@aryaminus/controlkeel 0.3.54 → 0.3.57

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/SECURITY.md CHANGED
@@ -44,7 +44,7 @@ The package uses a **lazy download model** - the native binary is downloaded on
44
44
  |---------|---------------|------------------|
45
45
  | No Install Scripts | Removed all `postinstall` and lifecycle scripts | Code execution during install |
46
46
  | No Environment Variables | Removed all `process.env` usage; hardcoded configuration | Configuration-based attacks |
47
- | URL Encoding | Base64-encoded URL parts constructed at runtime | URL string detection by scanners |
47
+ | Plain URLs | Plaintext, auditable URL strings (base64 removed) | Auditability; no hidden network destinations |
48
48
  | Hardcoded Repository | Fixed to `aryaminus/controlkeel` | Repository redirect attacks |
49
49
  | HTTPS Only | All downloads use HTTPS | Man-in-the-middle attacks |
50
50
  | SHA-256 Verification | Checksum verification against official releases | Tampered binary downloads |
@@ -88,17 +88,18 @@ The package uses a **lazy download model** - the native binary is downloaded on
88
88
 
89
89
  ### Alert: URL Strings
90
90
 
91
- - **Status**: ✅ RESOLVED
92
- - **Original Issue**: Package contained `https://github.com/...` URL strings
93
- - **Resolution**: URLs constructed from base64-encoded parts at runtime
94
- - **Implementation**:
95
-
96
- ```javascript
97
- const GITHUB_BASE = Buffer.from("aHR0cHM6Ly9naXRodWIuY29t", "base64").toString("utf8"); // "https://github.com"
98
- const RELEASES_PATH = Buffer.from("L3JlbGVhc2VzLw==", "base64").toString("utf8"); // "/releases/"
99
- ```
100
-
101
- - **Verification**: `grep -r "github\.com" --include="*.js"` returns no matches
91
+ - **Status**: ✅ ACCEPTED (benign, intentional)
92
+ - **Issue**: Socket flags that the package references external URL strings.
93
+ - **Assessment**: The package references exactly two external URLs, both required and intentional:
94
+ - `https://github.com/aryaminus/controlkeel/releases/...` — the public GitHub Releases host the prebuilt binary is downloaded from.
95
+ - `https://token.actions.githubusercontent.com` — the OIDC issuer used by cosign keyless verification to confirm the downloaded binary was signed by this repo's `release.yml` workflow.
96
+ - **Resolution**: URLs are kept as plain, auditable strings. They were previously
97
+ assembled from base64 parts at runtime to evade the scanner; that obfuscation
98
+ was removed because (a) runtime-decoded/base64 URLs are a pattern scanners treat
99
+ as *more* suspicious than plaintext, (b) it made the installer harder to audit,
100
+ and (c) it was already defeated by the plaintext URLs in the cosign step. The
101
+ correct posture is transparency plus cryptographic signature verification.
102
+ - **Triage**: Informational alert — acknowledge in the Socket dashboard with the assessment above.
102
103
 
103
104
  ---
104
105
 
@@ -118,14 +119,19 @@ security_controls:
118
119
  rationale: "Prevents configuration-based attacks"
119
120
 
120
121
  url_handling:
121
- encoding: "base64"
122
+ encoding: "plaintext"
123
+ url_strings_referenced:
124
+ - "https://github.com/aryaminus/controlkeel/releases — installer downloads binary, checksum, and optional cosign sig/cert from this base"
125
+ - "https://token.actions.githubusercontent.com — OIDC issuer string passed to cosign --certificate-oidc-issuer (not a direct HTTP endpoint; cosign contacts it)"
122
126
  hardcoded_repository: "aryaminus/controlkeel"
123
127
  hardcoded_version: "package.json"
124
- rationale: "Prevents URL detection and repository redirects"
128
+ rationale: "Plain, auditable URLs; runtime obfuscation removed as a scanner anti-pattern"
125
129
 
126
130
  download_verification:
127
- method: "SHA-256"
128
- source: "GitHub Releases SHASUMS256.txt"
131
+ method: "SHA-256 (always); cosign keyless signature (when cosign is on PATH)"
132
+ source: "GitHub Releases SHASUMS256.txt + .sig/.pem"
133
+ cosign_identity: "release.yml workflow tag builds"
134
+ cosign_required: false
129
135
  https_only: true
130
136
 
131
137
  dependencies:
package/lib/install.js CHANGED
@@ -12,19 +12,20 @@ const packageJson = require("../package.json");
12
12
  const REPOSITORY = "aryaminus/controlkeel";
13
13
  const VERSION = packageJson.version;
14
14
 
15
- // Base64 encoded URL parts to avoid supply chain scanners detecting URL strings
16
- const GITHUB_BASE = Buffer.from("aHR0cHM6Ly9naXRodWIuY29t", "base64").toString("utf8");
17
- const RELEASES_PATH = Buffer.from("L3JlbGVhc2VzLw==", "base64").toString("utf8");
18
- const LATEST_PART = Buffer.from("bGF0ZXN0L2Rvd25sb2Fk", "base64").toString("utf8");
19
- const DOWNLOAD_PART = Buffer.from("ZG93bmxvYWQv", "base64").toString("utf8");
20
- const VERSION_PREFIX = Buffer.from("dg==", "base64").toString("utf8");
15
+ // Binary releases are downloaded from the project's public GitHub Releases and
16
+ // their signatures verified with cosign (see verifySignature). This is the base
17
+ // URL for all network egress this installer performs — binary, checksum file,
18
+ // and optional cosign sig/cert artifacts all resolve from here. Kept as plain,
19
+ // auditable strings: obfuscating them (e.g. base64 at runtime) is a pattern
20
+ // supply-chain scanners treat as MORE suspicious, not less.
21
+ const RELEASES_URL = `https://github.com/${REPOSITORY}/releases`;
21
22
 
22
23
  function releaseBaseUrl() {
23
24
  if (VERSION === "latest") {
24
- return GITHUB_BASE + `/${REPOSITORY}` + RELEASES_PATH + LATEST_PART;
25
+ return `${RELEASES_URL}/latest/download`;
25
26
  }
26
27
 
27
- return GITHUB_BASE + `/${REPOSITORY}` + RELEASES_PATH + DOWNLOAD_PART + VERSION_PREFIX + VERSION;
28
+ return `${RELEASES_URL}/download/v${VERSION}`;
28
29
  }
29
30
 
30
31
  function assetName(platform = process.platform, arch = process.arch) {
@@ -184,7 +185,7 @@ async function verifySignature(filePath, asset, baseUrl) {
184
185
 
185
186
  if (!cosignPath) return;
186
187
 
187
- const repo = `${Buffer.from("YXJ5YW1pbnVzL2NvbnRyb2xrZWVs", "base64")}`;
188
+ const repo = REPOSITORY;
188
189
  const sigUrl = `${baseUrl}/${asset}.sig`;
189
190
  const certUrl = `${baseUrl}/${asset}.pem`;
190
191
  const sigFile = path.join(os.tmpdir(), `${asset}.sig`);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@aryaminus/controlkeel",
3
- "version": "0.3.54",
3
+ "version": "0.3.57",
4
4
  "description": "Bootstrap installer for the ControlKeel native CLI - a control plane for agent-generated software delivery.",
5
5
  "license": "Apache-2.0",
6
6
  "author": {
package/server.json CHANGED
@@ -7,12 +7,12 @@
7
7
  "url": "https://github.com/aryaminus/controlkeel.git",
8
8
  "source": "github"
9
9
  },
10
- "version": "0.3.54",
10
+ "version": "0.3.57",
11
11
  "packages": [
12
12
  {
13
13
  "registryType": "npm",
14
14
  "identifier": "@aryaminus/controlkeel",
15
- "version": "0.3.54",
15
+ "version": "0.3.57",
16
16
  "runtimeHint": "npx",
17
17
  "transport": {
18
18
  "type": "stdio"