Only allow wildcards for scoped packages (@scope/*)

This commit is contained in:
Sander Declerck 2026-01-15 15:13:00 +01:00
parent 884cb6e026
commit 6c814ff82f
No known key found for this signature in database
3 changed files with 4 additions and 30 deletions


@ -214,16 +214,16 @@ You can set the minimum package age through multiple sources (in order of priori
### Excluding Packages ### Excluding Packages
Exclude trusted packages from minimum age filtering via environment variable or config file (both are merged). Supports wildcard patterns with trailing `*`: Exclude trusted packages from minimum age filtering via environment variable or config file (both are merged). Use `@scope/*` to trust all packages from an organization:
```shell ```shell
export SAFE_CHAIN_NPM_MINIMUM_PACKAGE_AGE_EXCLUSIONS="@aikidosec/*,react-*,lodash" export SAFE_CHAIN_NPM_MINIMUM_PACKAGE_AGE_EXCLUSIONS="@aikidosec/*"
``` ```
```json ```json
{ {
"npm": { "npm": {
"minimumPackageAgeExclusions": ["@aikidosec/*", "react-*", "lodash"] "minimumPackageAgeExclusions": ["@aikidosec/*"]
} }
} }
``` ```


@ -196,7 +196,7 @@ export function getHasSuppressedVersions() {
* @returns {boolean} * @returns {boolean}
*/ */
function matchesExclusionPattern(packageName, pattern) { function matchesExclusionPattern(packageName, pattern) {
if (pattern.endsWith("*")) { if (pattern.endsWith("/*")) {
return packageName.startsWith(pattern.slice(0, -1)); return packageName.startsWith(pattern.slice(0, -1));
} }
return packageName === pattern; return packageName === pattern;
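Review bot: The new guard `pattern.endsWith("/*")` on the if line accepts any pattern ending in `/*`, not only the `@scope/*` form named in the commit title, and every other trailing-`*` pattern (such as the previously documented `react-*`) now silently falls through to the exact-name comparison on the last line and never matches a real package name. Failing closed here means the age filter is applied rather than bypassed, which is the safe direction, but a user carrying an older exclusion list gets no signal that an entry stopped working; a warning where the exclusions are loaded would make the narrowed contract visible. If the intent is strictly scopes, tightening the guard to `if (pattern.startsWith("@") && pattern.endsWith("/*")) {` makes the code match the title. The JSDoc above the hunk should also state the new contract, e.g. `@param {string} pattern - Exact package name, or "@scope/*" to match every package in a scope; any other "*" is compared literally`. The function's JSDoc header and closing brace lie outside the hunk.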


@ -509,32 +509,6 @@ describe("npmInterceptor minimum package age", async () => {
assert.ok(Object.keys(modifiedJson.versions).includes("2.0.0")); assert.ok(Object.keys(modifiedJson.versions).includes("2.0.0"));
}); });
it("Should exclude packages matching wildcard pattern prefix-*", async () => {
minimumPackageAgeSettings = 5;
skipMinimumPackageAgeSetting = false;
minimumPackageAgeExclusionsSetting = ["react-*"];
const packageUrl = "https://registry.npmjs.org/react-dom";
const originalBody = JSON.stringify({
name: "react-dom",
["dist-tags"]: { latest: "18.0.0" },
versions: { ["17.0.0"]: {}, ["18.0.0"]: {} },
time: {
created: getDate(-365 * 24),
modified: getDate(-1),
["17.0.0"]: getDate(-100),
["18.0.0"]: getDate(-1), // Would normally be filtered
},
});
const modifiedBody = await runModifyNpmInfoRequest(packageUrl, originalBody);
const modifiedJson = JSON.parse(modifiedBody);
// All versions should remain since react-* matches react-dom
assert.equal(Object.keys(modifiedJson.versions).length, 2);
});
it("Should NOT exclude packages that don't match wildcard pattern", async () => { it("Should NOT exclude packages that don't match wildcard pattern", async () => {
minimumPackageAgeSettings = 5; minimumPackageAgeSettings = 5;
skipMinimumPackageAgeSetting = false; skipMinimumPackageAgeSetting = false;