@aikidosec/safe-chain 1.4.1 → 1.4.3

package/src/config/settings.js

@@ -7,14 +7,20 @@ export const LOGGING_NORMAL = "normal";
 export const LOGGING_VERBOSE = "verbose";
 
 export function getLoggingLevel() {
-  const level = cliArguments.getLoggingLevel();
-
-  if (level === LOGGING_SILENT) {
-    return LOGGING_SILENT;
+  // Priority 1: CLI argument
+  const cliLevel = cliArguments.getLoggingLevel();
+  if (cliLevel === LOGGING_SILENT || cliLevel === LOGGING_VERBOSE) {
+    return cliLevel;
+  }
+  if (cliLevel) {
+    // CLI arg was set but invalid, default to normal for backwards compatibility.
+    return LOGGING_NORMAL;
   }
 
-  if (level === LOGGING_VERBOSE) {
-    return LOGGING_VERBOSE;
+  // Priority 2: Environment variable
+  const envLevel = environmentVariables.getLoggingLevel()?.toLowerCase();
+  if (envLevel === LOGGING_SILENT || envLevel === LOGGING_VERBOSE) {
+    return envLevel;
   }
 
   return LOGGING_NORMAL;
@@ -161,3 +167,34 @@ export function getPipCustomRegistries() {
   // Normalize each registry (remove protocol if any)
   return uniqueRegistries.map(normalizeRegistry);
 }
+
+/**
+ * Parses comma-separated exclusions from environment variable
+ * @param {string | undefined} envValue
+ * @returns {string[]}
+ */
+function parseExclusionsFromEnv(envValue) {
+  if (!envValue || typeof envValue !== "string") {
+    return [];
+  }
+
+  return envValue
+    .split(",")
+    .map((exclusion) => exclusion.trim())
+    .filter((exclusion) => exclusion.length > 0);
+}
+
+/**
+ * Gets the minimum package age exclusions from both environment variable and config file (merged)
+ * @returns {string[]}
+ */
+export function getNpmMinimumPackageAgeExclusions() {
+  const envExclusions = parseExclusionsFromEnv(
+    environmentVariables.getNpmMinimumPackageAgeExclusions()
+  );
+  const configExclusions = configFile.getNpmMinimumPackageAgeExclusions();
+
+  // Merge both sources and remove duplicates
+  const allExclusions = [...envExclusions, ...configExclusions];
+  return [...new Set(allExclusions)];
+}

package/src/installation/downloadAgent.js

@@ -0,0 +1,125 @@
+import { createWriteStream, createReadStream } from "fs";
+import { createHash } from "crypto";
+import { pipeline } from "stream/promises";
+import fetch from "make-fetch-happen";
+
+const ULTIMATE_VERSION = "v1.0.0";
+
+export const DOWNLOAD_URLS = {
+  win32: {
+    x64: {
+      url: `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/SafeChainUltimate-windows-amd64.msi`,
+      checksum:
+        "sha256:c6a36f9b8e55ab6b7e8742cbabc4469d85809237c0f5e6c21af20b36c416ee1d",
+    },
+    arm64: {
+      url: `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/SafeChainUltimate-windows-arm64.msi`,
+      checksum:
+        "sha256:46acd1af6a9938ea194c8ee8b34ca9b47c8de22e088a0791f3c0751dd6239c90",
+    },
+  },
+  darwin: {
+    x64: {
+      url: `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/SafeChainUltimate-darwin-amd64.pkg`,
+      checksum:
+        "sha256:bb1829e8ca422e885baf37bef08dcbe7df7a30f248e2e89c4071564f7d4f3396",
+    },
+    arm64: {
+      url: `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/SafeChainUltimate-darwin-arm64.pkg`,
+      checksum:
+        "sha256:7fe4a785709911cc366d8224b4c290677573b8c4833bd9054768299e55c5f0ed",
+    },
+  },
+};
+
+/**
+ * Builds the download URL for the SafeChain Agent installer.
+ * @param {string} fileName
+ */
+export function getAgentDownloadUrl(fileName) {
+  return `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/${fileName}`;
+}
+
+/**
+ * Downloads a file from a URL to a local path.
+ * @param {string} url
+ * @param {string} destPath
+ */
+export async function downloadFile(url, destPath) {
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`Download failed: ${response.statusText}`);
+  }
+  await pipeline(response.body, createWriteStream(destPath));
+}
+
+/**
+ * Returns the current agent version.
+ */
+export function getAgentVersion() {
+  return ULTIMATE_VERSION;
+}
+
+/**
+ * Returns download info (url, checksum) for the current OS and architecture.
+ * @returns {{ url: string, checksum: string } | null}
+ */
+export function getDownloadInfoForCurrentPlatform() {
+  const platform = process.platform;
+  const arch = process.arch;
+
+  if (!Object.hasOwn(DOWNLOAD_URLS, platform)) {
+    return null;
+  }
+  const platformUrls =
+    DOWNLOAD_URLS[/** @type {keyof typeof DOWNLOAD_URLS} */ (platform)];
+
+  if (!Object.hasOwn(platformUrls, arch)) {
+    return null;
+  }
+
+  return platformUrls[/** @type {keyof typeof platformUrls} */ (arch)];
+}
+
+/**
+ * Verifies the checksum of a file.
+ * @param {string} filePath
+ * @param {string} expectedChecksum - Format: "algorithm:hash" (e.g., "sha256:abc123...")
+ * @returns {Promise<boolean>}
+ */
+export async function verifyChecksum(filePath, expectedChecksum) {
+  const [algorithm, expected] = expectedChecksum.split(":");
+
+  const hash = createHash(algorithm);
+
+  if (filePath.includes("..")) throw new Error("Invalid file path");
+  const stream = createReadStream(filePath);
+
+  for await (const chunk of stream) {
+    hash.update(chunk);
+  }
+
+  const actual = hash.digest("hex");
+  return actual === expected;
+}
+
+/**
+ * Downloads the SafeChain agent for the current OS/arch and verifies its checksum.
+ * @param {string} fileName - Destination file path
+ * @returns {Promise<string | null>} The file path if successful, null if no download URL for current platform
+ */
+export async function downloadAgentToFile(fileName) {
+  const info = getDownloadInfoForCurrentPlatform();
+  if (!info) {
+    return null;
+  }
+
+  await downloadFile(info.url, fileName);
+
+  const isValid = await verifyChecksum(fileName, info.checksum);
+  if (!isValid) {
+    throw new Error("Checksum verification failed");
+  }
+
+  return fileName;
+}

package/src/installation/installOnMacOS.js

@@ -0,0 +1,155 @@
+import { tmpdir } from "os";
+import { unlinkSync } from "fs";
+import { join } from "path";
+import { execSync, spawnSync } from "child_process";
+import { ui } from "../environment/userInteraction.js";
+import { printVerboseAndSafeSpawn } from "../utils/safeSpawn.js";
+import { downloadAgentToFile, getAgentVersion } from "./downloadAgent.js";
+import chalk from "chalk";
+
+const MACOS_PKG_IDENTIFIER = "com.aikidosecurity.safechainultimate";
+
+/**
+ * Checks if root privileges are available and displays error message if not.
+ * @param {string} command - The sudo command to show in the error message
+ * @returns {boolean} True if running as root, false otherwise.
+ */
+function requireRootPrivileges(command) {
+  if (isRunningAsRoot()) {
+    return true;
+  }
+
+  ui.writeError("Root privileges required.");
+  ui.writeInformation("Please run this command with sudo:");
+  ui.writeInformation(`  ${command}`);
+  return false;
+}
+
+function isRunningAsRoot() {
+  const rootUserUid = 0;
+  return process.getuid?.() === rootUserUid;
+}
+
+export async function installOnMacOS() {
+  if (!requireRootPrivileges("sudo safe-chain ultimate")) {
+    return;
+  }
+
+  const pkgPath = join(tmpdir(), `SafeChainUltimate-${Date.now()}.pkg`);
+
+  ui.emptyLine();
+  ui.writeInformation(`📥 Downloading SafeChain Ultimate ${getAgentVersion()}`);
+  ui.writeVerbose(`Destination: ${pkgPath}`);
+
+  const result = await downloadAgentToFile(pkgPath);
+  if (!result) {
+    ui.writeError("No download available for this platform/architecture.");
+    return;
+  }
+
+  try {
+    ui.writeInformation("⚙️  Installing SafeChain Ultimate...");
+    await runPkgInstaller(pkgPath);
+
+    ui.emptyLine();
+    ui.writeInformation(
+      "✅ SafeChain Ultimate installed and started successfully!",
+    );
+    ui.emptyLine();
+    ui.writeInformation(
+      chalk.cyan("🔐 ") +
+        chalk.bold("ACTION REQUIRED: ") +
+        "macOS will show a popup to install our certificate.",
+    );
+    ui.writeInformation(
+      "   " +
+        chalk.bold("Please accept the certificate") +
+        " to complete the installation.",
+    );
+    ui.emptyLine();
+  } finally {
+    ui.writeVerbose(`Cleaning up temporary file: ${pkgPath}`);
+    cleanup(pkgPath);
+  }
+}
+
+const MACOS_UNINSTALL_SCRIPT =
+  "/Library/Application\\ Support/AikidoSecurity/SafeChainUltimate/scripts/uninstall";
+
+export async function uninstallOnMacOS() {
+  if (!requireRootPrivileges("sudo safe-chain ultimate uninstall")) {
+    return;
+  }
+
+  ui.emptyLine();
+
+  if (!isPackageInstalled()) {
+    ui.writeInformation("SafeChain Ultimate is not installed.");
+    return;
+  }
+
+  ui.writeInformation("🗑️  Uninstalling SafeChain Ultimate...");
+  ui.writeVerbose(`Running: ${MACOS_UNINSTALL_SCRIPT}`);
+
+  const result = spawnSync(MACOS_UNINSTALL_SCRIPT, {
+    stdio: "inherit",
+    shell: true,
+  });
+
+  if (result.status !== 0) {
+    ui.writeError(
+      `Uninstall script failed (exit code: ${result.status}). Please try again or remove manually.`,
+    );
+    return;
+  }
+
+  ui.emptyLine();
+  ui.writeInformation("✅ SafeChain Ultimate has been uninstalled.");
+  ui.emptyLine();
+}
+
+function isPackageInstalled() {
+  try {
+    const output = execSync(`pkgutil --pkg-info ${MACOS_PKG_IDENTIFIER}`, {
+      encoding: "utf8",
+      stdio: "pipe",
+    });
+    return output.includes(MACOS_PKG_IDENTIFIER);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * @param {string} pkgPath
+ */
+async function runPkgInstaller(pkgPath) {
+  // Uses installer to install the package (https://ss64.com/mac/installer.html)
+  // Options:
+  //  -pkg (required):    The package to be installed.
+  //  -target (required): The target volume is specified with the -target parameter.
+  //                       --> "-target /" installs to the current boot volume.
+
+  const result = await printVerboseAndSafeSpawn(
+    "installer",
+    ["-pkg", pkgPath, "-target", "/"],
+    {
+      stdio: "inherit",
+    },
+  );
+
+  if (result.status !== 0) {
+    throw new Error(`PKG installer failed (exit code: ${result.status})`);
+  }
+}
+
+/**
+ * @param {string} pkgPath
+ */
+function cleanup(pkgPath) {
+  try {
+    unlinkSync(pkgPath);
+  } catch {
+    ui.writeVerbose("Failed to clean up temporary installer file.");
+  }
+}

package/src/installation/installOnWindows.js

@@ -0,0 +1,203 @@
+import { tmpdir } from "os";
+import { unlinkSync } from "fs";
+import { join } from "path";
+import { execSync } from "child_process";
+import { ui } from "../environment/userInteraction.js";
+import { printVerboseAndSafeSpawn, safeSpawn } from "../utils/safeSpawn.js";
+import { downloadAgentToFile, getAgentVersion } from "./downloadAgent.js";
+
+const WINDOWS_SERVICE_NAME = "SafeChainUltimate";
+const WINDOWS_APP_NAME = "SafeChain Ultimate";
+
+export async function uninstallOnWindows() {
+  if (!(await requireAdminPrivileges())) {
+    return;
+  }
+
+  ui.emptyLine();
+
+  const productCode = getInstalledProductCode();
+  if (!productCode) {
+    ui.writeInformation("SafeChain Ultimate is not installed.");
+    return;
+  }
+
+  await stopServiceIfRunning();
+
+  ui.writeInformation("🗑️  Uninstalling SafeChain Ultimate...");
+  await uninstallByProductCode(productCode);
+
+  ui.emptyLine();
+  ui.writeInformation("✅ SafeChain Ultimate has been uninstalled.");
+  ui.emptyLine();
+}
+
+export async function installOnWindows() {
+  if (!(await requireAdminPrivileges())) {
+    return;
+  }
+
+  const msiPath = join(tmpdir(), `SafeChainUltimate-${Date.now()}.msi`);
+
+  ui.emptyLine();
+  ui.writeInformation(`📥 Downloading SafeChain Ultimate ${getAgentVersion()}`);
+  ui.writeVerbose(`Destination: ${msiPath}`);
+
+  const result = await downloadAgentToFile(msiPath);
+  if (!result) {
+    ui.writeError("No download available for this platform/architecture.");
+    return;
+  }
+
+  try {
+    ui.emptyLine();
+    await stopServiceIfRunning();
+    await uninstallIfInstalled();
+
+    ui.writeInformation("⚙️  Installing SafeChain Ultimate...");
+    await runMsiInstaller(msiPath);
+
+    ui.emptyLine();
+    ui.writeInformation(
+      "✅ SafeChain Ultimate installed and started successfully!",
+    );
+    ui.emptyLine();
+  } finally {
+    ui.writeVerbose(`Cleaning up temporary file: ${msiPath}`);
+    cleanup(msiPath);
+  }
+}
+
+/**
+ * Checks if admin privileges are available and displays error message if not.
+ * @returns {Promise<boolean>} True if running as admin, false otherwise.
+ */
+async function requireAdminPrivileges() {
+  if (await isRunningAsAdmin()) {
+    return true;
+  }
+
+  ui.writeError("Administrator privileges required.");
+  ui.writeInformation(
+    "Please run this command in an elevated terminal (Run as Administrator).",
+  );
+  return false;
+}
+
+async function isRunningAsAdmin() {
+  // Uses Windows Security API to check if current process has admin privileges.
+  // Returns "True" or "False" as a string.
+  const result = await safeSpawn(
+    "powershell",
+    [
+      "-Command",
+      "([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)",
+    ],
+    { stdio: "pipe" },
+  );
+
+  return result.status === 0 && result.stdout.trim() === "True";
+}
+
+/**
+ * Returns the MSI product code for SafeChain Ultimate, or null if not installed.
+ * @returns {string | null}
+ */
+function getInstalledProductCode() {
+  // Query Win32_Product via WMI to find the installed SafeChain Agent.
+  // If found, outputs the product GUID (e.g., "{12345678-1234-...}") needed for msiexec uninstall.
+  ui.writeVerbose(`Finding product code with PowerShell`);
+
+  let productCode;
+  try {
+    productCode = execSync(
+      `powershell -Command "$app = Get-WmiObject -Class Win32_Product -Filter \\"Name='${WINDOWS_APP_NAME}'\\"; if ($app) { Write-Output $app.IdentifyingNumber }"`,
+      { encoding: "utf8" },
+    ).trim();
+  } catch {
+    return null;
+  }
+  return productCode || null;
+}
+
+/**
+ * @param {string} productCode
+ */
+async function uninstallByProductCode(productCode) {
+  ui.writeVerbose(`Found product code: ${productCode}`);
+
+  // Use msiexec to run the msi installer quitely (https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec)
+  // Options:
+  //  - /x:         Uninstalls the package.
+  //  - /qn:        Specifies there's no UI during the installation process.
+  //  - /norestart: Stops the device from restarting after the installation completes.
+  const uninstallResult = await printVerboseAndSafeSpawn(
+    "msiexec",
+    ["/x", productCode, "/qn", "/norestart"],
+    { stdio: "inherit" },
+  );
+
+  if (uninstallResult.status !== 0) {
+    throw new Error(`Uninstall failed (exit code: ${uninstallResult.status})`);
+  }
+}
+
+async function uninstallIfInstalled() {
+  const productCode = getInstalledProductCode();
+  if (!productCode) {
+    ui.writeVerbose("No existing installation found (fresh install).");
+    return;
+  }
+
+  ui.writeInformation("🗑️  Removing previous installation...");
+  await uninstallByProductCode(productCode);
+}
+
+/**
+ * @param {string} msiPath
+ */
+async function runMsiInstaller(msiPath) {
+  // Use msiexec to run the msi installer quitely (https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec)
+  // Options:
+  //  - /i:  Specifies normal installation
+  //  - /qn: Specifies there's no UI during the installation process.
+
+  const result = await printVerboseAndSafeSpawn(
+    "msiexec",
+    ["/i", msiPath, "/qn"],
+    {
+      stdio: "inherit",
+    },
+  );
+
+  if (result.status !== 0) {
+    throw new Error(`MSI installer failed (exit code: ${result.status})`);
+  }
+}
+
+async function stopServiceIfRunning() {
+  ui.writeInformation("⏹️  Stopping running service...");
+
+  const result = await printVerboseAndSafeSpawn(
+    "net",
+    ["stop", WINDOWS_SERVICE_NAME],
+    {
+      stdio: "pipe",
+    },
+  );
+
+  if (result.status !== 0) {
+    ui.writeVerbose("Service not running (will start after installation).");
+  }
+}
+
+/**
+ * @param {string} msiPath
+ */
+function cleanup(msiPath) {
+  try {
+    unlinkSync(msiPath);
+  } catch {
+    ui.writeVerbose("Failed to clean up temporary installer file.");
+  }
+}

package/src/installation/installUltimate.js

@@ -0,0 +1,35 @@
+import { platform } from "os";
+import { ui } from "../environment/userInteraction.js";
+import { initializeCliArguments } from "../config/cliArguments.js";
+import { installOnWindows, uninstallOnWindows } from "./installOnWindows.js";
+import { installOnMacOS, uninstallOnMacOS } from "./installOnMacOS.js";
+
+export async function uninstallUltimate() {
+  initializeCliArguments(process.argv);
+
+  const operatingSystem = platform();
+
+  if (operatingSystem === "win32") {
+    await uninstallOnWindows();
+  } else if (operatingSystem === "darwin") {
+    await uninstallOnMacOS();
+  } else {
+    ui.writeInformation(
+      `Uninstall is not yet supported on ${operatingSystem}.`,
+    );
+  }
+}
+
+export async function installUltimate() {
+  const operatingSystem = platform();
+
+  if (operatingSystem === "win32") {
+    await installOnWindows();
+  } else if (operatingSystem === "darwin") {
+    await installOnMacOS();
+  } else {
+    ui.writeInformation(
+      `${operatingSystem} is not supported yet by SafeChain's ultimate version.`,
+    );
+  }
+}

package/src/main.js

@@ -73,20 +73,20 @@ export async function main(args) {
       ui.writeVerbose(
         `${chalk.green("✔")} Safe-chain: Scanned ${
           auditStats.totalPackages
-        } packages, no malware found.`
+        } packages, no malware found.`,
       );
     }
 
     if (proxy.hasSuppressedVersions()) {
       ui.writeInformation(
         `${chalk.yellow(
-          "ℹ"
-        )} Safe-chain: Some package versions were suppressed due to minimum age requirement.`
+          "ℹ",
+        )} Safe-chain: Some package versions were suppressed due to minimum age requirement.`,
       );
       ui.writeInformation(
         `  To disable this check, use: ${chalk.cyan(
-          "--safe-chain-skip-minimum-package-age"
-        )}`
+          "--safe-chain-skip-minimum-package-age",
+        )}`,
       );
     }
 

package/src/registryProxy/interceptors/npm/modifyNpmInfo.js

@@ -1,4 +1,4 @@
-import { getMinimumPackageAgeHours } from "../../../config/settings.js";
+import { getMinimumPackageAgeHours, getNpmMinimumPackageAgeExclusions } from "../../../config/settings.js";
 import { ui } from "../../../environment/userInteraction.js";
 import { getHeaderValueAsString } from "../../http-utils.js";
 
@@ -65,6 +65,16 @@ export function modifyNpmInfoResponse(body, headers) {
       return body;
     }
 
+    // Check if this package is excluded from minimum age filtering
+    const packageName = bodyJson.name;
+    const exclusions = getNpmMinimumPackageAgeExclusions();
+    if (packageName && exclusions.some((pattern) => matchesExclusionPattern(packageName, pattern))) {
+      ui.writeVerbose(
+        `Safe-chain: ${packageName} is excluded from minimum package age filtering (minimumPackageAgeExclusions setting).`
+      );
+      return body;
+    }
+
     const cutOff = new Date(
       new Date().getTime() - getMinimumPackageAgeHours() * 3600 * 1000
     );
@@ -116,8 +126,10 @@ export function modifyNpmInfoResponse(body, headers) {
 function deleteVersionFromJson(json, version) {
   state.hasSuppressedVersions = true;
 
+  const packageName = typeof json?.name === "string" ? json.name : "(unknown)";
+
   ui.writeVerbose(
-    `Safe-chain: ${version} is newer than ${getMinimumPackageAgeHours()} hours and was removed (minimumPackageAgeInHours setting).`
+    `Safe-chain: ${packageName}@${version} is newer than ${getMinimumPackageAgeHours()} hours and was removed (minimumPackageAgeInHours setting).`
   );
 
   delete json.time[version];
@@ -175,3 +187,17 @@ function getMostRecentTag(tagList) {
 export function getHasSuppressedVersions() {
   return state.hasSuppressedVersions;
 }
+
+/**
+ * Checks if a package name matches an exclusion pattern.
+ * Supports trailing wildcard (*) for prefix matching.
+ * @param {string} packageName
+ * @param {string} pattern
+ * @returns {boolean}
+ */
+function matchesExclusionPattern(packageName, pattern) {
+  if (pattern.endsWith("/*")) {
+    return packageName.startsWith(pattern.slice(0, -1));
+  }
+  return packageName === pattern;
+}