Implement modification of request headerrs

2026-05-26 12:10:49 +00:00 · 2025-11-07 16:16:37 +01:00 · 2025-11-07 16:16:37 +01:00 · 3bf7279195
commit 3bf7279195
parent 76a1100b8c
3 changed files with 84 additions and 16 deletions
--- a/packages/safe-chain/src/registryProxy/interceptors/npmInterceptor.js
+++ b/packages/safe-chain/src/registryProxy/interceptors/npmInterceptor.js
@ -1,3 +1,4 @@
+import chalk from "chalk";
 import { isMalwarePackage } from "../../scanning/audit/index.js";
 import { createInterceptorBuilder } from "./interceptorBuilder.js";

@ -32,6 +33,15 @@ function buildNpmInterceptor(registry) {
    if (await isMalwarePackage(packageName, version)) {
      req.blockMalware(packageName, version, req.targetUrl);
    }
+
+    req.modifyRequestHeaders((headers) => {
+      if (headers["accept"]?.includes("application/vnd.npm.install-v1+json")) {
+        // The npm registry sometimes serves a more compact format that lacks
+        // the time metadata we need to filter out too new packages.
+        // Force the registry to return the full metadata by changing the Accept header.
+        headers["accept"] = "application/json";
+      }
+    });
  });

  return builder.build();
--- a/packages/safe-chain/src/registryProxy/interceptors/requestInterceptorBuilder.js
+++ b/packages/safe-chain/src/registryProxy/interceptors/requestInterceptorBuilder.js
@ -3,10 +3,13 @@
 * @property {string} targetUrl
 * @property {(statusCode: number, message: string) => void} blockRequest
 * @property {(packageName: string | undefined, version: string | undefined, url: string) => void} blockMalware
+ * @property {(modificationFunc: (headers: NodeJS.Dict<string | string[]>) => void) => void} modifyRequestHeaders
 * @property {() => RequestInterceptor} build
 *
 * @typedef {Object} RequestInterceptor
 * @property {{statusCode: number, message: string} | undefined} blockResponse
+ * @property {(headers: NodeJS.Dict<string | string[]> | undefined) => void} modifyRequestHeaders
+ * @property {() => boolean} modifiesResponse
 */

 /**
@ -18,6 +21,15 @@ export function createRequestInterceptorBuilder(targetUrl, eventEmitter) {
  /** @type {{statusCode: number, message: string} | undefined}  */
  let blockResponse = undefined;

+  /**
+   * @type {{
+   *   requestHeaders: Array<(headers: NodeJS.Dict<string | string[]>) => void>
+   * }}
+   */
+  let modificationFuncs = {
+    requestHeaders: [],
+  };
+
  /**
   * @param {number} statusCode
   * @param {string} message
@ -47,10 +59,43 @@ export function createRequestInterceptorBuilder(targetUrl, eventEmitter) {
    targetUrl,
    blockRequest,
    blockMalware,
+    modifyRequestHeaders(modificationFunc) {
+      modificationFuncs.requestHeaders.push(modificationFunc);
+    },
    build() {
-      return {
+      return createRequestInterceptor(
        blockResponse,
-      };
+        modificationFuncs.requestHeaders
+      );
    },
  };
 }
+
+/**
+ * @param {{statusCode: number, message: string} | undefined} blockResponse
+ * @param {Array<(headers: NodeJS.Dict<string | string[]>) => void>} requestHeadersModficationFuncs
+ * @returns {RequestInterceptor}
+ */
+function createRequestInterceptor(
+  blockResponse,
+  requestHeadersModficationFuncs
+) {
+  /**
+   * @param {NodeJS.Dict<string | string[]> | undefined} headers
+   */
+  function modifyRequestHeaders(headers) {
+    if (!headers) {
+      return;
+    }
+
+    for (const modificationFunc of requestHeadersModficationFuncs) {
+      modificationFunc(headers);
+    }
+  }
+
+  function modifiesResponse() {
+    return false;
+  }
+
+  return { blockResponse, modifyRequestHeaders, modifiesResponse };
+}