@aikidosec/safe-chain 1.1.5 → 1.1.7

package/README.md

@@ -41,6 +41,7 @@ Installing the Aikido Safe Chain is easy. You just need 3 simple steps:
 When running `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, or `bunx` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. If any malware is detected, it will prompt you to exit the command.
 
 You can check the installed version by running:
+
 ```shell
 safe-chain --version
 ```
@@ -75,17 +76,16 @@ To uninstall the Aikido Safe Chain, you can run the following command:
 
 # Configuration
 
-## Malware Action
+## Logging
 
-You can control how Aikido Safe Chain responds when malware is detected using the `--safe-chain-malware-action` flag:
+You can control the output from Aikido Safe Chain using the `--safe-chain-logging` flag:
 
-- `--safe-chain-malware-action=block` (**default**) - Automatically blocks installation and exits with an error when malware is detected
-- `--safe-chain-malware-action=prompt` - Prompts the user to decide whether to continue despite the malware detection
+- `--safe-chain-logging=silent` - Suppresses all Aikido Safe Chain output except when malware is blocked. The package manager output is written to stdout as normal, and Safe Chain only writes a short message if it has blocked malware and causes the process to exit.
 
 Example usage:
 
 ```shell
-npm install suspicious-package --safe-chain-malware-action=prompt
+npm install express --safe-chain-logging=silent
 ```
 
 # Usage in CI/CD

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.1.5",
+  "version": "1.1.7",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",

package/src/api/npmApi.js

@@ -25,6 +25,10 @@ export async function resolvePackageVersion(packageName, versionRange) {
     return distTags[versionRange];
   }
 
+  if (!packageInfo.versions) {
+    return null;
+  }
+
   // If the version range is not a dist-tag, we need to resolve the highest version matching the range.
   // This is useful for ranges like "^1.0.0" or "~2.3.4".
   const availableVersions = Object.keys(packageInfo.versions);

package/src/config/cliArguments.js

@@ -1,12 +1,12 @@
 const state = {
-  malwareAction: undefined,
+  loggingLevel: undefined,
 };
 
 const SAFE_CHAIN_ARG_PREFIX = "--safe-chain-";
 
 export function initializeCliArguments(args) {
   // Reset state on each call
-  state.malwareAction = undefined;
+  state.loggingLevel = undefined;
 
   const safeChainArgs = [];
   const remainingArgs = [];
@@ -19,21 +19,11 @@ export function initializeCliArguments(args) {
     }
   }
 
-  setMalwareAction(safeChainArgs);
+  setLoggingLevel(safeChainArgs);
 
   return remainingArgs;
 }
 
-function setMalwareAction(args) {
-  const safeChainMalwareActionArg = SAFE_CHAIN_ARG_PREFIX + "malware-action=";
-
-  const action = getLastArgEqualsValue(args, safeChainMalwareActionArg);
-  if (!action) {
-    return;
-  }
-  state.malwareAction = action.toLowerCase();
-}
-
 function getLastArgEqualsValue(args, prefix) {
   for (var i = args.length - 1; i >= 0; i--) {
     const arg = args[i];
@@ -45,6 +35,16 @@ function getLastArgEqualsValue(args, prefix) {
   return undefined;
 }
 
-export function getMalwareAction() {
-  return state.malwareAction;
+function setLoggingLevel(args) {
+  const safeChainLoggingArg = SAFE_CHAIN_ARG_PREFIX + "logging=";
+
+  const level = getLastArgEqualsValue(args, safeChainLoggingArg);
+  if (!level) {
+    return;
+  }
+  state.loggingLevel = level.toLowerCase();
+}
+
+export function getLoggingLevel() {
+  return state.loggingLevel;
 }

package/src/config/settings.js

@@ -1,14 +1,14 @@
 import * as cliArguments from "./cliArguments.js";
 
-export function getMalwareAction() {
-  const action = cliArguments.getMalwareAction();
+export function getLoggingLevel() {
+  const level = cliArguments.getLoggingLevel();
 
-  if (action === MALWARE_ACTION_PROMPT) {
-    return MALWARE_ACTION_PROMPT;
+  if (level === LOGGING_SILENT) {
+    return LOGGING_SILENT;
   }
 
-  return MALWARE_ACTION_BLOCK;
+  return LOGGING_NORMAL;
 }
 
-export const MALWARE_ACTION_BLOCK = "block";
-export const MALWARE_ACTION_PROMPT = "prompt";
+export const LOGGING_SILENT = "silent";
+export const LOGGING_NORMAL = "normal";

package/src/environment/userInteraction.js

@@ -1,18 +1,28 @@
 // oxlint-disable no-console
 import chalk from "chalk";
 import ora from "ora";
-import { createInterface } from "readline";
 import { isCi } from "./environment.js";
+import { getLoggingLevel, LOGGING_SILENT } from "../config/settings.js";
+
+function isSilentMode() {
+  return getLoggingLevel() === LOGGING_SILENT;
+}
 
 function emptyLine() {
+  if (isSilentMode()) return;
+
   writeInformation("");
 }
 
 function writeInformation(message, ...optionalParams) {
+  if (isSilentMode()) return;
+
   console.log(message, ...optionalParams);
 }
 
 function writeWarning(message, ...optionalParams) {
+  if (isSilentMode()) return;
+
   if (!isCi()) {
     message = chalk.yellow(message);
   }
@@ -26,7 +36,24 @@ function writeError(message, ...optionalParams) {
   console.error(message, ...optionalParams);
 }
 
+function writeExitWithoutInstallingMaliciousPackages() {
+  let message = "Safe-chain: Exiting without installing malicious packages.";
+  if (!isCi()) {
+    message = chalk.red(message);
+  }
+  console.error(message);
+}
+
 function startProcess(message) {
+  if (isSilentMode()) {
+    return {
+      succeed: () => {},
+      fail: () => {},
+      stop: () => {},
+      setText: () => {},
+    };
+  }
+
   if (isCi()) {
     return {
       succeed: (message) => {
@@ -59,39 +86,11 @@ function startProcess(message) {
   }
 }
 
-async function confirm(config) {
-  if (isCi()) {
-    return Promise.resolve(config.default);
-  }
-
-  const rl = createInterface({
-    input: process.stdin,
-    output: process.stdout,
-  });
-
-  return new Promise((resolve) => {
-    const defaultText = config.default ? " (Y/n)" : " (y/N)";
-    rl.question(`${config.message}${defaultText} `, (answer) => {
-      rl.close();
-
-      const normalizedAnswer = answer.trim().toLowerCase();
-
-      if (normalizedAnswer === "y" || normalizedAnswer === "yes") {
-        resolve(true);
-      } else if (normalizedAnswer === "n" || normalizedAnswer === "no") {
-        resolve(false);
-      } else {
-        resolve(config.default);
-      }
-    });
-  });
-}
-
 export const ui = {
   writeInformation,
   writeWarning,
   writeError,
+  writeExitWithoutInstallingMaliciousPackages,
   emptyLine,
   startProcess,
-  confirm,
 };

package/src/main.js

@@ -11,6 +11,21 @@ export async function main(args) {
   const proxy = createSafeChainProxy();
   await proxy.startServer();
 
+  // Global error handlers to log unhandled errors
+  process.on("uncaughtException", (error) => {
+    ui.writeError(`Safe-chain: Uncaught exception: ${error.message}`);
+    ui.writeVerbose(`Stack trace: ${error.stack}`);
+    process.exit(1);
+  });
+
+  process.on("unhandledRejection", (reason) => {
+    ui.writeError(`Safe-chain: Unhandled promise rejection: ${reason}`);
+    if (reason instanceof Error) {
+      ui.writeVerbose(`Stack trace: ${reason.stack}`);
+    }
+    process.exit(1);
+  });
+
   try {
     // This parses all the --safe-chain arguments and removes them from the args array
     args = initializeCliArguments(args);

package/src/registryProxy/mitmRequestHandler.js

@@ -1,6 +1,7 @@
 import https from "https";
 import { generateCertForHost } from "./certUtils.js";
 import { HttpsProxyAgent } from "https-proxy-agent";
+import { ui } from "../environment/userInteraction.js";
 
 export function mitmConnect(req, clientSocket, isAllowed) {
   const { hostname } = new URL(`http://${req.url}`);
@@ -13,6 +14,15 @@ export function mitmConnect(req, clientSocket, isAllowed) {
 
   const server = createHttpsServer(hostname, isAllowed);
 
+  server.on("error", (err) => {
+    ui.writeError(`Safe-chain: HTTPS server error: ${err.message}`);
+    if (!clientSocket.headersSent) {
+      clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+    } else if (clientSocket.writable) {
+      clientSocket.end();
+    }
+  });
+
   // Establish the connection
   clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
 
@@ -37,13 +47,15 @@ function createHttpsServer(hostname, isAllowed) {
     forwardRequest(req, hostname, res);
   }
 
-  return https.createServer(
+  const server = https.createServer(
     {
       key: cert.privateKey,
       cert: cert.certificate,
     },
     handleRequest
   );
+
+  return server;
 }
 
 function getRequestPathAndQuery(url) {
@@ -62,6 +74,11 @@ function forwardRequest(req, hostname, res) {
     res.end("Bad Gateway");
   });
 
+  req.on("error", (err) => {
+    ui.writeError(`Safe-chain: Error reading client request: ${err.message}`);
+    proxyReq.destroy();
+  });
+
   req.on("data", (chunk) => {
     proxyReq.write(chunk);
   });
@@ -88,6 +105,16 @@ function createProxyRequest(hostname, req, res) {
   }
 
   const proxyReq = https.request(options, (proxyRes) => {
+    proxyRes.on("error", (err) => {
+      ui.writeError(
+        `Safe-chain: Error reading upstream response: ${err.message}`
+      );
+      if (!res.headersSent) {
+        res.writeHead(502);
+        res.end("Bad Gateway");
+      }
+    });
+
     res.writeHead(proxyRes.statusCode, proxyRes.headers);
     proxyRes.pipe(res);
   });

package/src/registryProxy/plainHttpProxy.js

@@ -43,8 +43,13 @@ export function handleHttpProxyRequest(req, res) {
       }
     )
     .on("error", (err) => {
-      res.writeHead(502);
-      res.end(`Bad Gateway: ${err.message}`);
+      if (!res.headersSent) {
+        res.writeHead(502);
+        res.end(`Bad Gateway: ${err.message}`);
+      } else {
+        // Headers already sent, just destroy the response
+        res.destroy();
+      }
     });
 
   req.on("error", () => {

package/src/registryProxy/registryProxy.js

@@ -153,7 +153,7 @@ function verifyNoMaliciousPackages() {
   }
 
   ui.emptyLine();
-  ui.writeError("Exiting without installing malicious packages.");
+  ui.writeExitWithoutInstallingMaliciousPackages();
   ui.emptyLine();
 
   return false;

package/src/registryProxy/tunnelRequestHandler.js

@@ -24,12 +24,6 @@ export function tunnelRequest(req, clientSocket, head) {
 function tunnelRequestToDestination(req, clientSocket, head) {
   const { port, hostname } = new URL(`http://${req.url}`);
 
-  clientSocket.on("error", () => {
-    // NO-OP
-    // This can happen if the client TCP socket sends RST instead of FIN.
-    // Not subscribing to 'close' event will cause node to throw and crash.
-  });
-
   const serverSocket = net.connect(port || 443, hostname, () => {
     clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
     serverSocket.write(head);
@@ -37,6 +31,14 @@ function tunnelRequestToDestination(req, clientSocket, head) {
     clientSocket.pipe(serverSocket);
   });
 
+  clientSocket.on("error", () => {
+    // This can happen if the client TCP socket sends RST instead of FIN.
+    // Not subscribing to 'error' event will cause node to throw and crash.
+    if (serverSocket.writable) {
+      serverSocket.end();
+    }
+  });
+
   serverSocket.on("error", (err) => {
     ui.writeError(
       `Safe-chain: error connecting to ${hostname}:${port} - ${err.message}`
@@ -103,6 +105,13 @@ function tunnelRequestViaProxy(req, clientSocket, head, proxyUrl) {
       if (clientSocket.writable) {
         clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
       }
+    } else {
+      ui.writeError(
+        `Safe-chain: proxy socket error after connection - ${err.message}`
+      );
+      if (clientSocket.writable) {
+        clientSocket.end();
+      }
     }
   });
 

package/src/scanning/index.js

@@ -4,7 +4,6 @@ import { setTimeout } from "timers/promises";
 import chalk from "chalk";
 import { getPackageManager } from "../packagemanager/currentPackageManager.js";
 import { ui } from "../environment/userInteraction.js";
-import { getMalwareAction, MALWARE_ACTION_PROMPT } from "../config/settings.js";
 
 export function shouldScanCommand(args) {
   if (!args || args.length === 0) {
@@ -65,7 +64,8 @@ export async function scanCommand(args) {
     return 0;
   } else {
     printMaliciousChanges(audit.disallowedChanges, spinner);
-    return await onMalwareFound();
+    onMalwareFound();
+    return 1;
   }
 }
 
@@ -77,23 +77,8 @@ function printMaliciousChanges(changes, spinner) {
   }
 }
 
-async function onMalwareFound() {
+function onMalwareFound() {
   ui.emptyLine();
-
-  if (getMalwareAction() === MALWARE_ACTION_PROMPT) {
-    const continueInstall = await ui.confirm({
-      message:
-        "Malicious packages were found. Do you want to continue with the installation?",
-      default: false,
-    });
-
-    if (continueInstall) {
-      ui.writeWarning("Continuing with the installation despite the risks...");
-      return 0;
-    }
-  }
-
-  ui.writeError("Exiting without installing malicious packages.");
+  ui.writeExitWithoutInstallingMaliciousPackages();
   ui.emptyLine();
-  return 1;
 }

package/src/utils/safeSpawn.js

@@ -1,22 +1,77 @@
-import { spawn } from "child_process";
+import { spawn, execSync } from "child_process";
+import os from "os";
 
-function escapeArg(arg) {
-  // If argument contains spaces or quotes, wrap in double quotes and escape double quotes
-  if (arg.includes(" ") || arg.includes('"') || arg.includes("'")) {
-    return '"' + arg.replaceAll('"', '\\"') + '"';
+function sanitizeShellArgument(arg) {
+  // If argument contains shell metacharacters, wrap in double quotes
+  // and escape characters that are special even inside double quotes
+  if (hasShellMetaChars(arg)) {
+    // Inside double quotes, we need to escape: " $ ` \
+    return '"' + escapeDoubleQuoteContent(arg) + '"';
   }
   return arg;
 }
 
+function hasShellMetaChars(arg) {
+  // Shell metacharacters that need escaping
+  // These characters have special meaning in shells and need to be quoted
+  // Whenever one of these characters is present, we should quote the argument
+  // Characters: space, ", &, ', |, ;, <, >, (, ), $, `, \, !, *, ?, [, ], {, }, ~, #
+  const shellMetaChars = /[ "&'|;<>()$`\\!*?[\]{}~#]/;
+  return shellMetaChars.test(arg);
+}
+
+function escapeDoubleQuoteContent(arg) {
+  // Escape special characters for shell safety
+  // This escapes ", $, `, and \ by prefixing them with a backslash
+  return arg.replace(/(["`$\\])/g, "\\$1");
+}
+
 function buildCommand(command, args) {
-  const escapedArgs = args.map(escapeArg);
+  if (args.length === 0) {
+    return command;
+  }
+
+  const escapedArgs = args.map(sanitizeShellArgument);
+
   return `${command} ${escapedArgs.join(" ")}`;
 }
 
+function resolveCommandPath(command) {
+  // command will be "npm", "yarn", etc.
+  // Use 'command -v' to find the full path
+  const fullPath = execSync(`command -v ${command}`, {
+    encoding: "utf8",
+    shell: true,
+  }).trim();
+
+  if (!fullPath) {
+    throw new Error(`Command not found: ${command}`);
+  }
+
+  return fullPath;
+}
+
 export async function safeSpawn(command, args, options = {}) {
-  const fullCommand = buildCommand(command, args);
+  // The command is always one of our supported package managers.
+  // It should always be alphanumeric or _ or -
+  // Reject any command names with suspicious characters
+  if (!/^[a-zA-Z0-9_-]+$/.test(command)) {
+    throw new Error(`Invalid command name: ${command}`);
+  }
+
   return new Promise((resolve, reject) => {
-    const child = spawn(fullCommand, { ...options, shell: true });
+    // Windows requires shell: true because .bat and .cmd files are not executable
+    // without a terminal. On Unix/macOS, we resolve the full path first, then use
+    // array args (safer, no escaping needed).
+    // See: https://nodejs.org/api/child_process.html#child_processspawncommand-args-options
+    let child;
+    if (os.platform() === "win32") {
+      const fullCommand = buildCommand(command, args);
+      child = spawn(fullCommand, { ...options, shell: true });
+    } else {
+      const fullPath = resolveCommandPath(command);
+      child = spawn(fullPath, args, options);
+    }
 
     // When stdio is piped, we need to collect the output
     let stdout = "";