milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 20:20:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Do not add list of trusted hosts, is security risk

Browse source
This commit is contained in:
Reinier Criel 2025-11-11 14:28:31 -08:00
parent 9b102412af
commit 6a94271a10
1 changed files with 1 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

8
packages/safe-chain/src/packagemanager/pip/runPipCommand.js
View file

@ -25,18 +25,13 @@ export async function runPip(command, args) {
env.SSL_CERT_FILE = combinedCaPath;
// To counter behavior that is sometimes seen where pip ignores REQUESTS_CA_BUNDLE/SSL_CERT_FILE,
// 1. Set additional env vars for pip
// 2. Create a pip config file that specifies the cert and trusted hosts
// We will set additional env vars for pip
env.PIP_CERT = combinedCaPath;
// Create a temporary pip config file
const tmpDir = os.tmpdir();
const pipConfigPath = path.join(tmpDir, `safe-chain-pip-${Date.now()}.ini`);
// Trusted hosts: use knownPipRegistries from parsePackageFromUrl
const trustedHosts = Array.from(new Set(knownPipRegistries));
// Proxy settings
const httpProxy = env.HTTP_PROXY || '';
const httpsProxy = env.HTTPS_PROXY || '';
@ -46,7 +41,6 @@ export async function runPip(command, args) {
pipConfig += `cert = ${combinedCaPath}\n`;
if (httpProxy) pipConfig += `proxy = ${httpProxy}\n`;
if (httpsProxy) pipConfig += `proxy = ${httpsProxy}\n`;
if (trustedHosts.length) pipConfig += `trusted-host = ${trustedHosts.join(' ')}\n`;
await fs.writeFile(pipConfigPath, pipConfig);
env.PIP_CONFIG_FILE = pipConfigPath;