@aikidosec/safe-chain 1.4.2 → 1.4.3

package/src/installation/installOnWindows.js

@@ -0,0 +1,203 @@
+import { tmpdir } from "os";
+import { unlinkSync } from "fs";
+import { join } from "path";
+import { execSync } from "child_process";
+import { ui } from "../environment/userInteraction.js";
+import { printVerboseAndSafeSpawn, safeSpawn } from "../utils/safeSpawn.js";
+import { downloadAgentToFile, getAgentVersion } from "./downloadAgent.js";
+
+const WINDOWS_SERVICE_NAME = "SafeChainUltimate";
+const WINDOWS_APP_NAME = "SafeChain Ultimate";
+
+export async function uninstallOnWindows() {
+  if (!(await requireAdminPrivileges())) {
+    return;
+  }
+
+  ui.emptyLine();
+
+  const productCode = getInstalledProductCode();
+  if (!productCode) {
+    ui.writeInformation("SafeChain Ultimate is not installed.");
+    return;
+  }
+
+  await stopServiceIfRunning();
+
+  ui.writeInformation("🗑️  Uninstalling SafeChain Ultimate...");
+  await uninstallByProductCode(productCode);
+
+  ui.emptyLine();
+  ui.writeInformation("✅ SafeChain Ultimate has been uninstalled.");
+  ui.emptyLine();
+}
+
+export async function installOnWindows() {
+  if (!(await requireAdminPrivileges())) {
+    return;
+  }
+
+  const msiPath = join(tmpdir(), `SafeChainUltimate-${Date.now()}.msi`);
+
+  ui.emptyLine();
+  ui.writeInformation(`📥 Downloading SafeChain Ultimate ${getAgentVersion()}`);
+  ui.writeVerbose(`Destination: ${msiPath}`);
+
+  const result = await downloadAgentToFile(msiPath);
+  if (!result) {
+    ui.writeError("No download available for this platform/architecture.");
+    return;
+  }
+
+  try {
+    ui.emptyLine();
+    await stopServiceIfRunning();
+    await uninstallIfInstalled();
+
+    ui.writeInformation("⚙️  Installing SafeChain Ultimate...");
+    await runMsiInstaller(msiPath);
+
+    ui.emptyLine();
+    ui.writeInformation(
+      "✅ SafeChain Ultimate installed and started successfully!",
+    );
+    ui.emptyLine();
+  } finally {
+    ui.writeVerbose(`Cleaning up temporary file: ${msiPath}`);
+    cleanup(msiPath);
+  }
+}
+
+/**
+ * Checks if admin privileges are available and displays error message if not.
+ * @returns {Promise<boolean>} True if running as admin, false otherwise.
+ */
+async function requireAdminPrivileges() {
+  if (await isRunningAsAdmin()) {
+    return true;
+  }
+
+  ui.writeError("Administrator privileges required.");
+  ui.writeInformation(
+    "Please run this command in an elevated terminal (Run as Administrator).",
+  );
+  return false;
+}
+
+async function isRunningAsAdmin() {
+  // Uses Windows Security API to check if current process has admin privileges.
+  // Returns "True" or "False" as a string.
+  const result = await safeSpawn(
+    "powershell",
+    [
+      "-Command",
+      "([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)",
+    ],
+    { stdio: "pipe" },
+  );
+
+  return result.status === 0 && result.stdout.trim() === "True";
+}
+
+/**
+ * Returns the MSI product code for SafeChain Ultimate, or null if not installed.
+ * @returns {string | null}
+ */
+function getInstalledProductCode() {
+  // Query Win32_Product via WMI to find the installed SafeChain Agent.
+  // If found, outputs the product GUID (e.g., "{12345678-1234-...}") needed for msiexec uninstall.
+  ui.writeVerbose(`Finding product code with PowerShell`);
+
+  let productCode;
+  try {
+    productCode = execSync(
+      `powershell -Command "$app = Get-WmiObject -Class Win32_Product -Filter \\"Name='${WINDOWS_APP_NAME}'\\"; if ($app) { Write-Output $app.IdentifyingNumber }"`,
+      { encoding: "utf8" },
+    ).trim();
+  } catch {
+    return null;
+  }
+  return productCode || null;
+}
+
+/**
+ * @param {string} productCode
+ */
+async function uninstallByProductCode(productCode) {
+  ui.writeVerbose(`Found product code: ${productCode}`);
+
+  // Use msiexec to run the msi installer quitely (https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec)
+  // Options:
+  //  - /x:         Uninstalls the package.
+  //  - /qn:        Specifies there's no UI during the installation process.
+  //  - /norestart: Stops the device from restarting after the installation completes.
+  const uninstallResult = await printVerboseAndSafeSpawn(
+    "msiexec",
+    ["/x", productCode, "/qn", "/norestart"],
+    { stdio: "inherit" },
+  );
+
+  if (uninstallResult.status !== 0) {
+    throw new Error(`Uninstall failed (exit code: ${uninstallResult.status})`);
+  }
+}
+
+async function uninstallIfInstalled() {
+  const productCode = getInstalledProductCode();
+  if (!productCode) {
+    ui.writeVerbose("No existing installation found (fresh install).");
+    return;
+  }
+
+  ui.writeInformation("🗑️  Removing previous installation...");
+  await uninstallByProductCode(productCode);
+}
+
+/**
+ * @param {string} msiPath
+ */
+async function runMsiInstaller(msiPath) {
+  // Use msiexec to run the msi installer quitely (https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec)
+  // Options:
+  //  - /i:  Specifies normal installation
+  //  - /qn: Specifies there's no UI during the installation process.
+
+  const result = await printVerboseAndSafeSpawn(
+    "msiexec",
+    ["/i", msiPath, "/qn"],
+    {
+      stdio: "inherit",
+    },
+  );
+
+  if (result.status !== 0) {
+    throw new Error(`MSI installer failed (exit code: ${result.status})`);
+  }
+}
+
+async function stopServiceIfRunning() {
+  ui.writeInformation("⏹️  Stopping running service...");
+
+  const result = await printVerboseAndSafeSpawn(
+    "net",
+    ["stop", WINDOWS_SERVICE_NAME],
+    {
+      stdio: "pipe",
+    },
+  );
+
+  if (result.status !== 0) {
+    ui.writeVerbose("Service not running (will start after installation).");
+  }
+}
+
+/**
+ * @param {string} msiPath
+ */
+function cleanup(msiPath) {
+  try {
+    unlinkSync(msiPath);
+  } catch {
+    ui.writeVerbose("Failed to clean up temporary installer file.");
+  }
+}

package/src/installation/installUltimate.js

@@ -0,0 +1,35 @@
+import { platform } from "os";
+import { ui } from "../environment/userInteraction.js";
+import { initializeCliArguments } from "../config/cliArguments.js";
+import { installOnWindows, uninstallOnWindows } from "./installOnWindows.js";
+import { installOnMacOS, uninstallOnMacOS } from "./installOnMacOS.js";
+
+export async function uninstallUltimate() {
+  initializeCliArguments(process.argv);
+
+  const operatingSystem = platform();
+
+  if (operatingSystem === "win32") {
+    await uninstallOnWindows();
+  } else if (operatingSystem === "darwin") {
+    await uninstallOnMacOS();
+  } else {
+    ui.writeInformation(
+      `Uninstall is not yet supported on ${operatingSystem}.`,
+    );
+  }
+}
+
+export async function installUltimate() {
+  const operatingSystem = platform();
+
+  if (operatingSystem === "win32") {
+    await installOnWindows();
+  } else if (operatingSystem === "darwin") {
+    await installOnMacOS();
+  } else {
+    ui.writeInformation(
+      `${operatingSystem} is not supported yet by SafeChain's ultimate version.`,
+    );
+  }
+}

package/src/main.js

@@ -73,20 +73,20 @@ export async function main(args) {
       ui.writeVerbose(
         `${chalk.green("✔")} Safe-chain: Scanned ${
           auditStats.totalPackages
-        } packages, no malware found.`
+        } packages, no malware found.`,
       );
     }
 
     if (proxy.hasSuppressedVersions()) {
       ui.writeInformation(
         `${chalk.yellow(
-          "ℹ"
-        )} Safe-chain: Some package versions were suppressed due to minimum age requirement.`
+          "ℹ",
+        )} Safe-chain: Some package versions were suppressed due to minimum age requirement.`,
       );
       ui.writeInformation(
         `  To disable this check, use: ${chalk.cyan(
-          "--safe-chain-skip-minimum-package-age"
-        )}`
+          "--safe-chain-skip-minimum-package-age",
+        )}`,
       );
     }
 

package/src/shell-integration/helpers.js

@@ -3,6 +3,8 @@ import * as os from "os";
 import fs from "fs";
 import path from "path";
 import { ECOSYSTEM_JS, ECOSYSTEM_PY } from "../config/settings.js";
+import { safeSpawn } from "../utils/safeSpawn.js";
+import { ui } from "../environment/userInteraction.js";
 
 /**
  * @typedef {Object} AikidoTool
@@ -99,7 +101,7 @@ export const knownAikidoTools = [
     aikidoCommand: "aikido-pipx",
     ecoSystem: ECOSYSTEM_PY,
     internalPackageManagerName: "pipx",
-  }
+  },
   // When adding a new tool here, also update the documentation for the new tool in the README.md
 ];
 
@@ -216,7 +218,13 @@ export function addLineToFile(filePath, line, eol) {
   eol = eol || os.EOL;
 
   const fileContent = fs.readFileSync(filePath, "utf-8");
-  const updatedContent = fileContent + eol + line + eol;
+  let updatedContent = fileContent;
+
+  if (!fileContent.endsWith(eol)) {
+    updatedContent += eol;
+  }
+
+  updatedContent += line + eol;
   fs.writeFileSync(filePath, updatedContent, "utf-8");
 }
 
@@ -237,3 +245,60 @@ function createFileIfNotExists(filePath) {
 
   fs.writeFileSync(filePath, "", "utf-8");
 }
+
+/**
+ * Checks if PowerShell execution policy allows script execution
+ * @param {string} shellExecutableName - The name of the PowerShell executable ("pwsh" or "powershell")
+ * @returns {Promise<{isValid: boolean, policy: string}>} validation result
+ */
+export async function validatePowerShellExecutionPolicy(shellExecutableName) {
+  // Security: Only allow known shell executables
+  const validShells = ["pwsh", "powershell"];
+  if (!validShells.includes(shellExecutableName)) {
+    return { isValid: false, policy: "Unknown" };
+  }
+
+  try {
+    // For Windows PowerShell (5.1), clean PSModulePath to avoid conflicts with PowerShell 7 modules
+    // When safe-chain is invoked from PowerShell 7, it sets its module paths to PSModulePath, causing
+    // Windows PowerShell to try loading incompatible PowerShell 7 modules.
+    // Setting the environment to Windows PowerShell's modules fixes this.
+    let spawnOptions;
+    if (shellExecutableName === "powershell") {
+      const userProfile = process.env.USERPROFILE || "";
+      const cleanPSModulePath = [
+        path.join(userProfile, "Documents", "WindowsPowerShell", "Modules"),
+        "C:\\Program Files\\WindowsPowerShell\\Modules",
+        "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules",
+      ].join(";");
+
+      spawnOptions = {
+        env: {
+          ...process.env,
+          PSModulePath: cleanPSModulePath,
+        },
+      };
+    } else {
+      spawnOptions = {};
+    }
+
+    const commandResult = await safeSpawn(
+      shellExecutableName,
+      ["-Command", "Get-ExecutionPolicy"],
+      spawnOptions,
+    );
+
+    const policy = commandResult.stdout.trim();
+
+    const acceptablePolicies = ["RemoteSigned", "Unrestricted", "Bypass"];
+    return {
+      isValid: acceptablePolicies.includes(policy),
+      policy: policy,
+    };
+  } catch (err) {
+    ui.writeWarning(
+      `An error happened while trying to find the current executionpolicy in powershell: ${err}`,
+    );
+    return { isValid: false, policy: "Unknown" };
+  }
+}

package/src/shell-integration/setup.js

@@ -1,7 +1,11 @@
 import chalk from "chalk";
 import { ui } from "../environment/userInteraction.js";
 import { detectShells } from "./shellDetection.js";
-import { knownAikidoTools, getPackageManagerList, getScriptsDir } from "./helpers.js";
+import {
+  knownAikidoTools,
+  getPackageManagerList,
+  getScriptsDir,
+} from "./helpers.js";
 import fs from "fs";
 import path from "path";
 import { fileURLToPath } from "url";
@@ -26,7 +30,7 @@ if (import.meta.url) {
 export async function setup() {
   ui.writeInformation(
     chalk.bold("Setting up shell aliases.") +
-      ` This will wrap safe-chain around ${getPackageManagerList()}.`
+      ` This will wrap safe-chain around ${getPackageManagerList()}.`,
   );
   ui.emptyLine();
 
@@ -42,12 +46,12 @@ export async function setup() {
     ui.writeInformation(
       `Detected ${shells.length} supported shell(s): ${shells
         .map((shell) => chalk.bold(shell.name))
-        .join(", ")}.`
+        .join(", ")}.`,
     );
 
     let updatedCount = 0;
     for (const shell of shells) {
-      if (setupShell(shell)) {
+      if (await setupShell(shell)) {
         updatedCount++;
       }
     }
@@ -58,7 +62,7 @@ export async function setup() {
     }
   } catch (/** @type {any} */ error) {
     ui.writeError(
-      `Failed to set up shell aliases: ${error.message}. Please check your shell configuration.`
+      `Failed to set up shell aliases: ${error.message}. Please check your shell configuration.`,
     );
     return;
   }
@@ -68,12 +72,12 @@ export async function setup() {
  * Calls the setup function for the given shell and reports the result.
  * @param {import("./shellDetection.js").Shell} shell
  */
-function setupShell(shell) {
+async function setupShell(shell) {
   let success = false;
   let error;
   try {
     shell.teardown(knownAikidoTools); // First, tear down to prevent duplicate aliases
-    success = shell.setup(knownAikidoTools);
+    success = await shell.setup(knownAikidoTools);
   } catch (/** @type {any} */ err) {
     success = false;
     error = err;
@@ -82,14 +86,14 @@ function setupShell(shell) {
   if (success) {
     ui.writeInformation(
       `${chalk.bold("- " + shell.name + ":")} ${chalk.green(
-        "Setup successful"
-      )}`
+        "Setup successful",
+      )}`,
     );
   } else {
     ui.writeError(
       `${chalk.bold("- " + shell.name + ":")} ${chalk.red(
-        "Setup failed"
-      )}. Please check your ${shell.name} configuration.`
+        "Setup failed",
+      )}. Please check your ${shell.name} configuration.`,
     );
     if (error) {
       let message = `  Error: ${error.message}`;
@@ -115,11 +119,7 @@ function copyStartupFiles() {
     }
 
     // Use absolute path for source
-    const sourcePath = path.join(
-      dirname,
-      "startup-scripts",
-      file
-    );
+    const sourcePath = path.join(dirname, "startup-scripts", file);
     fs.copyFileSync(sourcePath, targetPath);
   }
 }

package/src/shell-integration/shellDetection.js

@@ -9,7 +9,7 @@ import { ui } from "../environment/userInteraction.js";
  * @typedef {Object} Shell
  * @property {string} name
  * @property {() => boolean} isInstalled
- * @property {(tools: import("./helpers.js").AikidoTool[]) => boolean} setup
+ * @property {(tools: import("./helpers.js").AikidoTool[]) => boolean|Promise<boolean>} setup
  * @property {(tools: import("./helpers.js").AikidoTool[]) => boolean} teardown
  */
 
@@ -28,7 +28,7 @@ export function detectShells() {
     }
   } catch (/** @type {any} */ error) {
     ui.writeError(
-      `We were not able to detect which shells are installed on your system. Please check your shell configuration. Error: ${error.message}`
+      `We were not able to detect which shells are installed on your system. Please check your shell configuration. Error: ${error.message}`,
     );
     return [];
   }

package/src/shell-integration/startup-scripts/init-fish.fish

@@ -71,13 +71,13 @@ end
 
 function printSafeChainWarning
     set original_cmd $argv[1]
-    
+
     # Fish equivalent of ANSI color codes: yellow background, black text for "Warning:"
     set_color -b yellow black
     printf "Warning:"
     set_color normal
     printf " safe-chain is not available to protect you from installing malware. %s will run without it.\n" $original_cmd
-    
+
     # Cyan text for the install command
     printf "Install safe-chain by using "
     set_color cyan
@@ -90,6 +90,20 @@ function wrapSafeChainCommand
     set original_cmd $argv[1]
     set cmd_args $argv[2..-1]
 
+    if not type -fq $original_cmd
+       # If the original command is not available, don't try to wrap it: invoke
+       # it transparently, so the shell can report errors as if this wrapper
+       # didn't exist. fish always adds extra debug information when executing
+       # missing commands from within a function, so after the "command not
+       # found" handler, there will be information about how the
+       # wrapSafeChainCommand function errored out. To avoid users assuming this
+       # is a safe-chain bug, display an explicit error message afterwards.
+       command $original_cmd $cmd_args
+       set oldstatus $status
+       echo "safe-chain tried to run $original_cmd but it doesn't seem to be installed in your \$PATH." >&2
+       return $oldstatus
+    end
+
     if type -q safe-chain
         # If the safe-chain command is available, just run it with the provided arguments
         safe-chain $original_cmd $cmd_args

package/src/shell-integration/startup-scripts/init-posix.sh

@@ -76,6 +76,14 @@ function printSafeChainWarning() {
 function wrapSafeChainCommand() {
   local original_cmd="$1"
 
+  if ! type -f "${original_cmd}" > /dev/null 2>&1; then
+    # If the original command is not available, don't try to wrap it: invoke it
+    # transparently, so the shell can report errors as if this wrapper didn't
+    # exist.
+    command "$@"
+    return $?
+  fi
+
   if command -v safe-chain > /dev/null 2>&1; then
     # If the aikido command is available, just run it with the provided arguments
     safe-chain "$@"

package/src/shell-integration/supported-shells/powershell.js

@@ -2,6 +2,7 @@ import {
   addLineToFile,
   doesExecutableExistOnSystem,
   removeLinesMatchingPattern,
+  validatePowerShellExecutionPolicy,
 } from "../helpers.js";
 import { execSync } from "child_process";
 
@@ -25,25 +26,33 @@ function teardown(tools) {
     // Remove any existing alias for the tool
     removeLinesMatchingPattern(
       startupFile,
-      new RegExp(`^Set-Alias\\s+${tool}\\s+`)
+      new RegExp(`^Set-Alias\\s+${tool}\\s+`),
     );
   }
 
   // Remove the line that sources the safe-chain PowerShell initialization script
   removeLinesMatchingPattern(
     startupFile,
-    /^\.\s+["']?\$HOME[/\\].safe-chain[/\\]scripts[/\\]init-pwsh\.ps1["']?/
+    /^\.\s+["']?\$HOME[/\\].safe-chain[/\\]scripts[/\\]init-pwsh\.ps1["']?/,
   );
 
   return true;
 }
 
-function setup() {
+async function setup() {
+  const { isValid, policy } =
+    await validatePowerShellExecutionPolicy(executableName);
+  if (!isValid) {
+    throw new Error(
+      `PowerShell execution policy is set to '${policy}', which prevents safe-chain from running.\n  -> To fix this, open PowerShell as Administrator and run: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned.\n     For more information, see: https://help.aikido.dev/code-scanning/aikido-malware-scanning/safe-chain-troubleshooting#powershell-execution-policy-blocks-scripts-windows`,
+    );
+  }
+
   const startupFile = getStartupFile();
 
   addLineToFile(
     startupFile,
-    `. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1" # Safe-chain PowerShell initialization script`
+    `. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1" # Safe-chain PowerShell initialization script`,
   );
 
   return true;
@@ -57,7 +66,7 @@ function getStartupFile() {
     }).trim();
   } catch (/** @type {any} */ error) {
     throw new Error(
-      `Command failed: ${startupFileCommand}. Error: ${error.message}`
+      `Command failed: ${startupFileCommand}. Error: ${error.message}`,
     );
   }
 }

package/src/shell-integration/supported-shells/windowsPowershell.js

@@ -2,6 +2,7 @@ import {
   addLineToFile,
   doesExecutableExistOnSystem,
   removeLinesMatchingPattern,
+  validatePowerShellExecutionPolicy,
 } from "../helpers.js";
 import { execSync } from "child_process";
 
@@ -25,25 +26,33 @@ function teardown(tools) {
     // Remove any existing alias for the tool
     removeLinesMatchingPattern(
       startupFile,
-      new RegExp(`^Set-Alias\\s+${tool}\\s+`)
+      new RegExp(`^Set-Alias\\s+${tool}\\s+`),
     );
   }
 
   // Remove the line that sources the safe-chain PowerShell initialization script
   removeLinesMatchingPattern(
     startupFile,
-    /^\.\s+["']?\$HOME[/\\].safe-chain[/\\]scripts[/\\]init-pwsh\.ps1["']?/
+    /^\.\s+["']?\$HOME[/\\].safe-chain[/\\]scripts[/\\]init-pwsh\.ps1["']?/,
   );
 
   return true;
 }
 
-function setup() {
+async function setup() {
+  const { isValid, policy } =
+    await validatePowerShellExecutionPolicy(executableName);
+  if (!isValid) {
+    throw new Error(
+      `PowerShell execution policy is set to '${policy}', which prevents safe-chain from running.\n  -> To fix this, open PowerShell as Administrator and run: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned.\n     For more information, see: https://help.aikido.dev/code-scanning/aikido-malware-scanning/safe-chain-troubleshooting#powershell-execution-policy-blocks-scripts-windows`,
+    );
+  }
+
   const startupFile = getStartupFile();
 
   addLineToFile(
     startupFile,
-    `. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1" # Safe-chain PowerShell initialization script`
+    `. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1" # Safe-chain PowerShell initialization script`,
   );
 
   return true;
@@ -57,7 +66,7 @@ function getStartupFile() {
     }).trim();
   } catch (/** @type {any} */ error) {
     throw new Error(
-      `Command failed: ${startupFileCommand}. Error: ${error.message}`
+      `Command failed: ${startupFileCommand}. Error: ${error.message}`,
     );
   }
 }