@aikidosec/safe-chain 1.5.1 → 1.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -290,6 +290,12 @@ You can set custom registries through environment variable or config file. Both
290
290
  }
291
291
  ```
292
292
 
293
+ ## PYPI Configuration File
294
+
295
+ If you rely on a `pip.conf` file for pip configuration you must point pip at it explicitly via the `PIP_CONFIG_FILE` environment variable so Safe Chain can merge it.
296
+
297
+ Safe Chain runs pip behind its MITM proxy and writes a temporary pip configuration file to inject its certificate and proxy settings. When `PIP_CONFIG_FILE` is set, Safe Chain merges its settings into a copy of your file (your original file is never modified) so your `index-url`, credentials, and other options are preserved. When `PIP_CONFIG_FILE` is not set, pip's user-level config (e.g. `~/.config/pip/pip.conf`) might be overridden by Safe Chain's temporary file and your settings will not be picked up.
298
+
293
299
  ## Malware List Base URL
294
300
 
295
301
  Configure Safe Chain to fetch malware databases and new packages lists from a custom mirror URL. This allows you to host your own copy of the Aikido malware database.
@@ -3112,7 +3112,7 @@
3112
3112
  },
3113
3113
  "packages/safe-chain": {
3114
3114
  "name": "@aikidosec/safe-chain",
3115
- "version": "1.5.1",
3115
+ "version": "1.5.2",
3116
3116
  "license": "AGPL-3.0-or-later",
3117
3117
  "dependencies": {
3118
3118
  "certifi": "14.5.15",
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@aikidosec/safe-chain",
3
- "version": "1.5.1",
3
+ "version": "1.5.2",
4
4
  "scripts": {
5
5
  "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
6
6
  "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",
@@ -42,7 +42,7 @@ function getSafeChainProxyEnvironmentVariables() {
42
42
  return {};
43
43
  }
44
44
 
45
- const proxyUrl = `http://localhost:${state.port}`;
45
+ const proxyUrl = `http://127.0.0.1:${state.port}`;
46
46
  const caCertPath = getCombinedCaBundlePath();
47
47
 
48
48
  return {
@@ -95,8 +95,11 @@ function createProxyServer() {
95
95
  */
96
96
  function startServer(server) {
97
97
  return new Promise((resolve, reject) => {
98
- // Passing port 0 makes the OS assign an available port
99
- server.listen(0, () => {
98
+ // Bind to loopback only. Without an explicit host, Node listens on every
99
+ // interface, turning the proxy into an unauthenticated forward proxy that
100
+ // anyone reachable on the network can use to hit the victim's localhost,
101
+ // intranet, or cloud metadata endpoints. Port 0 lets the OS pick a port.
102
+ server.listen(0, "127.0.0.1", () => {
100
103
  const address = server.address();
101
104
  if (address && typeof address === "object") {
102
105
  state.port = address.port;
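Review bot: The loopback literal is now written twice — `server.listen(0, "127.0.0.1", …)` in this hunk and `const proxyUrl = \`http://127.0.0.1:${state.port}\`` in the getSafeChainProxyEnvironmentVariables hunk above — and the bind address and the URL handed to clients must stay identical, so a single module-level constant would keep them from drifting: `const PROXY_HOST = "127.0.0.1";`, `server.listen(0, PROXY_HOST, () => {`, `const proxyUrl = \`http://${PROXY_HOST}:${state.port}\`;`. The switch from `localhost` to the IPv4 literal in the URL is presumably deliberate, since `localhost` can resolve to `::1` first on some hosts while the server now listens only on IPv4 loopback; a one-line comment on the `proxyUrl` line saying so would save the next reader from reverting it. The Promise here receives `reject`, but the hunk does not show an `error` listener on `server`; if none is attached elsewhere in startServer, a failed bind (for example a host with IPv4 loopback disabled) would leave the promise pending rather than rejecting. The body of startServer continues outside the hunk, so this may already be handled.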