@aikidosec/safe-chain 1.4.4 → 1.4.8

package/src/registryProxy/interceptors/pip/pipMetadataVersionUtils.js

@@ -0,0 +1,131 @@
+import { parsePipPackageFromUrl } from "./parsePipPackageUrl.js";
+
+/**
+ * @param {any} file
+ * @param {string} metadataUrl
+ * @returns {string | undefined}
+ */
+export function getPackageVersionFromMetadataFile(file, metadataUrl) {
+  const href = typeof file?.url === "string" ? file.url : undefined;
+  const filename = typeof file?.filename === "string" ? file.filename : undefined;
+
+  if (href) {
+    const resolvedHref = new URL(href, metadataUrl).toString();
+    return parsePipPackageFromUrl(
+      resolvedHref,
+      new URL(resolvedHref).host
+    ).version;
+  }
+
+  if (filename) {
+    return parsePipPackageFromUrl(
+      new URL(filename, metadataUrl).toString(),
+      new URL(metadataUrl).host
+    ).version;
+  }
+
+  return undefined;
+}
+
+/**
+ * @param {any} json
+ * @param {string} metadataUrl
+ * @returns {string[]}
+ */
+export function getAvailableVersionsFromJson(json, metadataUrl) {
+  if (json.releases && typeof json.releases === "object") {
+    return Object.keys(json.releases);
+  }
+
+  if (!Array.isArray(json.files)) {
+    return [];
+  }
+
+  return [
+    ...new Set(
+      json.files
+        .map((/** @type {any} */ file) =>
+          getPackageVersionFromMetadataFile(file, metadataUrl)
+        )
+        .filter(isDefinedString)
+    ),
+  ];
+}
+
+/**
+ * @param {string | undefined} value
+ * @returns {value is string}
+ */
+function isDefinedString(value) {
+  return typeof value === "string";
+}
+
+/**
+ * @param {string[]} versions
+ * @returns {string | undefined}
+ */
+export function calculateLatestVersion(versions) {
+  const stableVersions = versions.filter((version) => !isPrerelease(version));
+  if (stableVersions.length > 0) {
+    return stableVersions.sort(comparePep440ishVersions).at(-1);
+  }
+
+  return versions.sort(comparePep440ishVersions).at(-1);
+}
+
+/**
+ * @param {string} left
+ * @param {string} right
+ * @returns {number}
+ */
+function comparePep440ishVersions(left, right) {
+  const leftParts = tokenizeVersion(left);
+  const rightParts = tokenizeVersion(right);
+  const maxLength = Math.max(leftParts.length, rightParts.length);
+
+  for (let index = 0; index < maxLength; index += 1) {
+    const leftPart = leftParts[index];
+    const rightPart = rightParts[index];
+
+    if (leftPart === undefined) return -1;
+    if (rightPart === undefined) return 1;
+
+    if (leftPart === rightPart) {
+      continue;
+    }
+
+    const leftNumeric = typeof leftPart === "number";
+    const rightNumeric = typeof rightPart === "number";
+
+    if (leftNumeric && rightNumeric) {
+      return leftPart - rightPart;
+    }
+
+    if (leftNumeric) return 1;
+    if (rightNumeric) return -1;
+
+    return String(leftPart).localeCompare(String(rightPart));
+  }
+
+  return 0;
+}
+
+/**
+ * @param {string} version
+ * @returns {(string | number)[]}
+ */
+function tokenizeVersion(version) {
+  return version
+    .toLowerCase()
+    .split(/[^a-z0-9]+/)
+    .flatMap((part) => part.match(/[a-z]+|\d+/g) || [])
+    .map((part) => (/^\d+$/.test(part) ? Number(part) : part));
+}
+
+/**
+ * @param {string} version
+ * @returns {boolean}
+ */
+function isPrerelease(version) {
+  return /(a|b|rc|dev)\d+/i.test(version);
+}

package/src/registryProxy/interceptors/suppressedVersionsState.js

@@ -0,0 +1,21 @@
+const state = {
+  hasSuppressedVersions: false,
+};
+
+/**
+ * Tracks whether any rewritten metadata response suppressed versions during the
+ * current process lifetime. This is intentional shared state used only for the
+ * end-of-run summary message exposed through the proxy API.
+ *
+ * @returns {void}
+ */
+export function recordSuppressedVersion() {
+  state.hasSuppressedVersions = true;
+}
+
+/**
+ * @returns {boolean}
+ */
+export function getHasSuppressedVersions() {
+  return state.hasSuppressedVersions;
+}

package/src/registryProxy/mitmRequestHandler.js

@@ -2,7 +2,8 @@ import https from "https";
 import { generateCertForHost } from "./certUtils.js";
 import { HttpsProxyAgent } from "https-proxy-agent";
 import { ui } from "../environment/userInteraction.js";
-import { gunzipSync, gzipSync } from "zlib";
+import { gunzipSync } from "zlib";
+import { omitHeaders } from "./http-utils.js";
 
 /**
  * @typedef {import("./interceptors/interceptorBuilder.js").Interceptor} Interceptor
@@ -215,11 +216,16 @@ function createProxyRequest(hostname, port, req, res, requestHandler) {
 
         buffer = requestHandler.modifyBody(buffer, headers);
 
-        if (proxyRes.headers["content-encoding"] === "gzip") {
-          buffer = gzipSync(buffer);
-        }
-
-        res.writeHead(statusCode, headers);
+        // For rewritten responses, send the final body uncompressed.
+        // This avoids mismatches between upstream compression metadata and the
+        // rewritten payload on the wire.
+        const rewrittenHeaders = omitHeaders(
+          headers,
+          ["content-length", "transfer-encoding", "content-encoding"],
+          { caseInsensitive: true }
+        ) || {};
+        rewrittenHeaders["content-length"] = String(buffer.byteLength);
+        res.writeHead(statusCode, rewrittenHeaders);
         res.end(buffer);
       });
     } else {

package/src/registryProxy/registryProxy.js

@@ -2,19 +2,24 @@ import * as http from "http";
 import { tunnelRequest } from "./tunnelRequestHandler.js";
 import { mitmConnect } from "./mitmRequestHandler.js";
 import { handleHttpProxyRequest } from "./plainHttpProxy.js";
-import { getCombinedCaBundlePath } from "./certBundle.js";
+import { getCombinedCaBundlePath, cleanupCertBundle } from "./certBundle.js";
 import { ui } from "../environment/userInteraction.js";
 import chalk from "chalk";
 import { createInterceptorForUrl } from "./interceptors/createInterceptorForEcoSystem.js";
-import { getHasSuppressedVersions } from "./interceptors/npm/modifyNpmInfo.js";
+import { getHasSuppressedVersions } from "./interceptors/suppressedVersionsState.js";
 
 const SERVER_STOP_TIMEOUT_MS = 1000;
 /**
- * @type {{port: number | null, blockedRequests: {packageName: string, version: string, url: string}[]}}
+ * @type {{
+ *   port: number | null,
+ *   blockedRequests: {packageName: string, version: string, url: string}[],
+ *   blockedMinimumAgeRequests: {packageName: string, version: string, url: string}[]
+ * }}
  */
 const state = {
   port: null,
   blockedRequests: [],
+  blockedMinimumAgeRequests: [],
 };
 
 export function createSafeChainProxy() {
@@ -23,7 +28,8 @@ export function createSafeChainProxy() {
   return {
     startServer: () => startServer(server),
     stopServer: () => stopServer(server),
-    verifyNoMaliciousPackages,
+    hasBlockedMaliciousPackages,
+    hasBlockedMinimumAgeRequests,
     hasSuppressedVersions: getHasSuppressedVersions,
   };
 }
@@ -115,12 +121,16 @@ function stopServer(server) {
   return new Promise((resolve) => {
     try {
       server.close(() => {
+        cleanupCertBundle();
         resolve();
       });
     } catch {
       resolve();
     }
-    setTimeout(() => resolve(), SERVER_STOP_TIMEOUT_MS);
+    setTimeout(() => {
+      cleanupCertBundle();
+      resolve();
+    }, SERVER_STOP_TIMEOUT_MS);
   });
 }
 
@@ -147,6 +157,18 @@ function handleConnect(req, clientSocket, head) {
         onMalwareBlocked(event.packageName, event.version, event.targetUrl);
       }
     );
+    interceptor.on(
+      "minimumAgeRequestBlocked",
+      (
+        /** @type {import("./interceptors/interceptorBuilder.js").MinimumAgeRequestBlockedEvent} */ event
+      ) => {
+        onMinimumAgeRequestBlocked(
+          event.packageName,
+          event.version,
+          event.targetUrl
+        );
+      }
+    );
 
     mitmConnect(req, clientSocket, interceptor);
   } else {
@@ -166,10 +188,19 @@ function onMalwareBlocked(packageName, version, url) {
   state.blockedRequests.push({ packageName, version, url });
 }
 
-function verifyNoMaliciousPackages() {
+/**
+ *
+ * @param {string} packageName
+ * @param {string} version
+ * @param {string} url
+ */
+function onMinimumAgeRequestBlocked(packageName, version, url) {
+  state.blockedMinimumAgeRequests.push({ packageName, version, url });
+}
+
+function hasBlockedMaliciousPackages() {
   if (state.blockedRequests.length === 0) {
-    // No malicious packages were blocked, so nothing to block
-    return true;
+    return false;
   }
 
   ui.emptyLine();
@@ -188,5 +219,37 @@ function verifyNoMaliciousPackages() {
   ui.writeExitWithoutInstallingMaliciousPackages();
   ui.emptyLine();
 
-  return false;
+  return true;
+}
+
+function hasBlockedMinimumAgeRequests() {
+  if (state.blockedMinimumAgeRequests.length === 0) {
+    return false;
+  }
+
+  ui.emptyLine();
+
+  ui.writeInformation(
+    `Safe-chain: ${chalk.bold(
+      `blocked ${state.blockedMinimumAgeRequests.length} direct package download request(s) due to minimum package age`
+    )}:`
+  );
+
+  for (const req of state.blockedMinimumAgeRequests) {
+    ui.writeInformation(` - ${req.packageName}@${req.version} (${req.url})`);
+  }
+
+  ui.writeInformation(
+    `  To disable this check, use: ${chalk.cyan(
+      "--safe-chain-skip-minimum-package-age"
+    )}`
+  );
+
+  ui.emptyLine();
+  ui.writeError(
+    "Safe-chain: Exiting without installing packages blocked by the direct download minimum package age check."
+  );
+  ui.emptyLine();
+
+  return true;
 }

package/src/scanning/newPackagesDatabaseBuilder.js

@@ -0,0 +1,71 @@
+import {
+  getMinimumPackageAgeHours,
+  getEcoSystem,
+  ECOSYSTEM_JS,
+  ECOSYSTEM_PY,
+} from "../config/settings.js";
+import { getEquivalentPackageNames } from "./packageNameVariants.js";
+
+/**
+ * @typedef {Object} NewPackagesDatabase
+ * @property {function(string | undefined, string | undefined): boolean} isNewlyReleasedPackage
+ */
+
+/**
+ * Returns the ecosystem identifier expected in upstream/core release feeds.
+ * @returns {string}
+ */
+function getCurrentFeedSource() {
+  const ecosystem = getEcoSystem();
+
+  if (ecosystem === ECOSYSTEM_JS) {
+    return "npm";
+  }
+
+  if (ecosystem === ECOSYSTEM_PY) {
+    return "pypi";
+  }
+
+  return ecosystem;
+}
+
+/**
+ * @param {import("../api/aikido.js").NewPackageEntry[]} newPackagesList
+ * @returns {NewPackagesDatabase}
+ */
+export function buildNewPackagesDatabase(newPackagesList) {
+  const ecosystem = getEcoSystem();
+
+  /**
+   * @param {string | undefined} name
+   * @param {string | undefined} version
+   * @returns {boolean}
+   */
+  function isNewlyReleasedPackage(name, version) {
+    if (!name || !version) {
+      return false;
+    }
+
+    const cutOff = new Date(
+      new Date().getTime() - getMinimumPackageAgeHours() * 3600 * 1000
+    );
+    const expectedSource = getCurrentFeedSource();
+    const candidateNames = getEquivalentPackageNames(name, ecosystem);
+
+    const entry = newPackagesList.find(
+      (pkg) =>
+        (!pkg.source || pkg.source.toLowerCase() === expectedSource) &&
+        candidateNames.includes(pkg.package_name) &&
+        pkg.version === version
+    );
+
+    if (!entry) {
+      return false;
+    }
+
+    const releasedOn = new Date(entry.released_on * 1000);
+    return releasedOn > cutOff;
+  }
+
+  return { isNewlyReleasedPackage };
+}

package/src/scanning/newPackagesDatabaseWarnings.js

@@ -0,0 +1,17 @@
+import { ui } from "../environment/userInteraction.js";
+
+let hasWarnedAboutUnavailableNewPackagesDatabase = false;
+
+/** @param {Error} error */
+export function warnOnceAboutUnavailableDatabase(error) {
+  if (!hasWarnedAboutUnavailableNewPackagesDatabase) {
+    ui.writeWarning(
+      `Failed to load the new packages list used for direct package download request blocking. Continuing with metadata-based minimum age checks only. ${error.message}`
+    );
+    hasWarnedAboutUnavailableNewPackagesDatabase = true;
+  }
+}
+
+export function resetWarningState() {
+  hasWarnedAboutUnavailableNewPackagesDatabase = false;
+}

package/src/scanning/newPackagesListCache.js

@@ -0,0 +1,126 @@
+import fs from "fs";
+import {
+  fetchNewPackagesList,
+  fetchNewPackagesListVersion,
+} from "../api/aikido.js";
+import {
+  getNewPackagesListPath,
+  getNewPackagesListVersionPath,
+} from "../config/configFile.js";
+import { ui } from "../environment/userInteraction.js";
+import { buildNewPackagesDatabase } from "./newPackagesDatabaseBuilder.js";
+import { warnOnceAboutUnavailableDatabase } from "./newPackagesDatabaseWarnings.js";
+
+/**
+ * @typedef {import("./newPackagesDatabaseBuilder.js").NewPackagesDatabase} NewPackagesDatabase
+ */
+
+// Shared per-process cache to avoid rebuilding the same feed-backed database on each request.
+/** @type {NewPackagesDatabase | null} */
+let cachedNewPackagesDatabase = null;
+
+/**
+ * @returns {Promise<NewPackagesDatabase>}
+ */
+export async function openNewPackagesDatabase() {
+  if (cachedNewPackagesDatabase) {
+    return cachedNewPackagesDatabase;
+  }
+
+  /** @type {import("../api/aikido.js").NewPackageEntry[]} */
+  let newPackagesList;
+
+  try {
+    newPackagesList = await getNewPackagesList();
+  } catch (/** @type {any} */ error) {
+    warnOnceAboutUnavailableDatabase(error);
+    cachedNewPackagesDatabase = { isNewlyReleasedPackage: () => false };
+    return cachedNewPackagesDatabase;
+  }
+
+  cachedNewPackagesDatabase = buildNewPackagesDatabase(newPackagesList);
+  return cachedNewPackagesDatabase;
+}
+
+/**
+ * @returns {Promise<import("../api/aikido.js").NewPackageEntry[]>}
+ */
+async function getNewPackagesList() {
+  const { newPackagesList: cachedList, version: cachedVersion } =
+    readNewPackagesListFromLocalCache();
+
+  try {
+    if (cachedList) {
+      const currentVersion = await fetchNewPackagesListVersion();
+      if (cachedVersion === currentVersion) {
+        return cachedList;
+      }
+    }
+
+    const { newPackagesList, version } = await fetchNewPackagesList();
+
+    if (version) {
+      writeNewPackagesListToLocalCache(newPackagesList, version);
+      return newPackagesList;
+    } else {
+      ui.writeWarning(
+        "The new packages list for direct package download request blocking was downloaded, but could not be cached due to a missing version."
+      );
+      return newPackagesList;
+    }
+  } catch (/** @type {any} */ error) {
+    if (cachedList) {
+      ui.writeWarning(
+        "Failed to fetch the latest new packages list for direct package download request blocking. Using cached version."
+      );
+      return cachedList;
+    }
+    throw error;
+  }
+}
+
+/**
+ * @param {import("../api/aikido.js").NewPackageEntry[]} data
+ * @param {string | number} version
+ *
+ * @returns {void}
+ */
+export function writeNewPackagesListToLocalCache(data, version) {
+  try {
+    const listPath = getNewPackagesListPath();
+    const versionPath = getNewPackagesListVersionPath();
+
+    fs.writeFileSync(listPath, JSON.stringify(data));
+    fs.writeFileSync(versionPath, version.toString());
+  } catch {
+    ui.writeWarning(
+      "Failed to write new packages list to local cache, next time the list will be fetched from the server again."
+    );
+  }
+}
+
+/**
+ * @returns {{newPackagesList: import("../api/aikido.js").NewPackageEntry[] | null, version: string | null}}
+ */
+export function readNewPackagesListFromLocalCache() {
+  try {
+    const listPath = getNewPackagesListPath();
+    if (!fs.existsSync(listPath)) {
+      return { newPackagesList: null, version: null };
+    }
+
+    const data = fs.readFileSync(listPath, "utf8");
+    const newPackagesList = JSON.parse(data);
+    const versionPath = getNewPackagesListVersionPath();
+    let version = null;
+    if (fs.existsSync(versionPath)) {
+      version = fs.readFileSync(versionPath, "utf8").trim();
+    }
+    return { newPackagesList, version };
+  } catch {
+    ui.writeWarning(
+      "Failed to read new packages list from local cache. Continuing without local cache."
+    );
+    return { newPackagesList: null, version: null };
+  }
+}

package/src/scanning/packageNameVariants.js

@@ -0,0 +1,29 @@
+import { ECOSYSTEM_PY } from "../config/settings.js";
+
+/**
+ * Normalises a Python package name per PEP 503: lowercase and collapse any
+ * run of `.`, `_`, or `-` into a single hyphen.
+ * @param {string} packageName
+ * @returns {string}
+ */
+export function normalizePipPackageName(packageName) {
+  return packageName.toLowerCase().replace(/[._-]+/g, "-");
+}
+
+/**
+ * @param {string} packageName
+ * @param {string} ecosystem
+ * @returns {string[]}
+ */
+export function getEquivalentPackageNames(packageName, ecosystem) {
+  if (ecosystem !== ECOSYSTEM_PY) {
+    return [packageName];
+  }
+
+  const pythonSeparatorPattern = /[._-]/g;
+  const hyphenName = packageName.replaceAll(pythonSeparatorPattern, "-");
+  const underscoreName = packageName.replaceAll(pythonSeparatorPattern, "_");
+  const dotName = packageName.replaceAll(pythonSeparatorPattern, ".");
+
+  return [...new Set([packageName, hyphenName, underscoreName, dotName])];
+}

package/src/shell-integration/setup.js

@@ -91,9 +91,7 @@ async function setupShell(shell) {
     );
   } else {
     ui.writeError(
-      `${chalk.bold("- " + shell.name + ":")} ${chalk.red(
-        "Setup failed",
-      )}. Please check your ${shell.name} configuration.`,
+      `${chalk.bold("- " + shell.name + ":")} ${chalk.red("Setup failed")}`,
     );
     if (error) {
       let message = `  Error: ${error.message}`;
@@ -102,6 +100,12 @@ async function setupShell(shell) {
       }
       ui.writeError(message);
     }
+    ui.emptyLine();
+    ui.writeInformation(`  ${chalk.bold("To set up manually:")}`);
+    for (const instruction of shell.getManualSetupInstructions()) {
+      ui.writeInformation(`    ${instruction}`);
+    }
+    ui.emptyLine();
   }
 
   return success;

package/src/shell-integration/shellDetection.js

@@ -11,6 +11,8 @@ import { ui } from "../environment/userInteraction.js";
  * @property {() => boolean} isInstalled
  * @property {(tools: import("./helpers.js").AikidoTool[]) => boolean|Promise<boolean>} setup
  * @property {(tools: import("./helpers.js").AikidoTool[]) => boolean} teardown
+ * @property {() => string[]} getManualSetupInstructions
+ * @property {() => string[]} getManualTeardownInstructions
  */
 
 /**

package/src/shell-integration/supported-shells/bash.js

@@ -32,7 +32,7 @@ function teardown(tools) {
     );
   }
 
-  // Removes the line that sources the safe-chain bash initialization script (~/.aikido/scripts/init-posix.sh)
+  // Removes the line that sources the safe-chain bash initialization script (~/.safe-chain/scripts/init-posix.sh)
   removeLinesMatchingPattern(
     startupFile,
     /^source\s+~\/\.safe-chain\/scripts\/init-posix\.sh/,
@@ -123,6 +123,22 @@ function cygpathw(path) {
   }
 }
 
+function getManualTeardownInstructions() {
+  return [
+    `Remove the following line from your ~/.bashrc file:`,
+    `  source ~/.safe-chain/scripts/init-posix.sh`,
+    `Then restart your terminal or run: source ~/.bashrc`,
+  ];
+}
+
+function getManualSetupInstructions() {
+  return [
+    `Add the following line to your ~/.bashrc file:`,
+    `  source ~/.safe-chain/scripts/init-posix.sh`,
+    `Then restart your terminal or run: source ~/.bashrc`,
+  ];
+}
+
 /**
  * @type {import("../shellDetection.js").Shell}
  */
@@ -131,4 +147,6 @@ export default {
   isInstalled,
   setup,
   teardown,
+  getManualSetupInstructions,
+  getManualTeardownInstructions,
 };

package/src/shell-integration/supported-shells/fish.js

@@ -66,6 +66,22 @@ function getStartupFile() {
   }
 }
 
+function getManualTeardownInstructions() {
+  return [
+    `Remove the following line from your ~/.config/fish/config.fish file:`,
+    `  source ~/.safe-chain/scripts/init-fish.fish`,
+    `Then restart your terminal or run: source ~/.config/fish/config.fish`,
+  ];
+}
+
+function getManualSetupInstructions() {
+  return [
+    `Add the following line to your ~/.config/fish/config.fish file:`,
+    `  source ~/.safe-chain/scripts/init-fish.fish`,
+    `Then restart your terminal or run: source ~/.config/fish/config.fish`,
+  ];
+}
+
 /**
  * @type {import("../shellDetection.js").Shell}
  */
@@ -74,4 +90,6 @@ export default {
   isInstalled,
   setup,
   teardown,
+  getManualSetupInstructions,
+  getManualTeardownInstructions,
 };

package/src/shell-integration/supported-shells/powershell.js

@@ -71,6 +71,22 @@ function getStartupFile() {
   }
 }
 
+function getManualTeardownInstructions() {
+  return [
+    `Remove the following line from your PowerShell profile (run "echo $PROFILE" to find its location):`,
+    `  . "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1"`,
+    `Then restart your terminal or run: . $PROFILE`,
+  ];
+}
+
+function getManualSetupInstructions() {
+  return [
+    `Add the following line to your PowerShell profile (run "echo $PROFILE" to find its location):`,
+    `  . "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1"`,
+    `Then restart your terminal or run: . $PROFILE`,
+  ];
+}
+
 /**
  * @type {import("../shellDetection.js").Shell}
  */
@@ -79,4 +95,6 @@ export default {
   isInstalled,
   setup,
   teardown,
+  getManualSetupInstructions,
+  getManualTeardownInstructions,
 };