync(mockStartupFile, "utf-8");
       assert.ok(
-        content.includes('alias npm="aikido-npm" # Safe-chain alias for npm')
-      );
-      assert.ok(
-        content.includes('alias npx="aikido-npx" # Safe-chain alias for npx')
-      );
-      assert.ok(
-        content.includes('alias yarn="aikido-yarn" # Safe-chain alias for yarn')
+        content.includes(
+          "source ~/.safe-chain/scripts/init-posix.sh # Safe-chain bash initialization script"
+        )
       );
     });
-
-    it("should handle empty tools array", () => {
-      const result = bash.setup([]);
-      assert.strictEqual(result, true);
-
-      // File should be created during teardown call even if no tools are provided
-      if (fs.existsSync(mockStartupFile)) {
-        const content = fs.readFileSync(mockStartupFile, "utf-8");
-        assert.strictEqual(content.trim(), "");
-      }
-    });
   });
 
   describe("teardown", () => {
@@ -174,14 +153,14 @@ describe("Bash shell integration", () => {
       // Setup
       bash.setup(tools);
       let content = fs.readFileSync(mockStartupFile, "utf-8");
-      assert.ok(content.includes('alias npm="aikido-npm"'));
-      assert.ok(content.includes('alias yarn="aikido-yarn"'));
+      assert.ok(content.includes("source ~/.safe-chain/scripts/init-posix.sh"));
 
       // Teardown
       bash.teardown(tools);
       content = fs.readFileSync(mockStartupFile, "utf-8");
-      assert.ok(!content.includes("alias npm="));
-      assert.ok(!content.includes("alias yarn="));
+      assert.ok(
+        !content.includes("source ~/.safe-chain/scripts/init-posix.sh")
+      );
     });
 
     it("should handle multiple setup calls", () => {
@@ -192,8 +171,29 @@ describe("Bash shell integration", () => {
       bash.setup(tools);
 
       const content = fs.readFileSync(mockStartupFile, "utf-8");
-      const npmMatches = (content.match(/alias npm="/g) || []).length;
-      assert.strictEqual(npmMatches, 1, "Should not duplicate aliases");
+      const sourceMatches = (content.match(/source.*init-posix\.sh/g) || [])
+        .length;
+      assert.strictEqual(sourceMatches, 1, "Should not duplicate source lines");
+    });
+
+    it("should handle mixed content with aliases and source lines", () => {
+      const initialContent = [
+        "#!/bin/bash",
+        "alias npm='old-npm'",
+        "source ~/.safe-chain/scripts/init-posix.sh",
+        "alias ls='ls --color=auto'",
+      ].join("\n");
+
+      fs.writeFileSync(mockStartupFile, initialContent, "utf-8");
+
+      // Teardown should remove both aliases and source line
+      bash.teardown(knownAikidoTools);
+      const content = fs.readFileSync(mockStartupFile, "utf-8");
+      assert.ok(!content.includes("alias npm="));
+      assert.ok(
+        !content.includes("source ~/.safe-chain/scripts/init-posix.sh")
+      );
+      assert.ok(content.includes("alias ls="));
     });
   });
 });