Add extra check

This commit is contained in:
Reinier Criel 2026-03-19 15:58:42 -07:00
parent cddcec9ba5
commit 2f4268f1af
10 changed files with 298 additions and 12 deletions


@ -1,15 +1,18 @@
import {
getNpmCustomRegistries,
getNpmMinimumPackageAgeExclusions,
skipMinimumPackageAge,
} from "../../../config/settings.js";
import { isMalwarePackage } from "../../../scanning/audit/index.js";
import { interceptRequests } from "../interceptorBuilder.js";
import {
isPackageInfoUrl,
matchesExclusionPattern,
modifyNpmInfoRequestHeaders,
modifyNpmInfoResponse,
} from "./modifyNpmInfo.js";
import { parseNpmPackageUrl } from "./parseNpmPackageUrl.js";
import { openNewPackagesDatabase } from "../../../scanning/newPackagesDatabase.js";
const knownJsRegistries = [
"registry.npmjs.org",
@ -46,11 +49,34 @@ function buildNpmInterceptor(registry) {
if (await isMalwarePackage(packageName, version)) {
reqContext.blockMalware(packageName, version);
return;
}
if (!skipMinimumPackageAge() && isPackageInfoUrl(reqContext.targetUrl)) {
reqContext.modifyRequestHeaders(modifyNpmInfoRequestHeaders);
reqContext.modifyBody(modifyNpmInfoResponse);
return;
}
// For tarball requests the metadata check above is skipped, so we check the
// new packages list as a fallback (covers e.g. frozen-lockfile installs).
if (!skipMinimumPackageAge() && packageName && version) {
const exclusions = getNpmMinimumPackageAgeExclusions();
const isExcluded = exclusions.some((pattern) =>
matchesExclusionPattern(packageName, pattern)
);
if (!isExcluded) {
const newPackagesDatabase = await openNewPackagesDatabase();
if (newPackagesDatabase.isNewlyReleasedPackage(packageName, version)) {
reqContext.blockMinimumAgeRequest(
packageName,
version,
`Forbidden - blocked by safe-chain minimum package age (${packageName}@${version})`
);
}
}
}
});
}
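Review bot: The tarball fallback at `const newPackagesDatabase = await openNewPackagesDatabase();` has no defined behaviour when the database cannot be opened or is not yet populated; an exception there escapes the handler and, depending on what interceptRequests does with a rejected handler (not visible in this hunk), the minimum-age check may silently fail open for exactly the frozen-lockfile installs the comment says it is meant to cover. Either catch it and make the policy explicit, or at least record it: `// NOTE: if openNewPackagesDatabase() rejects, this check is skipped — confirm this matches the metadata-path behaviour`. The same call is awaited on every tarball request that reaches this branch; if the open is not cached inside openNewPackagesDatabase, that is a per-request I/O cost worth hoisting or memoising. Minor: `skipMinimumPackageAge()` is evaluated twice in a row (L34 and L41); reading it once into a const before the first `if` reads more clearly. buildNpmInterceptor starts outside the hunk.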