milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Some small tweaks

Browse source
This commit is contained in:
Reinier Criel 2025-12-04 13:13:39 -08:00
parent 73a0cdf547
commit 70fd3d719b
3 changed files with 33 additions and 47 deletions
Download patch file Download diff file Expand all files Collapse all files

20
package-lock.json generated
View file

@ -11,7 +11,11 @@
"packages/*", "packages/*",
"test/e2e" "test/e2e"
], ],
"dependencies": {
"proxy-from-env": "^1.1.0"
},
"devDependencies": { "devDependencies": {
"@types/proxy-from-env": "^1.0.4",
"@yao-pkg/pkg": "6.10.1", "@yao-pkg/pkg": "6.10.1",
"esbuild": "^0.27.0", "esbuild": "^0.27.0",
"oxlint": "^1.22.0" "oxlint": "^1.22.0"
@ -822,6 +826,16 @@
"@types/node": "*" "@types/node": "*"
} }
}, },
"node_modules/@types/proxy-from-env": {
"version": "1.0.4",
"resolved": "https://registry.npmjs.org/@types/proxy-from-env/-/proxy-from-env-1.0.4.tgz",
"integrity": "sha512-TPR9/bCZAr3V1eHN4G3LD3OLicdJjqX1QRXWuNcCYgE66f/K8jO2ZRtHxI2D9MbnuUP6+qiKSS8eUHp6TFHGCw==",
"dev": true,
"license": "MIT",
"dependencies": {
"@types/node": "*"
}
},
"node_modules/@types/retry": { "node_modules/@types/retry": {
"version": "0.12.5", "version": "0.12.5",
"resolved": "https://registry.npmjs.org/@types/retry/-/retry-0.12.5.tgz", "resolved": "https://registry.npmjs.org/@types/retry/-/retry-0.12.5.tgz",
@ -2542,6 +2556,12 @@
"node": ">=10" "node": ">=10"
} }
}, },
"node_modules/proxy-from-env": {
"version": "1.1.0",
"resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
"integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==",
"license": "MIT"
},
"node_modules/pump": { "node_modules/pump": {
"version": "3.0.3", "version": "3.0.3",
"resolved": "https://registry.npmjs.org/pump/-/pump-3.0.3.tgz", "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.3.tgz",

8
package.json
View file

@ -19,8 +19,12 @@
"author": "Aikido Security", "author": "Aikido Security",
"license": "AGPL-3.0-or-later", "license": "AGPL-3.0-or-later",
"devDependencies": { "devDependencies": {
"oxlint": "^1.22.0", "@types/proxy-from-env": "^1.0.4",
"@yao-pkg/pkg": "6.10.1",
"esbuild": "^0.27.0", "esbuild": "^0.27.0",
"@yao-pkg/pkg": "6.10.1" "oxlint": "^1.22.0"
},
"dependencies": {
"proxy-from-env": "^1.1.0"
} }
} }

52
packages/safe-chain/src/registryProxy/tunnelRequestHandler.js
View file

@ -1,4 +1,5 @@
import * as net from "net"; import * as net from "net";
import { getProxyForUrl } from "proxy-from-env";
import { ui } from "../environment/userInteraction.js"; import { ui } from "../environment/userInteraction.js";
/** /**
@ -9,21 +10,13 @@ import { ui } from "../environment/userInteraction.js";
* @returns {void} * @returns {void}
*/ */
export function tunnelRequest(req, clientSocket, head) { export function tunnelRequest(req, clientSocket, head) {
const httpsProxy = process.env.HTTPS_PROXY || process.env.https_proxy; // req.url in a CONNECT request is usually "hostname:port"
const noProxy = process.env.NO_PROXY || process.env.no_proxy; // We assume HTTPS for CONNECT requests to ensure we check HTTPS_PROXY
const proxyUrl = getProxyForUrl(`https://${req.url}`);
if (httpsProxy && !shouldBypassProxy(req.url, noProxy)) { if (proxyUrl) {
// If an HTTPS proxy is set, tunnel the request via the proxy // If a proxy is returned, it means we should use it (NO_PROXY check passed)
// This is the system proxy, not the safe-chain proxy tunnelRequestViaProxy(req, clientSocket, head, proxyUrl);
// The package manager will run via the safe-chain proxy
// The safe-chain proxy will then send the request to the system proxy
// Typical flow: package manager -> safe-chain proxy -> system proxy -> destination
// There are 2 processes involved in this:
// 1. Safe-chain process: has HTTPS_PROXY set to system proxy
// 2. Package manager process: has HTTPS_PROXY set to safe-chain proxy
tunnelRequestViaProxy(req, clientSocket, head, httpsProxy);
} else { } else {
tunnelRequestToDestination(req, clientSocket, head); tunnelRequestToDestination(req, clientSocket, head);
} }
@ -156,35 +149,4 @@ function tunnelRequestViaProxy(req, clientSocket, head, proxyUrl) {
}); });
} }
/**
* @param {string | undefined} url
* @param {string | undefined} noProxy
* @returns {boolean}
*/
function shouldBypassProxy(url, noProxy) {
if (!url || !noProxy) {
return false;
}
if (noProxy === "*") {
return true;
}
try {
const { hostname } = new URL(`http://${url}`);
const noProxyList = noProxy.split(",").map((s) => s.trim().toLowerCase());
return noProxyList.some((noProxyItem) => {
if (!noProxyItem) return false;
if (noProxyItem === hostname) return true;
// Handle domain matching (e.g. .example.com matches sub.example.com)
if (noProxyItem.startsWith(".") && hostname.endsWith(noProxyItem))
return true;
// Handle implicit domain matching (e.g. example.com matches sub.example.com)
if (hostname.endsWith(`.${noProxyItem}`)) return true;
return false;
});
} catch {
return false;
}
}