more cleanup
This commit is contained in:
parent
fbb7e0f95f
commit
982da4aa77
4 changed files with 6 additions and 29 deletions
@ -11,8 +11,6 @@ let targetVersionMajor;
|
||||||
// Copy argv so we can mutate while parsing
|
// Copy argv so we can mutate while parsing
|
||||||
const argv = process.argv.slice(2);
|
const argv = process.argv.slice(2);
|
||||||
|
|
||||||
console.log("** aikido-pip ** Original arguments:", process.argv.slice(2));
|
|
||||||
|
|
||||||
for (let i = 0; i < argv.length; i++) {
|
for (let i = 0; i < argv.length; i++) {
|
||||||
const a = argv[i];
|
const a = argv[i];
|
||||||
|
|
||||||
|
|
|
||||||
|
|
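--- a/PATH-NOT-SHOWN/createPipPackageManager.js
+++ b/PATH-NOT-SHOWN/createPipPackageManager.js
@@ -19,7 +19,6 @@ export function createPipPackageManager(command = "pip") {
 
 async function runPipCommand(command, args) {
 try {
-console.log("**createPipPackageManager.js** Running pip command");
 const result = await safeSpawn(command, args, {
 stdio: "inherit",
 env: mergeSafeChainProxyEnvironmentVariables(process.env),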
@ -1,40 +1,30 @@
|
||||||
import { parse } from "semver";
|
import { parse } from "semver";
|
||||||
|
|
||||||
export const knownNpmRegistries = ["registry.npmjs.org"];
|
export const knownJsRegistries = ["registry.npmjs.org","registry.yarnpkg.com"];
|
||||||
export const knownYarnRegistries = ["registry.yarnpkg.com"];
|
|
||||||
export const knownPipRegistries = ["files.pythonhosted.org", "pypi.org", "pypi.python.org", "pythonhosted.org"];
|
export const knownPipRegistries = ["files.pythonhosted.org", "pypi.org", "pypi.python.org", "pythonhosted.org"];
|
||||||
|
|
||||||
export function parsePackageFromUrl(url) {
|
export function parsePackageFromUrl(url) {
|
||||||
let registry;
|
let registry;
|
||||||
|
|
||||||
for (const knownRegistry of knownNpmRegistries) {
|
for (const knownRegistry of knownJsRegistries) {
|
||||||
if (url.includes(knownRegistry)) {
|
if (url.includes(knownRegistry)) {
|
||||||
registry = knownRegistry;
|
registry = knownRegistry;
|
||||||
return parseNpmYarnPackageFromUrl(url, registry);
|
return parseJsPackageFromUrl(url, registry);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for (const knownRegistry of knownPipRegistries) {
|
for (const knownRegistry of knownPipRegistries) {
|
||||||
console.log("**parsePackageFromUrl.js** Checking pip registry:", knownRegistry);
|
|
||||||
if (url.includes(knownRegistry)) {
|
if (url.includes(knownRegistry)) {
|
||||||
console.log("**parsePackageFromUrl.js** Matched pip registry:", knownRegistry);
|
|
||||||
registry = knownRegistry;
|
registry = knownRegistry;
|
||||||
return parsePipPackageFromUrl(url, registry);
|
return parsePipPackageFromUrl(url, registry);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for (const knownRegistry of knownYarnRegistries) {
|
|
||||||
if (url.includes(knownRegistry)) {
|
|
||||||
registry = knownRegistry;
|
|
||||||
return parseNpmYarnPackageFromUrl(url, registry);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// If no known registry matched, return { packageName: undefined, version: undefined }
|
// If no known registry matched, return { packageName: undefined, version: undefined }
|
||||||
return { packageName: undefined, version: undefined };
|
return { packageName: undefined, version: undefined };
|
||||||
}
|
}
|
||||||
|
|
||||||
function parseNpmYarnPackageFromUrl(url, registry) {
|
function parseJsPackageFromUrl(url, registry) {
|
||||||
let packageName, version;
|
let packageName, version;
|
||||||
if (!registry || !url.endsWith(".tgz")) {
|
if (!registry || !url.endsWith(".tgz")) {
|
||||||
return { packageName, version };
|
return { packageName, version };
|
||||||
|
|
@ -70,7 +60,6 @@ function parseNpmYarnPackageFromUrl(url, registry) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
console.log("**parsePackageFromUrl.js** Parsed package:", { packageName, version });
|
|
||||||
return { packageName, version };
|
return { packageName, version };
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -79,7 +68,6 @@ function parsePipPackageFromUrl(url, registry) {
|
||||||
|
|
||||||
// Basic validation
|
// Basic validation
|
||||||
if (!registry || typeof url !== "string") {
|
if (!registry || typeof url !== "string") {
|
||||||
console.log("**parsePackageFromUrl.js** Invalid registry or URL");
|
|
||||||
return { packageName, version};
|
return { packageName, version};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -88,14 +76,12 @@ function parsePipPackageFromUrl(url, registry) {
|
||||||
try {
|
try {
|
||||||
u = new URL(url);
|
u = new URL(url);
|
||||||
} catch {
|
} catch {
|
||||||
console.log("**parsePackageFromUrl.js** Malformed URL:", url);
|
|
||||||
return { packageName, version};
|
return { packageName, version};
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get the last path segment (filename) and decode it (strip query & fragment automatically)
|
// Get the last path segment (filename) and decode it (strip query & fragment automatically)
|
||||||
const lastSegment = u.pathname.split("/").filter(Boolean).pop();
|
const lastSegment = u.pathname.split("/").filter(Boolean).pop();
|
||||||
if (!lastSegment){
|
if (!lastSegment){
|
||||||
console.log("**parsePackageFromUrl.js** No filename in URL path:", url);
|
|
||||||
return { packageName, version};
|
return { packageName, version};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -115,7 +101,6 @@ function parsePipPackageFromUrl(url, registry) {
|
||||||
if (version === "latest" || !packageName || !version) {
|
if (version === "latest" || !packageName || !version) {
|
||||||
return { packageName: undefined, version: undefined };
|
return { packageName: undefined, version: undefined };
|
||||||
}
|
}
|
||||||
console.log("**parsePackageFromUrl.js** Parsed package:", { packageName, version });
|
|
||||||
return { packageName, version };
|
return { packageName, version };
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -131,12 +116,10 @@ function parsePipPackageFromUrl(url, registry) {
|
||||||
if (version === "latest" || !packageName || !version) {
|
if (version === "latest" || !packageName || !version) {
|
||||||
return { packageName: undefined, version: undefined };
|
return { packageName: undefined, version: undefined };
|
||||||
}
|
}
|
||||||
console.log("**parsePackageFromUrl.js** Parsed package:", { packageName, version });
|
|
||||||
return { packageName, version };
|
return { packageName, version };
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Unknown file type or invalid
|
// Unknown file type or invalid
|
||||||
console.log("**parsePackageFromUrl.js** Unknown file type for URL:", url);
|
|
||||||
return { packageName: undefined, version: undefined };
|
return { packageName: undefined, version: undefined };
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
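Review bot: The consolidated `for (const knownRegistry of knownJsRegistries)` loop in parsePackageFromUrl still selects a registry with `url.includes(knownRegistry)`, a substring test over the whole URL, so a URL whose hostname is not a known registry but that merely contains the registry name in a longer hostname or in the path is still handed to parseJsPackageFromUrl; the knownPipRegistries loop below it uses the same test. Since parsePipPackageFromUrl already does `u = new URL(url)` inside a try/catch, that parse could move up into parsePackageFromUrl and the match become `if (new URL(url).hostname === knownRegistry)` (or an `endsWith("." + knownRegistry)` variant if subdomain mirrors must match), with malformed URLs falling through to the existing undefined result. A point of style in the same hunk: `registry` is now only ever assigned the loop variable, so `let registry;` and `registry = knownRegistry;` can be dropped and both calls can pass `knownRegistry` directly. parseJsPackageFromUrl and parsePipPackageFromUrl continue outside the hunks shown here.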
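--- a/PATH-NOT-SHOWN/registryProxy.js
+++ b/PATH-NOT-SHOWN/registryProxy.js
@@ -4,7 +4,7 @@ import { mitmConnect } from "./mitmRequestHandler.js";
 import { handleHttpProxyRequest } from "./plainHttpProxy.js";
 import { getCaCertPath } from "./certUtils.js";
 import { auditChanges } from "../scanning/audit/index.js";
-import { knownNpmRegistries, knownYarnRegistries, knownPipRegistries, parsePackageFromUrl } from "./parsePackageFromUrl.js";
+import { knownJsRegistries, knownPipRegistries, parsePackageFromUrl } from "./parsePackageFromUrl.js";
 import { ui } from "../environment/userInteraction.js";
 import chalk from "chalk";
 
@@ -109,8 +109,7 @@ function handleConnect(req, clientSocket, head) {
 // It establishes a tunnel to the server identified by the request URL
 
 console.log("**registryProxy.js** Handling CONNECT request for:", req.url);
-if ((knownNpmRegistries.some((reg) => req.url.includes(reg)))
+if ((knownJsRegistries.some((reg) => req.url.includes(reg)))
-|| (knownYarnRegistries.some((reg) => req.url.includes(reg)))
 || (knownPipRegistries.some((reg) => req.url.includes(reg)))) {
 mitmConnect(req, clientSocket, isAllowedUrl);
 } else {
@@ -125,7 +124,6 @@ async function isAllowedUrl(url) {
 // packageName and version are undefined when the URL is not a package download
 // In that case, we can allow the request to proceed
 if (!packageName || !version) {
-console.log("**registryProxy.js** Non-package URL, allowing:", url);
 return true;
 }
 
@@ -134,7 +132,6 @@ async function isAllowedUrl(url) {
 ]);
 
 if (!auditResult.isAllowed) {
-console.log("**registryProxy.js** Blocking malicious package:", { packageName, version, url });
 state.blockedRequests.push({ packageName, version, url });
 return false;
 }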
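Review bot: `console.log("**registryProxy.js** Handling CONNECT request for:", req.url);` in the handleConnect hunk is kept on the new side while every other `**file**` debug line touched by this commit is removed, so the proxy still prints every CONNECT target to stdout; dropping that line as well would complete the cleanup. The "Blocking malicious package" log removed in the last hunk loses nothing, since the same `{ packageName, version, url }` is still pushed to `state.blockedRequests` on the next line. handleConnect and isAllowedUrl both begin and end outside their hunks.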