@socketsecurity/cli 0.7.1 → 0.8.0

package/lib/shadow/npm-injection.cjs

@@ -2,18 +2,24 @@
 // THIS MUST BE CJS TO WORK WITH --require
 'use strict'
 
+const events = require('events')
 const fs = require('fs')
-const path = require('path')
 const https = require('https')
-const events = require('events')
+const path = require('path')
 const rl = require('readline')
 const { PassThrough } = require('stream')
+
+const config = require('@socketsecurity/config')
+
 const oraPromise = import('ora')
 const isInteractivePromise = import('is-interactive')
 const chalkPromise = import('chalk')
 const chalkMarkdownPromise = import('../utils/chalk-markdown.js')
 const settingsPromise = import('../utils/settings.js')
-const ipc_version = require('../../package.json').version
+const sdkPromise = import('../utils/sdk.js')
+const createTTYServer = require('./tty-server.cjs')
+const { createIssueUXLookup } = require('../utils/issue-rules.cjs')
+const { isErrnoException } = require('../utils/type-helpers.cjs')
 
 try {
   // due to update-notifier pkg being ESM only we actually spawn a subprocess sadly
@@ -33,9 +39,119 @@ try {
  * @typedef {import('stream').Writable} Writable
  */
 
-const pubTokenPromise = settingsPromise.then(({ getSetting }) =>
-  getSetting('apiKey') || 'sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api'
-);
+const pubTokenPromise = sdkPromise.then(({ getDefaultKey, FREE_API_KEY }) => getDefaultKey() || FREE_API_KEY)
+const apiKeySettingsPromise = sdkPromise.then(async ({ setupSdk }) => {
+  const sdk = await setupSdk(await pubTokenPromise)
+  const orgResult = await sdk.getOrganizations()
+  if (!orgResult.success) {
+    throw new Error('Failed to fetch Socket organization info: ' + orgResult.error.message)
+  }
+  /**
+   * @type {(Exclude<typeof orgResult.data.organizations[string], undefined>)[]}
+   */
+  const orgs = []
+  for (const org of Object.values(orgResult.data.organizations)) {
+    if (org) {
+      orgs.push(org)
+    }
+  }
+  const result = await sdk.postSettings(orgs.map(org => {
+    return {
+      organization: org.id
+    }
+  }))
+  if (!result.success) {
+    throw new Error('Failed to fetch API key settings: ' + result.error.message)
+  }
+  return {
+    orgs,
+    settings: result.data
+  }
+})
+
+/**
+ *
+ */
+async function findSocketYML () {
+  let prevDir = null
+  let dir = process.cwd()
+  const fs = require('fs/promises')
+  while (dir !== prevDir) {
+    const ymlPath = path.join(dir, 'socket.yml')
+    // mark as handled
+    const yml = fs.readFile(ymlPath, 'utf-8').catch(() => {})
+    const yamlPath = path.join(dir, 'socket.yaml')
+    // mark as handled
+    const yaml = fs.readFile(yamlPath, 'utf-8').catch(() => {})
+    try {
+      const txt = await yml
+      if (txt != null) {
+        return {
+          path: ymlPath,
+          parsed: config.parseSocketConfig(txt)
+        }
+      }
+    } catch (e) {
+      if (isErrnoException(e)) {
+        if (e.code !== 'ENOENT' && e.code !== 'EISDIR') {
+          throw e
+        }
+      } else {
+        throw new Error('Found file but was unable to parse ' + ymlPath)
+      }
+    }
+    try {
+      const txt = await yaml
+      if (txt != null) {
+        return {
+          path: yamlPath,
+          parsed: config.parseSocketConfig(txt)
+        }
+      }
+    } catch (e) {
+      if (isErrnoException(e)) {
+        if (e.code !== 'ENOENT' && e.code !== 'EISDIR') {
+          throw e
+        }
+      } else {
+        throw new Error('Found file but was unable to parse ' + yamlPath)
+      }
+    }
+    prevDir = dir
+    dir = path.join(dir, '..')
+  }
+  return null
+}
+
+/**
+ * @type {Promise<ReturnType<import('../utils/issue-rules.cjs')['createIssueUXLookup']>>}
+ */
+const uxLookupPromise = settingsPromise.then(async ({ getSetting }) => {
+  const enforcedOrgs = getSetting('enforcedOrgs') ?? []
+  const { orgs, settings } = await apiKeySettingsPromise
+
+  // remove any organizations not being enforced
+  for (const [i, org] of orgs.entries()) {
+    if (!enforcedOrgs.includes(org.id)) {
+      settings.entries.splice(i, 1)
+    }
+  }
+
+  const socketYml = await findSocketYML()
+  if (socketYml) {
+    settings.entries.push({
+      start: socketYml.path,
+      // @ts-ignore
+      settings: {
+        [socketYml.path]: {
+          deferTo: null,
+          issueRules: socketYml.parsed.issueRules
+        }
+      }
+    })
+  }
+  return createIssueUXLookup(settings)
+})
 
 // shadow `npm` and `npx` to mitigate subshells
 require('./link.cjs')(fs.realpathSync(path.join(__dirname, 'bin')), 'npm')
@@ -76,6 +192,7 @@ async function * batchScan (
       }
     })
   }
+  // TODO: migrate to SDK
   const pkgDataReq = https.request(
     'https://api.socket.dev/v0/scan/batch',
     {
@@ -108,8 +225,10 @@ let translations = null
  */
 let formatter = null
 
-const ttyServerPromise = chalkPromise.then(chalk => {
-  return createTTYServer(chalk.default.level)
+const ttyServerPromise = chalkPromise.then(async (chalk) => {
+  return createTTYServer(chalk.default.level, (await isInteractivePromise).default({
+    stream: process.stdin
+  }), npmlog)
 })
 
 const npmEntrypoint = fs.realpathSync(`${process.argv[1]}`)
@@ -130,6 +249,10 @@ function findRoot (filepath) {
 const npmDir = findRoot(path.dirname(npmEntrypoint))
 const arboristLibClassPath = path.join(npmDir, 'node_modules', '@npmcli', 'arborist', 'lib', 'arborist', 'index.js')
 const npmlog = require(path.join(npmDir, 'node_modules', 'npmlog', 'lib', 'log.js'))
+/**
+ * @type {import('pacote')}
+ */
+const pacote = require(path.join(npmDir, 'node_modules', 'pacote'))
 
 /**
  * @type {typeof import('@npmcli/arborist')}
@@ -178,7 +301,12 @@ class SafeArborist extends Arborist {
       return this[kRiskyReify](...args)
     }
     args[0] ??= {}
-    const old = { ...args[0] }
+    const old = {
+      dryRun: false,
+      save: Boolean(args[0].save ?? true),
+      saveBundle: Boolean(args[0].saveBundle ?? false),
+      ...args[0]
+    }
     // @ts-expect-error types are wrong
     args[0].dryRun = true
     args[0].save = false
@@ -197,7 +325,7 @@ class SafeArborist extends Arborist {
     }
     const ttyServer = await ttyServerPromise
     const proceed = await ttyServer.captureTTY(async (input, output, colorLevel) => {
-      if (input) {
+      if (input && output) {
         const chalkNS = await chalkPromise
         chalkNS.default.level = colorLevel
         const oraNS = await oraPromise
@@ -212,7 +340,7 @@ class SafeArborist extends Arborist {
             spinner: oraNS.spinners.dots,
           })
         }
-        const risky = await packagesHaveRiskyIssues(this.registry, diff, ora, input, output)
+        const risky = await packagesHaveRiskyIssues(this, this.registry, diff, ora, input, output)
         if (!risky) {
           return true
         }
@@ -244,11 +372,13 @@ class SafeArborist extends Arborist {
           rli.close()
         }
       } else {
-        if (await packagesHaveRiskyIssues(this.registry, diff, null, null, output)) {
+        if (await packagesHaveRiskyIssues(this, this.registry, diff, null, null, output)) {
           throw new Error('Socket npm Unable to prompt to accept risk, need TTY to do so')
         }
         return true
       }
+      // @ts-ignore paranoia
+      // eslint-disable-next-line
       return false
     })
     if (proceed) {
@@ -353,14 +483,15 @@ function walk (diff, needInfoOn = []) {
 }
 
 /**
- * @param {string} registry
+ * @param {SafeArborist} safeArb
+ * @param {string} _registry
  * @param {InstallEffect[]} pkgs
  * @param {import('ora')['default'] | null} ora
- * @param {Readable | null} input
- * @param {Writable} ora
+ * @param {Readable | null} [_input]
+ * @param {Writable | null} [output]
  * @returns {Promise<boolean>}
  */
-async function packagesHaveRiskyIssues (registry, pkgs, ora = null, input, output) {
+async function packagesHaveRiskyIssues (safeArb, _registry, pkgs, ora = null, _input, output) {
   let failed = false
   if (pkgs.length) {
     let remaining = pkgs.length
@@ -374,69 +505,81 @@ async function packagesHaveRiskyIssues (registry, pkgs, ora = null, input, outpu
     const spinner = ora ? ora().start(getText()) : null
     const pkgDatas = []
     try {
+      // TODO: determine org based on cwd, pass in
+      const uxLookup = await uxLookupPromise
+
       for await (const pkgData of batchScan(pkgs.map(pkg => pkg.pkgid))) {
+        /**
+         * @type {Array<any>}
+         */
         let failures = []
+        let displayWarning = false
+        const name = pkgData.pkg
+        const version = pkgData.ver
+        let blocked = false
         if (pkgData.type === 'missing') {
+          failed = true
           failures.push({
             type: 'missingDependency'
           })
           continue
-        }
-        for (const issue of (pkgData.value?.issues ?? [])) {
-          if ([
-            'shellScriptOverride',
-            'gitDependency',
-            'httpDependency',
-            'installScripts',
-            'malware',
-            'didYouMean',
-            'hasNativeCode',
-            'troll',
-            'telemetry',
-            'invalidPackageJSON',
-            'unresolvedRequire',
-          ].includes(issue.type)) {
-            failures.push(issue)
-          }
-        }
-        // before we ask about problematic issues, check to see if they already existed in the old version
-        // if they did, be quiet
-        if (failures.length) {
-          const pkg = pkgs.find(pkg => pkg.pkgid === `${pkgData.pkg}@${pkgData.ver}` && pkg.existing?.startsWith(pkgData.pkg))
-          if (pkg?.existing) {
-            for await (const oldPkgData of batchScan([pkg.existing])) {
-              if (oldPkgData.type === 'success') {
-                failures = failures.filter(
-                  issue => oldPkgData.value.issues.find(oldIssue => oldIssue.type === issue.type) == null
-                )
+        } else {
+          for (const failure of pkgData.value.issues) {
+            const ux = await uxLookup({ package: { name, version }, issue: { type: failure.type } })
+            if (ux.display || ux.block) {
+              failures.push({ raw: failure, block: ux.block })
+              // before we ask about problematic issues, check to see if they already existed in the old version
+              // if they did, be quiet
+              const pkg = pkgs.find(pkg => pkg.pkgid === `${pkgData.pkg}@${pkgData.ver}` && pkg.existing?.startsWith(pkgData.pkg + '@'))
+              if (pkg?.existing) {
+                for await (const oldPkgData of batchScan([pkg.existing])) {
+                  if (oldPkgData.type === 'success') {
+                    failures = failures.filter(
+                      issue => oldPkgData.value.issues.find(oldIssue => oldIssue.type === issue.raw.type) == null
+                    )
+                  }
+                }
               }
             }
+            if (ux.block) {
+              failed = true
+              blocked = true
+            }
+            if (ux.display) {
+              displayWarning = true
+            }
           }
         }
-        if (failures.length) {
-          failed = true
-          spinner?.stop()
+        if (!blocked) {
+          const pkg = pkgs.find(pkg => pkg.pkgid === `${pkgData.pkg}@${pkgData.ver}`)
+          if (pkg) {
+            pacote.tarball.stream(pkg.pkgid, (stream) => {
+              stream.resume()
+              // @ts-ignore pacote does a naughty
+              return stream.promise()
+            }, { ...safeArb[kCtorArgs][0] })
+          }
+        }
+        if (displayWarning) {
           translations ??= JSON.parse(fs.readFileSync(path.join(__dirname, '/translations.json'), 'utf-8'))
           formatter ??= new ((await chalkMarkdownPromise).ChalkOrMarkdown)(false)
-          const name = pkgData.pkg
-          const version = pkgData.ver
-          output.write(`(socket) ${formatter.hyperlink(`${name}@${version}`, `https://socket.dev/npm/package/${name}/overview/${version}`)} contains risks:\n`)
-          if (translations) {
-            for (const failure of failures) {
-              const type = failure.type
-              if (type) {
-                // @ts-ignore
-                const issueTypeTranslation = translations.issues[type]
-                // TODO: emoji seems to misalign terminals sometimes
-                // @ts-ignore
-                const msg = `  ${issueTypeTranslation.title} - ${issueTypeTranslation.description}\n`
-                output.write(msg)
-              }
+          spinner?.stop()
+          output?.write(`(socket) ${formatter.hyperlink(`${name}@${version}`, `https://socket.dev/npm/package/${name}/overview/${version}`)} contains risks:\n`)
+          const lines = new Set()
+          for (const failure of failures.sort((a, b) => a.raw.type < b.raw.type ? -1 : 1)) {
+            const type = failure.raw.type
+            if (type) {
+              // @ts-ignore
+              const issueTypeTranslation = translations.issues[type]
+              // TODO: emoji seems to misalign terminals sometimes
+              // @ts-ignore
+              lines.add(`  ${issueTypeTranslation?.title ?? type}${failure.block ? '' : ' (non-blocking)'} - ${issueTypeTranslation?.description ?? ''}\n`)
             }
           }
+          for (const line of lines) {
+            output?.write(line)
+          }
           spinner?.start()
-        } else {
-          // TODO: have pacote/cacache download non-problematic files while waiting
         }
         remaining--
         if (remaining !== 0) {
@@ -459,195 +602,3 @@ async function packagesHaveRiskyIssues (registry, pkgs, ora = null, input, outpu
     return false
   }
 }
-
-/**
- * @param {import('chalk')['default']['level']} colorLevel
- * @returns {Promise<{ captureTTY<RET extends any>(mutexFn: (input: Readable | null, output: Writable, colorLevel: import('chalk')['default']['level']) => Promise<RET>): Promise<RET> }>}
- */
-async function createTTYServer (colorLevel) {
-  const TTY_IPC = process.env.SOCKET_SECURITY_TTY_IPC
-  const net = require('net')
-  /**
-   * @type {import('readline')}
-   */
-  let readline
-  const isSTDINInteractive = (await isInteractivePromise).default({
-    stream: process.stdin
-  })
-  if (!isSTDINInteractive && TTY_IPC) {
-    return {
-      async captureTTY (mutexFn) {
-        return new Promise((resolve, reject) => {
-          const conn = net.createConnection({
-            path: TTY_IPC
-          }).on('error', reject)
-          let captured = false
-          const bufs = []
-          conn.on('data', function awaitCapture (chunk) {
-            bufs.push(chunk)
-            const lineBuff = Buffer.concat(bufs)
-            try {
-              if (!captured) {
-                const EOL = lineBuff.indexOf('\n'.charCodeAt(0))
-                if (EOL !== -1) {
-                  conn.removeListener('data', awaitCapture)
-                  conn.push(lineBuff.slice(EOL + 1))
-                  lineBuff = null
-                  captured = true
-                  const {
-                    ipc_version: remote_ipc_version,
-                    capabilities: { input: hasInput, output: hasOutput, colorLevel: ipcColorLevel }
-                  } = JSON.parse(lineBuff.slice(0, EOL).toString('utf-8'))
-                  if (remote_ipc_version !== ipc_version) {
-                    throw new Error('Mismatched STDIO tunnel IPC version, ensure you only have 1 version of socket CLI being called.')
-                  }
-                  const input = hasInput ? new PassThrough() : null
-                  input.pause()
-                  conn.pipe(input)
-                  const output = hasOutput ? new PassThrough() : null
-                  output.pipe(conn)
-                  // make ora happy
-                  // @ts-ignore
-                  output.isTTY = true
-                  // @ts-ignore
-                  output.cursorTo = function cursorTo (x, y, callback) {
-                    readline = readline || require('readline')
-                    readline.cursorTo(this, x, y, callback)
-                  }
-                  // @ts-ignore
-                  output.clearLine = function clearLine (dir, callback) {
-                    readline = readline || require('readline')
-                    readline.clearLine(this, dir, callback)
-                  }
-                  mutexFn(hasInput ? input : null, hasOutput ? output : null, ipcColorLevel)
-                    .then(resolve, reject)
-                    .finally(() => {
-                      conn.unref()
-                      conn.end()
-                      input.end()
-                      output.end()
-                      // process.exit(13)
-                    })
-                }
-              }
-            } catch (e) {
-              reject(e)
-            }
-          })
-        })
-      }
-    }
-  }
-  const pendingCaptures = []
-  let captured = false
-  const sock = path.join(require('os').tmpdir(), `socket-security-tty-${process.pid}.sock`)
-  process.env.SOCKET_SECURITY_TTY_IPC = sock
-  try {
-    await require('fs/promises').unlink(sock)
-  } catch (e) {
-    if (e.code !== 'ENOENT') {
-      throw e
-    }
-  }
-  process.on('exit', () => {
-    ttyServer.close()
-    try {
-      require('fs').unlinkSync(sock)
-    } catch (e) {
-      if (e.code !== 'ENOENT') {
-        throw e
-      }
-    }
-  })
-  const input = isSTDINInteractive ? process.stdin : null
-  const output = process.stderr
-  const ttyServer = await new Promise((resolve, reject) => {
-    const server = net.createServer(async (conn) => {
-      if (captured) {
-        const captured = new Promise((resolve) => {
-          pendingCaptures.push({
-            resolve
-          })
-        })
-        await captured
-      } else {
-        captured = true
-      }
-      const wasProgressEnabled = npmlog.progressEnabled
-      npmlog.pause()
-      if (wasProgressEnabled) {
-        npmlog.disableProgress()
-      }
-      conn.write(`${JSON.stringify({
-        ipc_version,
-        capabilities: {
-          input: Boolean(input),
-          output: true,
-          colorLevel
-        }
-      })}\n`)
-      conn.on('data', (data) => {
-        output.write(data)
-      })
-      conn.on('error', (e) => {
-        output.write(`there was an error prompting from a subshell (${e.message}), socket npm closing`)
-        process.exit(1)
-      })
-      input.on('data', (data) => {
-        conn.write(data)
-      })
-      input.on('end', () => {
-        conn.unref()
-        conn.end()
-        if (wasProgressEnabled) {
-          npmlog.enableProgress()
-        }
-        npmlog.resume()
-        nextCapture()
-      })
-    }).listen(sock, (err) => {
-      if (err) reject(err)
-      else resolve(server)
-    }).unref()
-  })
-  /**
-   *
-   */
-  function nextCapture () {
-    if (pendingCaptures.length > 0) {
-      const nextCapture = pendingCaptures.shift()
-      nextCapture.resolve()
-    } else {
-      captured = false
-    }
-  }
-  return {
-    async captureTTY (mutexFn) {
-      if (captured) {
-        const captured = new Promise((resolve) => {
-          pendingCaptures.push({
-            resolve
-          })
-        })
-        await captured
-      } else {
-        captured = true
-      }
-      const wasProgressEnabled = npmlog.progressEnabled
-      try {
-        npmlog.pause()
-        if (wasProgressEnabled) {
-          npmlog.disableProgress()
-        }
-        // need await here for proper finally timing
-        return await mutexFn(input, output, colorLevel)
-      } finally {
-        if (wasProgressEnabled) {
-          npmlog.enableProgress()
-        }
-        npmlog.resume()
-        nextCapture()
-      }
-    }
-  }
-}