@aikidosec/safe-chain 1.4.2 → 1.4.3

package/README.md

@@ -66,7 +66,6 @@ You can find all available versions on the [releases page](https://github.com/Ai
 ### Verify the installation
 
 1. **❗Restart your terminal** to start using the Aikido Safe Chain.
-
    - This step is crucial as it ensures that the shell aliases for npm, npx, yarn, pnpm, pnpx, bun, bunx, pip, pip3, poetry, uv and pipx are loaded correctly. If you do not restart your terminal, the aliases will not be available.
 
 2. **Verify the installation** by running the verification command:
@@ -159,7 +158,6 @@ You can control the output from Aikido Safe Chain using the `--safe-chain-loggin
 You can set the logging level through multiple sources (in order of priority):
 
 1. **CLI Argument** (highest priority):
-
    - `--safe-chain-logging=silent` - Suppresses all Aikido Safe Chain output except when malware is blocked. The package manager output is written to stdout as normal, and Safe Chain only writes a short message if it has blocked malware and causes the process to exit.
 
      ```shell
@@ -288,6 +286,7 @@ iex "& { $(iwr 'https://github.com/AikidoSec/safe-chain/releases/latest/download
 - ✅ **CircleCI**
 - ✅ **Jenkins**
 - ✅ **Bitbucket Pipelines**
+- ✅ **GitLab Pipelines**
 
 ## GitHub Actions Example
 
@@ -386,14 +385,76 @@ steps:
   - step:
       name: Install
       script:
-        - npm install -g @aikidosec/safe-chain
-        - safe-chain setup-ci
+        - curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
         - export PATH=~/.safe-chain/shims:$PATH
         - npm ci
 ```
 
 After setup, all subsequent package manager commands in your CI pipeline will automatically be protected by Aikido Safe Chain's malware detection.
 
+## GitLab Pipelines Example
+
+To add safe-chain in GitLab pipelines, you need to install it in the image running the pipeline. This can be done by:
+
+1. Define a dockerfile to run your build
+
+   ```dockerfile
+   FROM node:lts
+
+   # Install safe-chain
+   RUN curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
+
+   # Add safe-chain to PATH
+   ENV PATH="/root/.safe-chain/shims:/root/.safe-chain/bin:${PATH}"
+   ```
+
+2. Build the Docker image in your CI pipeline
+
+   ```yaml
+   build-image:
+     stage: build-image
+     image: docker:latest
+     services:
+       - docker:dind
+     script:
+       - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+       - docker build -t $CI_REGISTRY_IMAGE:latest .
+       - docker push $CI_REGISTRY_IMAGE:latest
+   ```
+
+3. Use the image in your pipeline:
+   ```yaml
+   npm-ci:
+     stage: install
+     image: $CI_REGISTRY_IMAGE:latest
+     script:
+       - npm ci
+   ```
+
+The full pipeline for this example looks like this:
+
+```yaml
+stages:
+  - build-image
+  - install
+
+build-image:
+  stage: build-image
+  image: docker:latest
+  services:
+    - docker:dind
+  script:
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    - docker build -t $CI_REGISTRY_IMAGE:latest .
+    - docker push $CI_REGISTRY_IMAGE:latest
+
+npm-ci:
+  stage: install
+  image: $CI_REGISTRY_IMAGE:latest
+  script:
+    - npm ci
+```
+
 # Troubleshooting
 
-Having issues? See the [Troubleshooting Guide](https://github.com/AikidoSec/safe-chain/blob/main/docs/troubleshooting.md) for help with common problems.
+Having issues? See the [Troubleshooting Guide](https://help.aikido.dev/code-scanning/aikido-malware-scanning/safe-chain-troubleshooting) for help with common problems.

package/bin/safe-chain.js

@@ -16,6 +16,14 @@ import path from "path";
 import { fileURLToPath } from "url";
 import fs from "fs";
 import { knownAikidoTools } from "../src/shell-integration/helpers.js";
+import {
+  installUltimate,
+  uninstallUltimate,
+} from "../src/installation/installUltimate.js";
+import {
+  printUltimateLogs,
+  troubleshootingExport,
+} from "../src/ultimate/ultimateTroubleshooting.js";
 
 /** @type {string} */
 // This checks the current file's dirname in a way that's compatible with:
@@ -62,9 +70,42 @@ if (tool) {
   process.exit(0);
 } else if (command === "setup") {
   setup();
+} else if (command === "ultimate") {
+  const cliArgs = initializeCliArguments(process.argv.slice(2));
+  const subCommand = cliArgs[1];
+  if (subCommand === "uninstall") {
+    guardCliArgsMaxLenght(2, cliArgs, "safe-chain ultimate uninstall");
+    (async () => {
+      await uninstallUltimate();
+    })();
+  } else if (subCommand === "troubleshooting-logs") {
+    guardCliArgsMaxLenght(
+      2,
+      cliArgs,
+      "safe-chain ultimate troubleshooting-logs",
+    );
+    (async () => {
+      await printUltimateLogs();
+    })();
+  } else if (subCommand === "troubleshooting-export") {
+    guardCliArgsMaxLenght(
+      2,
+      cliArgs,
+      "safe-chain ultimate troubleshooting-export",
+    );
+    (async () => {
+      await troubleshootingExport();
+    })();
+  } else {
+    guardCliArgsMaxLenght(1, cliArgs, "safe-chain ultimate");
+    // Install command = when no subcommand is provided (safe-chain ultimate)
+    (async () => {
+      await installUltimate();
+    })();
+  }
 } else if (command === "teardown") {
-  teardownDirectories();
   teardown();
+  teardownDirectories();
 } else if (command === "setup-ci") {
   setupCi();
 } else if (command === "--version" || command === "-v" || command === "-v") {
@@ -80,38 +121,77 @@ if (tool) {
   process.exit(1);
 }
 
+/**
+ * @param {Number} maxLength
+ * @param {String[]} args
+ * @param {String} command
+ */
+function guardCliArgsMaxLenght(maxLength, args, command) {
+  if (args.length > maxLength) {
+    ui.writeError(`Unexpected number of arguments for command ${command}.`);
+    ui.emptyLine();
+
+    writeHelp();
+
+    process.exit(1);
+  }
+}
+
 function writeHelp() {
   ui.writeInformation(
-    chalk.bold("Usage: ") + chalk.cyan("safe-chain <command>")
+    chalk.bold("Usage: ") + chalk.cyan("safe-chain <command>"),
   );
   ui.emptyLine();
   ui.writeInformation(
     `Available commands: ${chalk.cyan("setup")}, ${chalk.cyan(
-      "teardown"
-    )}, ${chalk.cyan("setup-ci")}, ${chalk.cyan("help")}, ${chalk.cyan(
-      "--version"
-    )}`
+      "teardown",
+    )}, ${chalk.cyan("setup-ci")}, ${chalk.cyan("ultimate")}, ${chalk.cyan("help")}, ${chalk.cyan(
+      "--version",
+    )}`,
   );
   ui.emptyLine();
   ui.writeInformation(
     `- ${chalk.cyan(
-      "safe-chain setup"
-    )}: This will setup your shell to wrap safe-chain around npm, npx, yarn, pnpm, pnpx, bun, bunx, pip and pip3.`
+      "safe-chain setup",
+    )}: This will setup your shell to wrap safe-chain around npm, npx, yarn, pnpm, pnpx, bun, bunx, pip and pip3.`,
   );
   ui.writeInformation(
     `- ${chalk.cyan(
-      "safe-chain teardown"
-    )}: This will remove safe-chain aliases from your shell configuration.`
+      "safe-chain teardown",
+    )}: This will remove safe-chain aliases from your shell configuration.`,
   );
   ui.writeInformation(
     `- ${chalk.cyan(
-      "safe-chain setup-ci"
-    )}: This will setup safe-chain for CI environments by creating shims and modifying the PATH.`
+      "safe-chain setup-ci",
+    )}: This will setup safe-chain for CI environments by creating shims and modifying the PATH.`,
   );
   ui.writeInformation(
     `- ${chalk.cyan("safe-chain --version")} (or ${chalk.cyan(
-      "-v"
-    )}): Display the current version of safe-chain.`
+      "-v",
+    )}): Display the current version of safe-chain.`,
+  );
+  ui.emptyLine();
+  ui.writeInformation(chalk.bold("Ultimate commands:"));
+  ui.emptyLine();
+  ui.writeInformation(
+    `- ${chalk.cyan(
+      "safe-chain ultimate",
+    )}: Install the ultimate version of safe-chain, enabling protection for more eco-systems.`,
+  );
+  ui.writeInformation(
+    `- ${chalk.cyan(
+      "safe-chain ultimate troubleshooting-logs",
+    )}: Prints standard and error logs for safe-chain ultimate and it's proxy.`,
+  );
+  ui.writeInformation(
+    `- ${chalk.cyan(
+      "safe-chain ultimate troubleshooting-export",
+    )}: Creates a zip archive of useful data for troubleshooting safe-chain ultimate, that can be shared with our support team.`,
+  );
+  ui.writeInformation(
+    `- ${chalk.cyan(
+      "safe-chain ultimate uninstall",
+    )}: Uninstall the ultimate version of safe-chain.`,
   );
   ui.emptyLine();
 }

package/docs/troubleshooting.md

@@ -149,6 +149,37 @@ Should include `~/.safe-chain/bin`
 
 **If persists:** Re-run the installation script
 
+### PowerShell Execution Policy Blocks Scripts (Windows)
+
+**Symptom:** When opening PowerShell, you see an error like:
+
+```
+. : File C:\Users\<username>\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 cannot be loaded because
+running scripts is disabled on this system.
+CategoryInfo          : SecurityError: (:) [], PSSecurityException
+FullyQualifiedErrorId : UnauthorizedAccess
+```
+
+**Cause:** Windows PowerShell's default execution policy (`Restricted`) blocks all script execution, including safe-chain's initialization script that's sourced from your PowerShell profile.
+
+**Resolution:**
+
+1. **Set the execution policy to allow local scripts:**
+
+   Open PowerShell as Administrator and run:
+
+   ```powershell
+   Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
+   ```
+
+   This allows:
+   - Local scripts (like safe-chain's) to run without signing
+   - Downloaded scripts to run only if signed by a trusted publisher
+
+2. **Restart PowerShell** and verify the error is resolved.
+
+> **Note:** `RemoteSigned` is Microsoft's recommended execution policy for client computers. It provides a good balance between security and usability.
+
 ### Shell Aliases Persist After Uninstallation
 
 **Symptom:** safe-chain commands still active after running uninstall script
@@ -277,22 +308,6 @@ Look for and remove:
 rm -rf ~/.safe-chain
 ```
 
-## Getting More Information
-
-### Enable Verbose Logging
-
-Get detailed diagnostic output using a CLI flag or environment variable:
-
-```bash
-# Using CLI flag
-npm install express --safe-chain-logging=verbose
-pip install requests --safe-chain-logging=verbose
-
-# Using environment variable (applies to all commands)
-export SAFE_CHAIN_LOGGING=verbose
-npm install express
-```
-
 ### Report Issues
 
 If you encounter problems:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.4.2",
+  "version": "1.4.3",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",
@@ -38,6 +38,7 @@
   "license": "AGPL-3.0-or-later",
   "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), [pnpx](https://pnpm.io/cli/dlx), [bun](https://bun.sh/), [bunx](https://bun.sh/docs/cli/bunx), [uv](https://docs.astral.sh/uv/) (Python), and [pip](https://pip.pypa.io/) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, pnpx, bun, bunx, uv, or pip/pip3 from downloading or running the malware.",
   "dependencies": {
+    "archiver": "^7.0.1",
     "certifi": "14.5.15",
     "chalk": "5.4.1",
     "https-proxy-agent": "7.0.6",
@@ -48,6 +49,7 @@
     "semver": "7.7.2"
   },
   "devDependencies": {
+    "@types/archiver": "^7.0.0",
     "@types/ini": "^4.1.1",
     "@types/make-fetch-happen": "^10.0.4",
     "@types/node": "^18.19.130",

package/src/installation/downloadAgent.js

@@ -0,0 +1,125 @@
+import { createWriteStream, createReadStream } from "fs";
+import { createHash } from "crypto";
+import { pipeline } from "stream/promises";
+import fetch from "make-fetch-happen";
+
+const ULTIMATE_VERSION = "v1.0.0";
+
+export const DOWNLOAD_URLS = {
+  win32: {
+    x64: {
+      url: `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/SafeChainUltimate-windows-amd64.msi`,
+      checksum:
+        "sha256:c6a36f9b8e55ab6b7e8742cbabc4469d85809237c0f5e6c21af20b36c416ee1d",
+    },
+    arm64: {
+      url: `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/SafeChainUltimate-windows-arm64.msi`,
+      checksum:
+        "sha256:46acd1af6a9938ea194c8ee8b34ca9b47c8de22e088a0791f3c0751dd6239c90",
+    },
+  },
+  darwin: {
+    x64: {
+      url: `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/SafeChainUltimate-darwin-amd64.pkg`,
+      checksum:
+        "sha256:bb1829e8ca422e885baf37bef08dcbe7df7a30f248e2e89c4071564f7d4f3396",
+    },
+    arm64: {
+      url: `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/SafeChainUltimate-darwin-arm64.pkg`,
+      checksum:
+        "sha256:7fe4a785709911cc366d8224b4c290677573b8c4833bd9054768299e55c5f0ed",
+    },
+  },
+};
+
+/**
+ * Builds the download URL for the SafeChain Agent installer.
+ * @param {string} fileName
+ */
+export function getAgentDownloadUrl(fileName) {
+  return `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/${fileName}`;
+}
+
+/**
+ * Downloads a file from a URL to a local path.
+ * @param {string} url
+ * @param {string} destPath
+ */
+export async function downloadFile(url, destPath) {
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`Download failed: ${response.statusText}`);
+  }
+  await pipeline(response.body, createWriteStream(destPath));
+}
+
+/**
+ * Returns the current agent version.
+ */
+export function getAgentVersion() {
+  return ULTIMATE_VERSION;
+}
+
+/**
+ * Returns download info (url, checksum) for the current OS and architecture.
+ * @returns {{ url: string, checksum: string } | null}
+ */
+export function getDownloadInfoForCurrentPlatform() {
+  const platform = process.platform;
+  const arch = process.arch;
+
+  if (!Object.hasOwn(DOWNLOAD_URLS, platform)) {
+    return null;
+  }
+  const platformUrls =
+    DOWNLOAD_URLS[/** @type {keyof typeof DOWNLOAD_URLS} */ (platform)];
+
+  if (!Object.hasOwn(platformUrls, arch)) {
+    return null;
+  }
+
+  return platformUrls[/** @type {keyof typeof platformUrls} */ (arch)];
+}
+
+/**
+ * Verifies the checksum of a file.
+ * @param {string} filePath
+ * @param {string} expectedChecksum - Format: "algorithm:hash" (e.g., "sha256:abc123...")
+ * @returns {Promise<boolean>}
+ */
+export async function verifyChecksum(filePath, expectedChecksum) {
+  const [algorithm, expected] = expectedChecksum.split(":");
+
+  const hash = createHash(algorithm);
+
+  if (filePath.includes("..")) throw new Error("Invalid file path");
+  const stream = createReadStream(filePath);
+
+  for await (const chunk of stream) {
+    hash.update(chunk);
+  }
+
+  const actual = hash.digest("hex");
+  return actual === expected;
+}
+
+/**
+ * Downloads the SafeChain agent for the current OS/arch and verifies its checksum.
+ * @param {string} fileName - Destination file path
+ * @returns {Promise<string | null>} The file path if successful, null if no download URL for current platform
+ */
+export async function downloadAgentToFile(fileName) {
+  const info = getDownloadInfoForCurrentPlatform();
+  if (!info) {
+    return null;
+  }
+
+  await downloadFile(info.url, fileName);
+
+  const isValid = await verifyChecksum(fileName, info.checksum);
+  if (!isValid) {
+    throw new Error("Checksum verification failed");
+  }
+
+  return fileName;
+}

package/src/installation/installOnMacOS.js

@@ -0,0 +1,155 @@
+import { tmpdir } from "os";
+import { unlinkSync } from "fs";
+import { join } from "path";
+import { execSync, spawnSync } from "child_process";
+import { ui } from "../environment/userInteraction.js";
+import { printVerboseAndSafeSpawn } from "../utils/safeSpawn.js";
+import { downloadAgentToFile, getAgentVersion } from "./downloadAgent.js";
+import chalk from "chalk";
+
+const MACOS_PKG_IDENTIFIER = "com.aikidosecurity.safechainultimate";
+
+/**
+ * Checks if root privileges are available and displays error message if not.
+ * @param {string} command - The sudo command to show in the error message
+ * @returns {boolean} True if running as root, false otherwise.
+ */
+function requireRootPrivileges(command) {
+  if (isRunningAsRoot()) {
+    return true;
+  }
+
+  ui.writeError("Root privileges required.");
+  ui.writeInformation("Please run this command with sudo:");
+  ui.writeInformation(`  ${command}`);
+  return false;
+}
+
+function isRunningAsRoot() {
+  const rootUserUid = 0;
+  return process.getuid?.() === rootUserUid;
+}
+
+export async function installOnMacOS() {
+  if (!requireRootPrivileges("sudo safe-chain ultimate")) {
+    return;
+  }
+
+  const pkgPath = join(tmpdir(), `SafeChainUltimate-${Date.now()}.pkg`);
+
+  ui.emptyLine();
+  ui.writeInformation(`📥 Downloading SafeChain Ultimate ${getAgentVersion()}`);
+  ui.writeVerbose(`Destination: ${pkgPath}`);
+
+  const result = await downloadAgentToFile(pkgPath);
+  if (!result) {
+    ui.writeError("No download available for this platform/architecture.");
+    return;
+  }
+
+  try {
+    ui.writeInformation("⚙️  Installing SafeChain Ultimate...");
+    await runPkgInstaller(pkgPath);
+
+    ui.emptyLine();
+    ui.writeInformation(
+      "✅ SafeChain Ultimate installed and started successfully!",
+    );
+    ui.emptyLine();
+    ui.writeInformation(
+      chalk.cyan("🔐 ") +
+        chalk.bold("ACTION REQUIRED: ") +
+        "macOS will show a popup to install our certificate.",
+    );
+    ui.writeInformation(
+      "   " +
+        chalk.bold("Please accept the certificate") +
+        " to complete the installation.",
+    );
+    ui.emptyLine();
+  } finally {
+    ui.writeVerbose(`Cleaning up temporary file: ${pkgPath}`);
+    cleanup(pkgPath);
+  }
+}
+
+const MACOS_UNINSTALL_SCRIPT =
+  "/Library/Application\\ Support/AikidoSecurity/SafeChainUltimate/scripts/uninstall";
+
+export async function uninstallOnMacOS() {
+  if (!requireRootPrivileges("sudo safe-chain ultimate uninstall")) {
+    return;
+  }
+
+  ui.emptyLine();
+
+  if (!isPackageInstalled()) {
+    ui.writeInformation("SafeChain Ultimate is not installed.");
+    return;
+  }
+
+  ui.writeInformation("🗑️  Uninstalling SafeChain Ultimate...");
+  ui.writeVerbose(`Running: ${MACOS_UNINSTALL_SCRIPT}`);
+
+  const result = spawnSync(MACOS_UNINSTALL_SCRIPT, {
+    stdio: "inherit",
+    shell: true,
+  });
+
+  if (result.status !== 0) {
+    ui.writeError(
+      `Uninstall script failed (exit code: ${result.status}). Please try again or remove manually.`,
+    );
+    return;
+  }
+
+  ui.emptyLine();
+  ui.writeInformation("✅ SafeChain Ultimate has been uninstalled.");
+  ui.emptyLine();
+}
+
+function isPackageInstalled() {
+  try {
+    const output = execSync(`pkgutil --pkg-info ${MACOS_PKG_IDENTIFIER}`, {
+      encoding: "utf8",
+      stdio: "pipe",
+    });
+    return output.includes(MACOS_PKG_IDENTIFIER);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * @param {string} pkgPath
+ */
+async function runPkgInstaller(pkgPath) {
+  // Uses installer to install the package (https://ss64.com/mac/installer.html)
+  // Options:
+  //  -pkg (required):    The package to be installed.
+  //  -target (required): The target volume is specified with the -target parameter.
+  //                       --> "-target /" installs to the current boot volume.
+
+  const result = await printVerboseAndSafeSpawn(
+    "installer",
+    ["-pkg", pkgPath, "-target", "/"],
+    {
+      stdio: "inherit",
+    },
+  );
+
+  if (result.status !== 0) {
+    throw new Error(`PKG installer failed (exit code: ${result.status})`);
+  }
+}
+
+/**
+ * @param {string} pkgPath
+ */
+function cleanup(pkgPath) {
+  try {
+    unlinkSync(pkgPath);
+  } catch {
+    ui.writeVerbose("Failed to clean up temporary installer file.");
+  }
+}