diff --git a/packages/safe-chain/src/registryProxy/certBundle.js b/packages/safe-chain/src/registryProxy/certBundle.js index 956279d..9b0c7bf 100644 --- a/packages/safe-chain/src/registryProxy/certBundle.js +++ b/packages/safe-chain/src/registryProxy/certBundle.js @@ -6,6 +6,7 @@ import certifi from "certifi"; import tls from "node:tls"; import { X509Certificate } from "node:crypto"; import { getCaCertPath } from "./certUtils.js"; +import { ui } from "../environment/userInteraction.js"; /** * Check if a PEM string contains only parsable cert blocks. @@ -93,3 +94,68 @@ export function getCombinedCaBundlePath() { cachedPath = target; return cachedPath; } + +/** + * Read user certificate file. + * @param {string} certPath - Path to certificate file + * @returns {string | null} Certificate PEM content or null if invalid/unreadable + */ +function readUserCertificateFile(certPath) { + try { + // Validate path is a string and not attempting path traversal + if (typeof certPath !== "string" || certPath.includes("..") || certPath.startsWith("/")) { + return null; + } + + if (!fs.existsSync(certPath)) { + return null; + } + + const certPathAbsolute = path.resolve(certPath); + // Verify it's an absolute path (cross-platform) + if (!path.isAbsolute(certPathAbsolute)) { + return null; + } + + const content = fs.readFileSync(certPathAbsolute, "utf8"); + return content && isParsable(content) ? content : null; + } catch { + return null; + } +} + +/** + * Combine user's existing NODE_EXTRA_CA_CERTS with Safe Chain's CA certificate. + * If user has NODE_EXTRA_CA_CERTS set, it's merged with Safe Chain CA. + * + * @param {string | undefined} userCertPath - User's existing NODE_EXTRA_CA_CERTS path (if any) + * @returns {string} Path to the final CA bundle + */ +export function getCombinedCaBundlePathWithUserCerts(userCertPath) { + const parts = []; + + // 1) Add Safe Chain CA (for MITM'd registries) + const safeChainPath = getCaCertPath(); + try { + const safeChainPem = fs.readFileSync(safeChainPath, "utf8"); + if (isParsable(safeChainPem)) parts.push(safeChainPem.trim()); + } catch { + // Ignore if Safe Chain CA is not available + } + + // 2) Add user's certificates if provided + if (userCertPath) { + const userPem = readUserCertificateFile(userCertPath); + if (userPem) { + parts.push(userPem.trim()); + ui.writeWarning(`Safe-chain: Merging user's NODE_EXTRA_CA_CERTS from ${userCertPath}`); + } else { + ui.writeWarning(`Safe-chain: Could not read or parse user's NODE_EXTRA_CA_CERTS from ${userCertPath}`); + } + } + + const finalCombined = parts.filter(Boolean).join("\n"); + const target = path.join(os.tmpdir(), `safe-chain-ca-bundle-${Date.now()}.pem`); + fs.writeFileSync(target, finalCombined, { encoding: "utf8" }); + return target; +} diff --git a/packages/safe-chain/src/registryProxy/registryProxy.js b/packages/safe-chain/src/registryProxy/registryProxy.js index 6f11207..ae7a47e 100644 --- a/packages/safe-chain/src/registryProxy/registryProxy.js +++ b/packages/safe-chain/src/registryProxy/registryProxy.js @@ -2,7 +2,7 @@ import * as http from "http"; import { tunnelRequest } from "./tunnelRequestHandler.js"; import { mitmConnect } from "./mitmRequestHandler.js"; import { handleHttpProxyRequest } from "./plainHttpProxy.js"; -import { getCaCertPath } from "./certUtils.js"; +import { getCombinedCaBundlePathWithUserCerts } from "./certBundle.js"; import { ui } from "../environment/userInteraction.js"; import chalk from "chalk"; import { createInterceptorForUrl } from "./interceptors/createInterceptorForEcoSystem.js"; @@ -37,10 +37,13 @@ function getSafeChainProxyEnvironmentVariables() { } const proxyUrl = `http://localhost:${state.port}`; + const userNodeExtraCaCerts = process.env.NODE_EXTRA_CA_CERTS; + const caCertPath = getCombinedCaBundlePathWithUserCerts(userNodeExtraCaCerts); + return { HTTPS_PROXY: proxyUrl, GLOBAL_AGENT_HTTP_PROXY: proxyUrl, - NODE_EXTRA_CA_CERTS: getCaCertPath(), + NODE_EXTRA_CA_CERTS: caCertPath, }; }