Some more improvements

Reinier Criel 2025-12-03 09:54:25 -08:00
parent cfedb6df99
commit 11bd3a2b91


@ -8,6 +8,9 @@ const knownPipRegistries = [
"pythonhosted.org",
];
// Pattern for sdist extensions
const sdistExtWithMetadataRe = /\.(tar\.gz|zip|tar\.bz2|tar\.xz)(\.metadata)?$/i;
/**
* @param {string} url
* @returns {import("./interceptorBuilder.js").Interceptor | undefined}
@ -33,7 +36,8 @@ function buildPipInterceptor(registry) {
registry
);
// Normalize underscores to hyphens for DB matching, as PyPI allows underscores in distribution names
// Normalize underscores to hyphens for DB matching, as PyPI allows underscores in distribution names.
// Per python, packages that differ only by hyphen vs underscore are considered the same.
const hyphenName = packageName?.includes("_") ? packageName.replace(/_/g, "-") : packageName;
const isMalicious = await isMalwarePackage(packageName, version)
@ -102,9 +106,9 @@ function parsePipPackageFromUrl(url, registry) {
}
// Source dist (sdist) and potential metadata sidecars (e.g., .tar.gz.metadata)
const sdistExtMatch = filename.match(/\.(tar\.gz|zip|tar\.bz2|tar\.xz)(\.metadata)?$/i);
const sdistExtMatch = filename.match(sdistExtWithMetadataRe);
if (sdistExtMatch) {
const base = filename.replace(/\.(tar\.gz|zip|tar\.bz2|tar\.xz)(\.metadata)?$/i, "");
const base = filename.replace(sdistExtWithMetadataRe, "");
const lastDash = base.lastIndexOf("-");
if (lastDash > 0 && lastDash < base.length - 1) {
packageName = base.slice(0, lastDash);
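Review bot: The `hyphenName` normalization in the second hunk (`buildPipInterceptor`) handles only underscores, while PyPI name normalization (PEP 503) also lowercases the name and treats any run of `-`, `_` and `.` as a single separator, so an equivalent spelling that differs by case or dots could miss the malware-database match. Assuming the database keys are stored in normalized form, `const hyphenName = packageName?.replace(/[-_.]+/g, "-").toLowerCase();` would cover every equivalent spelling, and the new comment could name the normalization rule instead of "Per python". The `isMalwarePackage(packageName, version)` expression continues past the end of the hunk and the function body starts and ends outside it, so how `hyphenName` is consumed, and whether `parsePipPackageFromUrl` already lowercases the name, cannot be confirmed from here.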