Merge branch 'main' into rama-integration-beta

2026-05-26 12:10:49 +00:00 · 2026-05-04 12:40:20 +02:00 · 2026-05-04 12:40:20 +02:00 · 64a825f43a
commit 64a825f43a
parent c5d6413795 bf2bf24343
130 changed files with 6144 additions and 2494 deletions
--- a/install-scripts/install-safe-chain.sh
+++ b/install-scripts/install-safe-chain.sh
@ -6,9 +6,53 @@

 set -e  # Exit on error

+# Validates a user-provided install dir and exits on unsafe values.
+# Rejects relative paths, root paths, PATH separators, and traversal segments.
+validate_install_dir() {
+    dir="$1"
+
+    if [ -z "$dir" ]; then
+        return 0
+    fi
+
+    case "$dir" in
+        /*) ;;
+        *)
+            printf '[ERROR] --install-dir must be an absolute path, got: %s\n' "$dir" >&2
+            exit 1
+            ;;
+    esac
+
+    case "$dir" in
+        *:*)
+            printf '[ERROR] --install-dir must not contain the PATH separator (:)\n' >&2
+            exit 1
+            ;;
+    esac
+
+    if [ "$dir" = "/" ]; then
+        printf '[ERROR] --install-dir cannot be a root or drive-root directory\n' >&2
+        exit 1
+    fi
+
+    old_ifs=$IFS
+    IFS='/'
+    set -- $dir
+    IFS=$old_ifs
+
+    for segment in "$@"; do
+        if [ "$segment" = ".." ]; then
+            printf '[ERROR] --install-dir must not contain path traversal segments\n' >&2
+            exit 1
+        fi
+    done
+}
+
 # Configuration
 VERSION="${SAFE_CHAIN_VERSION:-}"  # Will be fetched from latest release if not set
-INSTALL_DIR="${HOME}/.safe-chain/bin"
+SAFE_CHAIN_BASE="${HOME}/.safe-chain"
+
+INSTALL_DIR="${SAFE_CHAIN_BASE}/bin"
 REPO_URL="https://github.com/AikidoSec/safe-chain"

 # Colors for output
@ -126,6 +170,75 @@ download() {
    fi
 }

+# Prints the deprecation warning for SAFE_CHAIN_VERSION and the replacement install command.
+# Returns immediately when no version was pinned through the environment.
+warn_deprecated_version_env() {
+    if [ -z "$SAFE_CHAIN_VERSION" ]; then
+        return
+    fi
+
+    warn "SAFE_CHAIN_VERSION environment variable is deprecated."
+    warn ""
+    warn "Please use direct download URLs for version pinning instead:"
+    warn ""
+    if [ "$USE_CI_SETUP" = "true" ]; then
+        warn "  curl -fsSL https://github.com/AikidoSec/safe-chain/releases/download/${SAFE_CHAIN_VERSION}/install-safe-chain.sh | sh -s -- --ci"
+    else
+        warn "  curl -fsSL https://github.com/AikidoSec/safe-chain/releases/download/${SAFE_CHAIN_VERSION}/install-safe-chain.sh | sh"
+    fi
+    warn ""
+}
+
+# Ensures VERSION is populated before installation continues.
+# Fetches the latest release only when no explicit version was provided.
+ensure_version() {
+    if [ -n "$VERSION" ]; then
+        return
+    fi
+
+    info "Fetching latest release version..."
+    VERSION=$(fetch_latest_version)
+}
+
+# Constructs platform-specific binary filename to match GitHub release asset naming convention.
+get_binary_name() {
+    os="$1"
+    arch="$2"
+
+    if [ "$os" = "win" ]; then
+        printf 'safe-chain-%s-%s.exe\n' "$os" "$arch"
+    else
+        printf 'safe-chain-%s-%s\n' "$os" "$arch"
+    fi
+}
+
+# Returns the final installation path for the downloaded safe-chain binary.
+# Uses INSTALL_DIR and the platform-specific executable name.
+get_final_binary_path() {
+    os="$1"
+
+    if [ "$os" = "win" ]; then
+        printf '%s/safe-chain.exe\n' "$INSTALL_DIR"
+    else
+        printf '%s/safe-chain\n' "$INSTALL_DIR"
+    fi
+}
+
+run_setup_command() {
+    final_file="$1"
+
+    setup_cmd="setup"
+    if [ "$USE_CI_SETUP" = "true" ]; then
+        setup_cmd="setup-ci"
+    fi
+
+    info "Running safe-chain $setup_cmd..."
+    if ! "$final_file" "$setup_cmd"; then
+        warn "safe-chain was installed but setup encountered issues."
+        warn "You can run 'safe-chain $setup_cmd' manually later."
+    fi
+}
+
 # Check and uninstall npm global package if present
 remove_npm_installation() {
    if ! command_exists npm; then
@ -229,11 +342,27 @@ remove_nvm_installation() {

 # Parse command-line arguments
 parse_arguments() {
-    for arg in "$@"; do
-        case "$arg" in
+    while [ $# -gt 0 ]; do
+        case "$1" in
            --ci)
                USE_CI_SETUP=true
                ;;
+            --install-dir)
+                shift
+                if [ $# -eq 0 ]; then
+                    error "Missing value for --install-dir"
+                fi
+                if [ -z "$1" ]; then
+                    error "--install-dir must not be empty"
+                fi
+                SAFE_CHAIN_BASE="$1"
+                ;;
+            --install-dir=*)
+                SAFE_CHAIN_BASE="${1#--install-dir=}"
+                if [ -z "$SAFE_CHAIN_BASE" ]; then
+                    error "--install-dir must not be empty"
+                fi
+                ;;
            --include-python)
                warn "--include-python is deprecated and ignored. Python ecosystem is now included by default."
                ;;
@ -241,10 +370,14 @@ parse_arguments() {
                USE_RAMA_PROXY=true
                ;;
            *)
-                error "Unknown argument: $arg"
+                error "Unknown argument: $1"
                ;;
        esac
+        shift
    done
+
+    validate_install_dir "${SAFE_CHAIN_BASE}"
+    INSTALL_DIR="${SAFE_CHAIN_BASE}/bin"
 }

 # Main installation
@ -256,25 +389,9 @@ main() {
    # Parse command-line arguments
    parse_arguments "$@"

-    # Show deprecation warning if SAFE_CHAIN_VERSION is set
-    if [ -n "$SAFE_CHAIN_VERSION" ]; then
-        warn "SAFE_CHAIN_VERSION environment variable is deprecated."
-        warn ""
-        warn "Please use direct download URLs for version pinning instead:"
-        warn ""
-        if [ "$USE_CI_SETUP" = "true" ]; then
-            warn "  curl -fsSL https://github.com/AikidoSec/safe-chain/releases/download/${SAFE_CHAIN_VERSION}/install-safe-chain.sh | sh -s -- --ci"
-        else
-            warn "  curl -fsSL https://github.com/AikidoSec/safe-chain/releases/download/${SAFE_CHAIN_VERSION}/install-safe-chain.sh | sh"
-        fi
-        warn ""
-    fi
+    warn_deprecated_version_env

-    # Fetch latest version if VERSION is not set
-    if [ -z "$VERSION" ]; then
-        info "Fetching latest release version..."
-        VERSION=$(fetch_latest_version)
-    fi
+    ensure_version

    # Check if the requested version is already installed
    if is_version_installed "$VERSION"; then
@ -298,11 +415,7 @@ main() {
    # Detect platform
    OS=$(detect_os)
    ARCH=$(detect_arch)
-    if [ "$OS" = "win" ]; then
-        BINARY_NAME="safe-chain-${OS}-${ARCH}.exe"
-    else
-        BINARY_NAME="safe-chain-${OS}-${ARCH}"
-    fi
+    BINARY_NAME=$(get_binary_name "$OS" "$ARCH")

    info "Detected platform: ${OS}-${ARCH}"

@ -320,11 +433,7 @@ main() {
    download "$DOWNLOAD_URL" "$TEMP_FILE"

    # Rename and make executable
-    if [ "$OS" = "win" ]; then
-        FINAL_FILE="${INSTALL_DIR}/safe-chain.exe"
-    else
-        FINAL_FILE="${INSTALL_DIR}/safe-chain"
-    fi
+    FINAL_FILE=$(get_final_binary_path "$OS")
    mv "$TEMP_FILE" "$FINAL_FILE" || error "Failed to move binary to $FINAL_FILE"
    if [ "$OS" != "win" ]; then
        chmod +x "$FINAL_FILE" || error "Failed to make binary executable"
@ -359,20 +468,7 @@ main() {
        fi
    fi

-    # Build setup command based on arguments
-    SETUP_CMD="setup"
-    SETUP_ARGS=""
-
-    if [ "$USE_CI_SETUP" = "true" ]; then
-        SETUP_CMD="setup-ci"
-    fi
-
-    # Execute safe-chain setup
-    info "Running safe-chain $SETUP_CMD $SETUP_ARGS..."
-    if ! "$FINAL_FILE" $SETUP_CMD $SETUP_ARGS; then
-        warn "safe-chain was installed but setup encountered issues."
-        warn "You can run 'safe-chain $SETUP_CMD $SETUP_ARGS' manually later."
-    fi
+    run_setup_command "$FINAL_FILE"
 }

 main "$@"