Some fixes

This commit is contained in:
Reinier Criel 2025-10-24 13:47:22 -07:00
parent 6b2db6dace
commit 9914c0ccb3
5 changed files with 11 additions and 19 deletions


@ -15,7 +15,7 @@ Aikido Safe Chain works on Node.js version 18 and above and supports the followi
- ✅ **pnpx** - ✅ **pnpx**
- ✅ **bun** - ✅ **bun**
- ✅ **bunx** - ✅ **bunx**
- ✅ **pip** (pip and pip3) - ✅ **pip**
# Usage # Usage
@ -39,7 +39,7 @@ Installing the Aikido Safe Chain is easy. You just need 3 simple steps:
``` ```
- The output should show that Aikido Safe Chain is blocking the installation of this package as it is flagged as malware. - The output should show that Aikido Safe Chain is blocking the installation of this package as it is flagged as malware.
When running `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, or `pip` (including `pip3`) commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. If any malware is detected, it will prompt you to exit the command. When running `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, or `pip` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. If any malware is detected, it will prompt you to exit the command.
You can check the installed version by running: You can check the installed version by running:
```shell ```shell
@ -60,7 +60,7 @@ The Aikido Safe Chain integrates with your shell to provide a seamless experienc
More information about the shell integration can be found in the [shell integration documentation](docs/shell-integration.md). More information about the shell integration can be found in the [shell integration documentation](docs/shell-integration.md).
### Python / pip support ### Python support
- Supports `pip` and `pip3` commands. - Supports `pip` and `pip3` commands.
- Scans Python packages fetched by `pip install`, `pip download`, and `pip wheel`. - Scans Python packages fetched by `pip install`, `pip download`, and `pip wheel`.


@ -7,10 +7,6 @@ import {
pipWheelCommand, pipWheelCommand,
} from "./utils/pipCommands.js"; } from "./utils/pipCommands.js";
/**
* Creates a package manager
* @param {string} [command="pip"] - The pip command to use (e.g., "pip", "pip3") defaults to "pip"
*/
export function createPipPackageManager(command = "pip") { export function createPipPackageManager(command = "pip") {
function isSupportedCommand(args) { function isSupportedCommand(args) {
const scanner = findDependencyScannerForCommand( const scanner = findDependencyScannerForCommand(


@ -101,8 +101,7 @@ function isPipOptionWithParameter(arg) {
} }
function parsePipSpec(spec) { function parsePipSpec(spec) {
// Ignore obvious URLs and paths // Ignore obvious URLs and paths, rely on mitm scanner
// These cannot be scanned from the malware database
const lower = spec.toLowerCase(); const lower = spec.toLowerCase();
if ( if (
lower.startsWith("git+") || lower.startsWith("git+") ||
@ -116,7 +115,7 @@ function parsePipSpec(spec) {
spec.startsWith("../") || spec.startsWith("../") ||
spec.startsWith("/") spec.startsWith("/")
) { ) {
return { name: spec, version: "latest" }; return null;
} }
// Strip extras: package[extra1,extra2] // Strip extras: package[extra1,extra2]
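Review bot: The new `return null` in the VCS/URL/path branch changes parsePipSpec's return contract, but nothing documents it, so every caller now has to know to drop null entries; a JSDoc above `function parsePipSpec(spec)` such as `@returns {{name: string, version: string} | null} null for VCS/URL/path specs that cannot be looked up by package name` would make that explicit. The rewritten comment "rely on mitm scanner" also overstates what the fallback covers: the `file:`, `./`, `../` and `/` branches visible in this hunk are read from local disk and never cross the network, so an interception-based scanner presumably never sees them, and a reader should not assume they are scanned elsewhere. A more precise wording would be `// Skip VCS/URL/path specs: the malware DB is keyed by package name. Network fetches are still covered by the mitm scanner; local-path installs are not scanned at this layer.`. parsePipSpec's body continues outside the hunk, and the caller that must handle null is not shown here.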


@ -40,9 +40,8 @@ describe("parsePackagesFromInstallArgs", () => {
]); ]);
}); });
it("should parse multiple constraints", () => { it("should skip ranges", () => {
const result = parsePackagesFromInstallArgs(["install", "requests>=2,<3"]); const result = parsePackagesFromInstallArgs(["install", "requests>=2,<3"]);
// Range specifiers should be skipped since they don't provide exact versions
assert.deepEqual(result, []); assert.deepEqual(result, []);
}); });
@ -69,7 +68,7 @@ describe("parsePackagesFromInstallArgs", () => {
]); ]);
}); });
it("should treat VCS/URL/path specs as names (no version)", () => { it("should skip VCS/URL/path)", () => {
const result = parsePackagesFromInstallArgs([ const result = parsePackagesFromInstallArgs([
"install", "install",
"git+https://github.com/pallets/flask.git", "git+https://github.com/pallets/flask.git",
@ -77,12 +76,7 @@ describe("parsePackagesFromInstallArgs", () => {
"file:/tmp/pkg.whl", "file:/tmp/pkg.whl",
"./localpkg", "./localpkg",
]); ]);
assert.deepEqual(result, [ assert.deepEqual(result, []);
{ name: "git+https://github.com/pallets/flask.git", version: "latest", type: "add" },
{ name: "https://files.pythonhosted.org/packages/foo/bar.whl", version: "latest", type: "add" },
{ name: "file:/tmp/pkg.whl", version: "latest", type: "add" },
{ name: "./localpkg", version: "latest", type: "add" },
]);
}); });
it("should return empty array for no packages", () => { it("should return empty array for no packages", () => {
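Review bot: The renamed title on the `it("should skip VCS/URL/path)"` line has a stray closing parenthesis and no noun; `it("should skip VCS/URL/path specs", () => {` reads cleanly. Renaming `"should parse multiple constraints"` to `"should skip ranges"` also drops the comment that explained why `requests>=2,<3` yields `[]`; keeping one line such as `// Range specifiers carry no exact version, so they are not looked up` preserves the rationale for the next reader. Because the four spec kinds (git+, https, file:, relative path) are asserted together as `[]`, a regression in just one branch would not be distinguishable from the assertion alone; separate `it` blocks or one assertion per spec would pinpoint which branch broke.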


@ -147,6 +147,9 @@ function sendHttpsRequestThroughTunnel(socket, verb, url) {
{ {
socket: socket, socket: socket,
servername: url.hostname, servername: url.hostname,
// Tests should focus on tunnel behavior, not system CA state;
// disable CA verification to avoid flakiness on machines without full roots.
rejectUnauthorized: false,
}, },
() => { () => {
tlsSocket.write( tlsSocket.write(
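Review bot: `rejectUnauthorized: false` switches off certificate validation for the whole TLS session instead of trusting the test's own CA, so a tunnel that presents the wrong certificate, or an intercepting one, would still pass these tests, and if this helper is reachable from anything other than tests that is a live downgrade. Pinning the expected issuer keeps the check independent of the system store without disabling it: replace `rejectUnauthorized: false,` with `ca: [TEST_CA_PEM], // constructed placeholder: PEM of the CA the tunnel certificate chains to`. If the tests deliberately use a self-signed server certificate, the same `ca` option accepts that certificate's own PEM, which avoids the "machines without full roots" flakiness the comment describes. sendHttpsRequestThroughTunnel starts and ends outside the hunk, so the origin of the socket and URL is not visible here.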