milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 20:20:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'origin/main' into bug/win32-command-parsing

Browse source
This commit is contained in:
Reinier Criel 2026-01-12 12:55:55 -08:00
commit a43c28fdec
18 changed files with 1295 additions and 424 deletions
Download patch file Download diff file Expand all files Collapse all files

26
packages/safe-chain/src/config/configFile.js
View file

@ -11,6 +11,7 @@ import { getEcoSystem } from "./settings.js";
* @property {unknown | Number} scanTimeout
* @property {unknown | Number} minimumPackageAgeHours
* @property {unknown | SafeChainRegistryConfiguration} npm
* @property {unknown | SafeChainRegistryConfiguration} pip
*
* @typedef {Object} SafeChainRegistryConfiguration
* We cannot trust the input and should add the necessary validations.
@ -104,6 +105,28 @@ export function getNpmCustomRegistries() {
return customRegistries.filter((item) => typeof item === "string");
}
/**
* Gets the custom npm registries from the config file (format parsing only, no validation)
* @returns {string[]}
*/
export function getPipCustomRegistries() {
const config = readConfigFile();
if (!config || !config.pip) {
return [];
}
// TypeScript needs help understanding that config.pip exists and has customRegistries
const pipConfig = /** @type {SafeChainRegistryConfiguration} */ (config.pip);
const customRegistries = pipConfig.customRegistries;
if (!Array.isArray(customRegistries)) {
return [];
}
return customRegistries.filter((item) => typeof item === "string");
}
/**
* @param {import("../api/aikido.js").MalwarePackage[]} data
* @param {string | number} version
@ -169,6 +192,9 @@ function readConfigFile() {
npm: {
customRegistries: undefined,
},
pip: {
customRegistries: undefined,
},
};
const configFilePath = getConfigFilePath();

156
packages/safe-chain/src/config/configFile.spec.js
View file

@ -232,91 +232,105 @@ describe("getMinimumPackageAgeHours", async () => {
});
});
describe("getNpmCustomRegistries", async () => {
const { getNpmCustomRegistries } = await import("./configFile.js");
const { getNpmCustomRegistries, getPipCustomRegistries } = await import(
"./configFile.js"
);
afterEach(() => {
configFileContent = undefined;
});
it("should return empty array when config file doesn't exist", () => {
configFileContent = undefined;
const registries = getNpmCustomRegistries();
assert.deepStrictEqual(registries, []);
});
it("should return empty array when npm config is not set", () => {
configFileContent = JSON.stringify({ scanTimeout: 5000 });
const registries = getNpmCustomRegistries();
assert.deepStrictEqual(registries, []);
});
it("should return empty array when customRegistries is not an array", () => {
configFileContent = JSON.stringify({
npm: { customRegistries: "not-an-array" },
for (const { packageManager, getCustomRegistries } of [
{
packageManager: "npm",
getCustomRegistries: getNpmCustomRegistries,
},
{
packageManager: "pip",
getCustomRegistries: getPipCustomRegistries,
},
])
{
describe(getCustomRegistries.name, async () => {
afterEach(() => {
configFileContent = undefined;
});
const registries = getNpmCustomRegistries();
it("should return empty array when config file doesn't exist", () => {
configFileContent = undefined;
assert.deepStrictEqual(registries, []);
});
const registries = getCustomRegistries();
it("should return array of custom registries when set", () => {
configFileContent = JSON.stringify({
npm: {
customRegistries: ["npm.company.com", "registry.internal.net"],
},
assert.deepStrictEqual(registries, []);
});
const registries = getNpmCustomRegistries();
it(`should return empty array when ${packageManager} config is not set`, () => {
configFileContent = JSON.stringify({ scanTimeout: 5000 });
assert.deepStrictEqual(registries, [
"npm.company.com",
"registry.internal.net",
]);
});
const registries = getCustomRegistries();
it("should filter out non-string values", () => {
configFileContent = JSON.stringify({
npm: {
customRegistries: [
"npm.company.com",
123,
null,
"registry.internal.net",
undefined,
{},
],
},
assert.deepStrictEqual(registries, []);
});
const registries = getNpmCustomRegistries();
it("should return empty array when customRegistries is not an array", () => {
configFileContent = JSON.stringify({
[packageManager]: { customRegistries: "not-an-array" },
});
assert.deepStrictEqual(registries, [
"npm.company.com",
"registry.internal.net",
]);
});
const registries = getCustomRegistries();
it("should return empty array for empty customRegistries array", () => {
configFileContent = JSON.stringify({
npm: { customRegistries: [] },
assert.deepStrictEqual(registries, []);
});
const registries = getNpmCustomRegistries();
it("should return array of custom registries when set", () => {
configFileContent = JSON.stringify({
[packageManager]: {
customRegistries: [`${packageManager}.company.com`, "registry.internal.net"],
},
});
assert.deepStrictEqual(registries, []);
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, [
`${packageManager}.company.com`,
"registry.internal.net",
]);
});
it("should filter out non-string values", () => {
configFileContent = JSON.stringify({
[packageManager]: {
customRegistries: [
`${packageManager}.company.com`,
123,
null,
"registry.internal.net",
undefined,
{},
],
},
});
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, [
`${packageManager}.company.com`,
"registry.internal.net",
]);
});
it("should return empty array for empty customRegistries array", () => {
configFileContent = JSON.stringify({
[packageManager]: { customRegistries: [] },
});
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, []);
});
it("should handle malformed JSON and return empty array", () => {
configFileContent = "{ invalid json";
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, []);
});
});
it("should handle malformed JSON and return empty array", () => {
configFileContent = "{ invalid json";
const registries = getNpmCustomRegistries();
assert.deepStrictEqual(registries, []);
});
});
}

19
packages/safe-chain/src/config/environmentVariables.js
View file

@ -15,3 +15,22 @@ export function getMinimumPackageAgeHours() {
export function getNpmCustomRegistries() {
return process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
}
/**
* Gets the custom pip registries from environment variable
* Expected format: comma-separated list of registry domains
* Example: "pip.company.com,registry.internal.net"
* @returns {string | undefined}
*/
export function getPipCustomRegistries() {
return process.env.SAFE_CHAIN_PIP_CUSTOM_REGISTRIES;
}
/**
* Gets the logging level from environment variable
* Valid values: "silent", "normal", "verbose"
* @returns {string | undefined}
*/
export function getLoggingLevel() {
return process.env.SAFE_CHAIN_LOGGING;
}

36
packages/safe-chain/src/config/settings.js
View file

@ -7,14 +7,20 @@ export const LOGGING_NORMAL = "normal";
export const LOGGING_VERBOSE = "verbose";
export function getLoggingLevel() {
const level = cliArguments.getLoggingLevel();
if (level === LOGGING_SILENT) {
return LOGGING_SILENT;
// Priority 1: CLI argument
const cliLevel = cliArguments.getLoggingLevel();
if (cliLevel === LOGGING_SILENT || cliLevel === LOGGING_VERBOSE) {
return cliLevel;
}
if (cliLevel) {
// CLI arg was set but invalid, default to normal for backwards compatibility.
return LOGGING_NORMAL;
}
if (level === LOGGING_VERBOSE) {
return LOGGING_VERBOSE;
// Priority 2: Environment variable
const envLevel = environmentVariables.getLoggingLevel()?.toLowerCase();
if (envLevel === LOGGING_SILENT || envLevel === LOGGING_VERBOSE) {
return envLevel;
}
return LOGGING_NORMAL;
@ -143,3 +149,21 @@ export function getNpmCustomRegistries() {
// Normalize each registry (remove protocol if any)
return uniqueRegistries.map(normalizeRegistry);
}
/**
* Gets the custom npm registries from both environment variable and config file (merged)
* @returns {string[]}
*/
export function getPipCustomRegistries() {
const envRegistries = parseRegistriesFromEnv(
environmentVariables.getPipCustomRegistries()
);
const configRegistries = configFile.getPipCustomRegistries();
// Merge both sources and remove duplicates
const allRegistries = [...envRegistries, ...configRegistries];
const uniqueRegistries = [...new Set(allRegistries)];
// Normalize each registry (remove protocol if any)
return uniqueRegistries.map(normalizeRegistry);
}

498
packages/safe-chain/src/config/settings.spec.js
View file

@ -11,239 +11,357 @@ mock.module("fs", {
},
});
describe("getNpmCustomRegistries", async () => {
const {
getNpmCustomRegistries,
getPipCustomRegistries,
getLoggingLevel,
LOGGING_SILENT,
LOGGING_NORMAL,
LOGGING_VERBOSE,
} = await import("./settings.js");
const { initializeCliArguments } = await import("./cliArguments.js");
for (const { packageManager, getCustomRegistries, envVarName } of [
{
packageManager: "npm",
getCustomRegistries: getNpmCustomRegistries,
envVarName: "SAFE_CHAIN_NPM_CUSTOM_REGISTRIES",
},
{
packageManager: "pip",
getCustomRegistries: getPipCustomRegistries,
envVarName: "SAFE_CHAIN_PIP_CUSTOM_REGISTRIES",
},
]) {
describe(getCustomRegistries.name, async () => {
let originalEnv;
beforeEach(() => {
originalEnv = process.env[envVarName];
});
afterEach(() => {
if (originalEnv !== undefined) {
process.env[envVarName] = originalEnv;
} else {
delete process.env[envVarName];
}
configFileContent = undefined;
});
it("should return empty array when no registries configured", () => {
configFileContent = undefined;
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, []);
});
it("should return registries without protocol", () => {
configFileContent = JSON.stringify({
[packageManager]: {
customRegistries: [
`${packageManager}.company.com`,
"registry.internal.net",
],
},
});
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, [
`${packageManager}.company.com`,
"registry.internal.net",
]);
});
it("should strip https:// protocol from registries", () => {
configFileContent = JSON.stringify({
[packageManager]: {
customRegistries: [
`https://${packageManager}.company.com`,
"https://registry.internal.net",
],
},
});
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, [
`${packageManager}.company.com`,
"registry.internal.net",
]);
});
it("should strip http:// protocol from registries", () => {
configFileContent = JSON.stringify({
[packageManager]: {
customRegistries: [
`http://${packageManager}.company.com`,
"http://registry.internal.net",
],
},
});
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, [
`${packageManager}.company.com`,
"registry.internal.net",
]);
});
it("should handle mixed protocols and no protocol", () => {
configFileContent = JSON.stringify({
[packageManager]: {
customRegistries: [
`https://${packageManager}.company.com`,
"registry.internal.net",
"http://private.registry.io",
],
},
});
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, [
`${packageManager}.company.com`,
"registry.internal.net",
"private.registry.io",
]);
});
it("should preserve registry path after stripping protocol", () => {
configFileContent = JSON.stringify({
[packageManager]: {
customRegistries: [
`https://${packageManager}.company.com/custom/path`,
`registry.internal.net/${packageManager}`,
],
},
});
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, [
`${packageManager}.company.com/custom/path`,
`registry.internal.net/${packageManager}`,
]);
});
it("should parse comma-separated registries from environment variable", () => {
delete process.env[envVarName];
process.env[envVarName] = "env1.registry.com,env2.registry.net";
configFileContent = undefined;
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, [
"env1.registry.com",
"env2.registry.net",
]);
});
it("should trim whitespace from environment variable registries", () => {
delete process.env[envVarName];
process.env[envVarName] = " env1.registry.com , env2.registry.net ";
configFileContent = undefined;
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, [
"env1.registry.com",
"env2.registry.net",
]);
});
it("should merge environment variable and config file registries", () => {
delete process.env[envVarName];
process.env[envVarName] = "env1.registry.com";
configFileContent = JSON.stringify({
[packageManager]: {
customRegistries: ["config1.registry.net"],
},
});
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, [
"env1.registry.com",
"config1.registry.net",
]);
});
it("should remove duplicate registries when merging env and config", () => {
delete process.env[envVarName];
process.env[
envVarName
] = `${packageManager}.company.com,env.registry.com`;
configFileContent = JSON.stringify({
[packageManager]: {
customRegistries: [
`${packageManager}.company.com`,
"config.registry.net",
],
},
});
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, [
`${packageManager}.company.com`,
"env.registry.com",
"config.registry.net",
]);
});
it("should normalize protocols from environment variable registries", () => {
delete process.env[envVarName];
process.env[envVarName] =
"https://env1.registry.com,http://env2.registry.net";
configFileContent = undefined;
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, [
"env1.registry.com",
"env2.registry.net",
]);
});
it("should handle empty strings in comma-separated list", () => {
delete process.env[envVarName];
process.env[envVarName] = "env1.registry.com,,env2.registry.net,";
configFileContent = undefined;
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, [
"env1.registry.com",
"env2.registry.net",
]);
});
it("should handle single registry in environment variable", () => {
delete process.env[envVarName];
process.env[envVarName] = "single.registry.com";
configFileContent = undefined;
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, ["single.registry.com"]);
});
it("should return empty array for empty environment variable", () => {
delete process.env[envVarName];
process.env[envVarName] = "";
configFileContent = undefined;
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, []);
});
it("should return empty array for whitespace-only environment variable", () => {
delete process.env[envVarName];
process.env[envVarName] = " , , ";
configFileContent = undefined;
const registries = getCustomRegistries();
assert.deepStrictEqual(registries, []);
});
});
}
describe("getLoggingLevel", () => {
let originalEnv;
const { getNpmCustomRegistries } = await import("./settings.js");
beforeEach(() => {
originalEnv = process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
originalEnv = process.env.SAFE_CHAIN_LOGGING;
delete process.env.SAFE_CHAIN_LOGGING;
// Reset CLI arguments state
initializeCliArguments([]);
});
afterEach(() => {
if (originalEnv !== undefined) {
process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = originalEnv;
process.env.SAFE_CHAIN_LOGGING = originalEnv;
} else {
delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
delete process.env.SAFE_CHAIN_LOGGING;
}
configFileContent = undefined;
});
it("should return empty array when no registries configured", () => {
configFileContent = undefined;
it("should return normal by default when nothing is configured", () => {
const level = getLoggingLevel();
const registries = getNpmCustomRegistries();
assert.deepStrictEqual(registries, []);
assert.strictEqual(level, LOGGING_NORMAL);
});
it("should return registries without protocol", () => {
configFileContent = JSON.stringify({
npm: {
customRegistries: ["npm.company.com", "registry.internal.net"],
},
});
it("should return silent from environment variable", () => {
process.env.SAFE_CHAIN_LOGGING = "silent";
const registries = getNpmCustomRegistries();
const level = getLoggingLevel();
assert.deepStrictEqual(registries, [
"npm.company.com",
"registry.internal.net",
]);
assert.strictEqual(level, LOGGING_SILENT);
});
it("should strip https:// protocol from registries", () => {
configFileContent = JSON.stringify({
npm: {
customRegistries: [
"https://npm.company.com",
"https://registry.internal.net",
],
},
});
it("should return verbose from environment variable", () => {
process.env.SAFE_CHAIN_LOGGING = "verbose";
const registries = getNpmCustomRegistries();
const level = getLoggingLevel();
assert.deepStrictEqual(registries, [
"npm.company.com",
"registry.internal.net",
]);
assert.strictEqual(level, LOGGING_VERBOSE);
});
it("should strip http:// protocol from registries", () => {
configFileContent = JSON.stringify({
npm: {
customRegistries: [
"http://npm.company.com",
"http://registry.internal.net",
],
},
});
it("should handle uppercase environment variable values", () => {
process.env.SAFE_CHAIN_LOGGING = "VERBOSE";
const registries = getNpmCustomRegistries();
const level = getLoggingLevel();
assert.deepStrictEqual(registries, [
"npm.company.com",
"registry.internal.net",
]);
assert.strictEqual(level, LOGGING_VERBOSE);
});
it("should handle mixed protocols and no protocol", () => {
configFileContent = JSON.stringify({
npm: {
customRegistries: [
"https://npm.company.com",
"registry.internal.net",
"http://private.registry.io",
],
},
});
it("should handle mixed case environment variable values", () => {
process.env.SAFE_CHAIN_LOGGING = "Silent";
const registries = getNpmCustomRegistries();
const level = getLoggingLevel();
assert.deepStrictEqual(registries, [
"npm.company.com",
"registry.internal.net",
"private.registry.io",
]);
assert.strictEqual(level, LOGGING_SILENT);
});
it("should preserve registry path after stripping protocol", () => {
configFileContent = JSON.stringify({
npm: {
customRegistries: [
"https://npm.company.com/custom/path",
"registry.internal.net/npm",
],
},
});
it("should return normal for invalid environment variable values", () => {
process.env.SAFE_CHAIN_LOGGING = "invalid";
const registries = getNpmCustomRegistries();
const level = getLoggingLevel();
assert.deepStrictEqual(registries, [
"npm.company.com/custom/path",
"registry.internal.net/npm",
]);
assert.strictEqual(level, LOGGING_NORMAL);
});
it("should parse comma-separated registries from environment variable", () => {
delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES =
"env1.registry.com,env2.registry.net";
configFileContent = undefined;
it("should prioritize CLI argument over environment variable", () => {
process.env.SAFE_CHAIN_LOGGING = "verbose";
initializeCliArguments(["--safe-chain-logging=silent"]);
const registries = getNpmCustomRegistries();
const level = getLoggingLevel();
assert.deepStrictEqual(registries, [
"env1.registry.com",
"env2.registry.net",
]);
assert.strictEqual(level, LOGGING_SILENT);
});
it("should trim whitespace from environment variable registries", () => {
delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES =
" env1.registry.com , env2.registry.net ";
configFileContent = undefined;
it("should use environment variable when CLI argument is not set", () => {
process.env.SAFE_CHAIN_LOGGING = "silent";
initializeCliArguments(["install", "express"]);
const registries = getNpmCustomRegistries();
const level = getLoggingLevel();
assert.deepStrictEqual(registries, [
"env1.registry.com",
"env2.registry.net",
]);
assert.strictEqual(level, LOGGING_SILENT);
});
it("should merge environment variable and config file registries", () => {
delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = "env1.registry.com";
configFileContent = JSON.stringify({
npm: {
customRegistries: ["config1.registry.net"],
},
});
it("should return normal when CLI argument is invalid (even if env var is valid)", () => {
process.env.SAFE_CHAIN_LOGGING = "verbose";
initializeCliArguments(["--safe-chain-logging=invalid"]);
const registries = getNpmCustomRegistries();
const level = getLoggingLevel();
assert.deepStrictEqual(registries, [
"env1.registry.com",
"config1.registry.net",
]);
});
it("should remove duplicate registries when merging env and config", () => {
delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES =
"npm.company.com,env.registry.com";
configFileContent = JSON.stringify({
npm: {
customRegistries: ["npm.company.com", "config.registry.net"],
},
});
const registries = getNpmCustomRegistries();
assert.deepStrictEqual(registries, [
"npm.company.com",
"env.registry.com",
"config.registry.net",
]);
});
it("should normalize protocols from environment variable registries", () => {
delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES =
"https://env1.registry.com,http://env2.registry.net";
configFileContent = undefined;
const registries = getNpmCustomRegistries();
assert.deepStrictEqual(registries, [
"env1.registry.com",
"env2.registry.net",
]);
});
it("should handle empty strings in comma-separated list", () => {
delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES =
"env1.registry.com,,env2.registry.net,";
configFileContent = undefined;
const registries = getNpmCustomRegistries();
assert.deepStrictEqual(registries, [
"env1.registry.com",
"env2.registry.net",
]);
});
it("should handle single registry in environment variable", () => {
delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = "single.registry.com";
configFileContent = undefined;
const registries = getNpmCustomRegistries();
assert.deepStrictEqual(registries, ["single.registry.com"]);
});
it("should return empty array for empty environment variable", () => {
delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = "";
configFileContent = undefined;
const registries = getNpmCustomRegistries();
assert.deepStrictEqual(registries, []);
});
it("should return empty array for whitespace-only environment variable", () => {
delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = " , , ";
configFileContent = undefined;
const registries = getNpmCustomRegistries();
assert.deepStrictEqual(registries, []);
assert.strictEqual(level, LOGGING_NORMAL);
});
});

13
packages/safe-chain/src/main.js
View file

@ -13,6 +13,10 @@ import { getAuditStats } from "./scanning/audit/index.js";
* @returns {Promise<number>}
*/
export async function main(args) {
if (isSafeChainVerify(args)) {
return 0;
}
process.on("SIGINT", handleProcessTermination);
process.on("SIGTERM", handleProcessTermination);
@ -104,3 +108,12 @@ export async function main(args) {
function handleProcessTermination() {
ui.writeBufferedLogsAndStopBuffering();
}
/** @param {string[]} args */
function isSafeChainVerify(args) {
const safeChainCheckCommand = "safe-chain-verify";
if (args.length > 0 && args[0] === safeChainCheckCommand) {
ui.writeInformation("OK: Safe-chain works!");
return true;
}
}

9
packages/safe-chain/src/registryProxy/interceptors/pipInterceptor.js
View file

@ -1,3 +1,4 @@
import { getPipCustomRegistries } from "../../config/settings.js";
import { isMalwarePackage } from "../../scanning/audit/index.js";
import { interceptRequests } from "./interceptorBuilder.js";
@ -13,7 +14,9 @@ const knownPipRegistries = [
* @returns {import("./interceptorBuilder.js").Interceptor | undefined}
*/
export function pipInterceptorForUrl(url) {
const registry = knownPipRegistries.find((reg) => url.includes(reg));
const customRegistries = getPipCustomRegistries();
const registries = [...knownPipRegistries, ...customRegistries];
const registry = registries.find((reg) => url.includes(reg));
if (registry) {
return buildPipInterceptor(registry);
@ -37,8 +40,8 @@ function buildPipInterceptor(registry) {
// Per python, packages that differ only by hyphen vs underscore are considered the same.
const hyphenName = packageName?.includes("_") ? packageName.replace(/_/g, "-") : packageName;
const isMalicious =
await isMalwarePackage(packageName, version)
const isMalicious =
await isMalwarePackage(packageName, version)
|| await isMalwarePackage(hyphenName, version);
if (isMalicious) {

199
packages/safe-chain/src/registryProxy/interceptors/pipInterceptor.pipCustomRegistries.spec.js Normal file
View file

@ -0,0 +1,199 @@
import { describe, it, mock } from "node:test";
import assert from "node:assert";
describe("pipInterceptor custom registries", async () => {
let lastPackage;
let malwareResponse = false;
let customRegistries = [];
mock.module("../../config/settings.js", {
namedExports: {
getPipCustomRegistries: () => customRegistries,
},
});
mock.module("../../scanning/audit/index.js", {
namedExports: {
isMalwarePackage: async (packageName, version) => {
lastPackage = { packageName, version };
return malwareResponse;
},
},
});
const { pipInterceptorForUrl } = await import("./pipInterceptor.js");
it("should create interceptor for custom registry", () => {
customRegistries = ["my-custom-registry.example.com"];
const url =
"https://my-custom-registry.example.com/packages/xx/yy/foobar-1.2.3.tar.gz";
const interceptor = pipInterceptorForUrl(url);
assert.ok(
interceptor,
"Interceptor should be created for custom registry"
);
});
it("should parse package from custom registry URL", async () => {
customRegistries = ["my-custom-registry.example.com"];
const url =
"https://my-custom-registry.example.com/packages/xx/yy/foobar-1.2.3.tar.gz";
const interceptor = pipInterceptorForUrl(url);
assert.ok(interceptor, "Interceptor should be created");
await interceptor.handleRequest(url);
assert.deepEqual(lastPackage, {
packageName: "foobar",
version: "1.2.3",
});
});
it("should parse wheel package from custom registry URL", async () => {
customRegistries = ["private-pypi.internal.com"];
const url =
"https://private-pypi.internal.com/packages/foo_bar-2.0.0-py3-none-any.whl";
const interceptor = pipInterceptorForUrl(url);
assert.ok(interceptor, "Interceptor should be created");
await interceptor.handleRequest(url);
assert.deepEqual(lastPackage, {
packageName: "foo-bar",
version: "2.0.0",
});
});
it("should handle multiple custom registries", async () => {
customRegistries = [
"registry-one.example.com",
"registry-two.example.com",
];
const url1 =
"https://registry-one.example.com/packages/package1-1.0.0.tar.gz";
const url2 =
"https://registry-two.example.com/packages/package2-2.0.0.tar.gz";
const interceptor1 = pipInterceptorForUrl(url1);
const interceptor2 = pipInterceptorForUrl(url2);
assert.ok(interceptor1, "Interceptor should be created for first registry");
assert.ok(
interceptor2,
"Interceptor should be created for second registry"
);
});
it("should block malicious package from custom registry", async () => {
customRegistries = ["my-custom-registry.example.com"];
malwareResponse = true;
const url =
"https://my-custom-registry.example.com/packages/malicious_package-1.0.0.tar.gz";
const interceptor = pipInterceptorForUrl(url);
assert.ok(interceptor, "Interceptor should be created");
const result = await interceptor.handleRequest(url);
assert.ok(result.blockResponse, "Should contain a blockResponse");
assert.equal(
result.blockResponse.statusCode,
403,
"Block response should have status code 403"
);
assert.equal(
result.blockResponse.message,
"Forbidden - blocked by safe-chain",
"Block response should have correct status message"
);
malwareResponse = false;
});
it("should still work with known registries when custom registries are set", async () => {
customRegistries = ["my-custom-registry.example.com"];
const url =
"https://files.pythonhosted.org/packages/xx/yy/foobar-1.2.3.tar.gz";
const interceptor = pipInterceptorForUrl(url);
assert.ok(
interceptor,
"Interceptor should be created for known registry even with custom registries set"
);
await interceptor.handleRequest(url);
assert.deepEqual(lastPackage, {
packageName: "foobar",
version: "1.2.3",
});
});
it("should not create interceptor for unknown registry when custom registries are set", () => {
customRegistries = ["my-custom-registry.example.com"];
const url = "https://unknown-registry.example.com/packages/foobar-1.0.0.tar.gz";
const interceptor = pipInterceptorForUrl(url);
assert.equal(
interceptor,
undefined,
"Interceptor should be undefined for unknown registry"
);
});
it("should handle empty custom registries array", () => {
customRegistries = [];
const url =
"https://my-custom-registry.example.com/packages/foobar-1.0.0.tar.gz";
const interceptor = pipInterceptorForUrl(url);
assert.equal(
interceptor,
undefined,
"Interceptor should be undefined when no custom registries are configured"
);
});
it("should parse .whl.metadata from custom registry", async () => {
customRegistries = ["private-pypi.internal.com"];
const url =
"https://private-pypi.internal.com/packages/foo_bar-2.0.0-py3-none-any.whl.metadata";
const interceptor = pipInterceptorForUrl(url);
assert.ok(interceptor, "Interceptor should be created");
await interceptor.handleRequest(url);
assert.deepEqual(lastPackage, {
packageName: "foo-bar",
version: "2.0.0",
});
});
it("should parse .tar.gz.metadata from custom registry", async () => {
customRegistries = ["private-pypi.internal.com"];
const url =
"https://private-pypi.internal.com/packages/foo_bar-2.0.0.tar.gz.metadata";
const interceptor = pipInterceptorForUrl(url);
assert.ok(interceptor, "Interceptor should be created");
await interceptor.handleRequest(url);
assert.deepEqual(lastPackage, {
packageName: "foo-bar",
version: "2.0.0",
});
});
});

2
packages/safe-chain/src/shell-integration/startup-scripts/init-posix.sh
View file

@ -83,6 +83,6 @@ function wrapSafeChainCommand() {
# If the aikido command is not available, print a warning and run the original command
printSafeChainWarning "$original_cmd"
command "$original_cmd" "$@"
command "$@"
fi
}