npm - @aikidosec/safe-chain - Versions diffs - 1.4.3 → 1.4.7 - Mend

@aikidosec/safe-chain 1.4.3 → 1.4.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/README.md +65 -8
package/bin/safe-chain.js +1 -81
package/package.json +1 -1
package/src/api/aikido.js +93 -18
package/src/config/cliArguments.js +24 -1
package/src/config/configFile.js +64 -6
package/src/config/environmentVariables.js +13 -2
package/src/config/settings.js +53 -4
package/src/main.js +6 -2
package/src/packagemanager/_shared/commandErrors.js +17 -0
package/src/packagemanager/bun/createBunPackageManager.js +2 -7
package/src/packagemanager/npm/runNpmCommand.js +2 -7
package/src/packagemanager/npx/runNpxCommand.js +2 -7
package/src/packagemanager/pip/runPipCommand.js +2 -7
package/src/packagemanager/pipx/runPipXCommand.js +2 -7
package/src/packagemanager/pnpm/runPnpmCommand.js +3 -7
package/src/packagemanager/poetry/createPoetryPackageManager.js +2 -7
package/src/packagemanager/uv/runUvCommand.js +2 -7
package/src/packagemanager/yarn/runYarnCommand.js +2 -7
package/src/registryProxy/certBundle.js +25 -3
package/src/registryProxy/http-utils.js +63 -0
package/src/registryProxy/interceptors/createInterceptorForEcoSystem.js +1 -1
package/src/registryProxy/interceptors/interceptorBuilder.js +37 -4
package/src/registryProxy/interceptors/minimumPackageAgeExclusions.js +33 -0
package/src/registryProxy/interceptors/npm/modifyNpmInfo.js +18 -41
package/src/registryProxy/interceptors/npm/npmInterceptor.js +47 -2
package/src/registryProxy/interceptors/npm/parseNpmPackageUrl.js +20 -3
package/src/registryProxy/interceptors/pip/modifyPipInfo.js +167 -0
package/src/registryProxy/interceptors/pip/modifyPipJsonResponse.js +176 -0
package/src/registryProxy/interceptors/pip/parsePipPackageUrl.js +162 -0
package/src/registryProxy/interceptors/pip/pipInterceptor.js +122 -0
package/src/registryProxy/interceptors/pip/pipMetadataResponseUtils.js +27 -0
package/src/registryProxy/interceptors/pip/pipMetadataVersionUtils.js +131 -0
package/src/registryProxy/interceptors/suppressedVersionsState.js +21 -0
package/src/registryProxy/mitmRequestHandler.js +12 -6
package/src/registryProxy/registryProxy.js +72 -9
package/src/scanning/newPackagesDatabaseBuilder.js +71 -0
package/src/scanning/newPackagesDatabaseWarnings.js +17 -0
package/src/scanning/newPackagesListCache.js +126 -0
package/src/scanning/packageNameVariants.js +29 -0
package/src/shell-integration/setup.js +7 -3
package/src/shell-integration/shellDetection.js +2 -0
package/src/shell-integration/supported-shells/bash.js +19 -1
package/src/shell-integration/supported-shells/fish.js +18 -0
package/src/shell-integration/supported-shells/powershell.js +18 -0
package/src/shell-integration/supported-shells/windowsPowershell.js +18 -0
package/src/shell-integration/supported-shells/zsh.js +19 -1
package/src/shell-integration/teardown.js +7 -1
package/src/ultimate/ultimateTroubleshooting.js +1 -1
package/src/installation/downloadAgent.js +0 -125
package/src/installation/installOnMacOS.js +0 -155
package/src/installation/installOnWindows.js +0 -203
package/src/installation/installUltimate.js +0 -35
package/src/registryProxy/interceptors/pipInterceptor.js +0 -132

package/src/registryProxy/interceptors/pipInterceptor.js DELETED Viewed

@@ -1,132 +0,0 @@
-import { getPipCustomRegistries } from "../../config/settings.js";
-import { isMalwarePackage } from "../../scanning/audit/index.js";
-import { interceptRequests } from "./interceptorBuilder.js";
-const knownPipRegistries = [
-  "files.pythonhosted.org",
-  "pypi.org",
-  "pypi.python.org",
-  "pythonhosted.org",
-];
-/**
- * @param {string} url
- * @returns {import("./interceptorBuilder.js").Interceptor | undefined}
- */
-export function pipInterceptorForUrl(url) {
-  const customRegistries = getPipCustomRegistries();
-  const registries = [...knownPipRegistries, ...customRegistries];
-  const registry = registries.find((reg) => url.includes(reg));
-  if (registry) {
-    return buildPipInterceptor(registry);
-  }
-  return undefined;
-}
-/**
- * @param {string} registry
- * @returns {import("./interceptorBuilder.js").Interceptor | undefined}
- */
-function buildPipInterceptor(registry) {
-  return interceptRequests(async (reqContext) => {
-    const { packageName, version } = parsePipPackageFromUrl(
-      reqContext.targetUrl,
-      registry
-    );
-    // Normalize underscores to hyphens for DB matching, as PyPI allows underscores in distribution names.
-    // Per python, packages that differ only by hyphen vs underscore are considered the same.
-    const hyphenName = packageName?.includes("_") ? packageName.replace(/_/g, "-") : packageName;
-    const isMalicious =
-       await isMalwarePackage(packageName, version)
-    || await isMalwarePackage(hyphenName, version);
-    if (isMalicious) {
-      reqContext.blockMalware(packageName, version);
-    }
-  });
-}
-/**
- * @param {string} url
- * @param {string} registry
- * @returns {{packageName: string | undefined, version: string | undefined}}
- */
-function parsePipPackageFromUrl(url, registry) {
-  let packageName, version;
-  // Basic validation
-  if (!registry || typeof url !== "string") {
-    return { packageName, version };
-  }
-  // Quick sanity check on the URL + parse
-  let urlObj;
-  try {
-    urlObj = new URL(url);
-  } catch {
-    return { packageName, version };
-  }
-  // Get the last path segment (filename) and decode it (strip query & fragment automatically)
-  const lastSegment = urlObj.pathname.split("/").filter(Boolean).pop();
-  if (!lastSegment) {
-    return { packageName, version };
-  }
-  const filename = decodeURIComponent(lastSegment);
-  // Parse Python package downloads from PyPI/pythonhosted.org
-  // Example wheel: https://files.pythonhosted.org/packages/xx/yy/requests-2.28.1-py3-none-any.whl
-  // Example sdist: https://files.pythonhosted.org/packages/xx/yy/requests-2.28.1.tar.gz
-  // Wheel (.whl) and Poetry's preflight metadata (.whl.metadata)
-  // Examples:
-  //   foo_bar-2.0.0-py3-none-any.whl
-  //   foo_bar-2.0.0-py3-none-any.whl.metadata
-  const wheelExtRe = /\.whl(?:\.metadata)?$/;
-  const wheelExtMatch = filename.match(wheelExtRe);
-  if (wheelExtMatch) {
-    const base = filename.replace(wheelExtRe, "");
-    const firstDash = base.indexOf("-");
-    if (firstDash > 0) {
-      const dist = base.slice(0, firstDash); // may contain underscores
-      const rest = base.slice(firstDash + 1); // version + the rest of tags
-      const secondDash = rest.indexOf("-");
-      const rawVersion = secondDash >= 0 ? rest.slice(0, secondDash) : rest;
-      packageName = dist;
-      version = rawVersion;
-      // Reject "latest" as it's a placeholder, not a real version
-      // When version is "latest", this signals the URL doesn't contain actual version info
-      // Returning undefined allows the request (see registryProxy.js isAllowedUrl)
-      if (version === "latest" || !packageName || !version) {
-        return { packageName: undefined, version: undefined };
-      }
-      return { packageName, version };
-    }
-  }
-  // Source dist (sdist) and potential metadata sidecars (e.g., .tar.gz.metadata)
-  const sdistExtWithMetadataRe = /\.(tar\.gz|zip|tar\.bz2|tar\.xz)(\.metadata)?$/i;
-  const sdistExtMatch = filename.match(sdistExtWithMetadataRe);
-  if (sdistExtMatch) {
-    const base = filename.replace(sdistExtWithMetadataRe, "");
-    const lastDash = base.lastIndexOf("-");
-    if (lastDash > 0 && lastDash < base.length - 1) {
-      packageName = base.slice(0, lastDash);
-      version = base.slice(lastDash + 1);
-      // Reject "latest" as it's a placeholder, not a real version
-      // When version is "latest", this signals the URL doesn't contain actual version info
-      // Returning undefined allows the request (see registryProxy.js isAllowedUrl)
-      if (version === "latest" || !packageName || !version) {
-        return { packageName: undefined, version: undefined };
-      }
-      return { packageName, version };
-    }
-  }
-  // Unknown file type or invalid
-  return { packageName: undefined, version: undefined };
-}