milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Use safeSpawn

Browse source
This commit is contained in:
Sander Declerck 2026-02-05 10:24:28 +01:00
parent 3e90c0abd1
commit aa461b27c3
No known key found for this signature in database
7 changed files with 62 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

23
packages/safe-chain/src/shell-integration/helpers.js
View file

@ -1,8 +1,9 @@
import { spawnSync, execSync } from "child_process"; import { spawnSync } from "child_process";
import * as os from "os"; import * as os from "os";
import fs from "fs"; import fs from "fs";
import path from "path"; import path from "path";
import { ECOSYSTEM_JS, ECOSYSTEM_PY } from "../config/settings.js"; import { ECOSYSTEM_JS, ECOSYSTEM_PY } from "../config/settings.js";
import { safeSpawn } from "../utils/safeSpawn.js";
/** /**
* @typedef {Object} AikidoTool * @typedef {Object} AikidoTool
@ -247,9 +248,9 @@ function createFileIfNotExists(filePath) {
/** /**
* Checks if PowerShell execution policy allows script execution * Checks if PowerShell execution policy allows script execution
* @param {string} shellExecutableName - The name of the PowerShell executable ("pwsh" or "powershell") * @param {string} shellExecutableName - The name of the PowerShell executable ("pwsh" or "powershell")
* @returns {{isValid: boolean, policy: string}} validation result * @returns {Promise<{isValid: boolean, policy: string}>} validation result
*/ */
export function validatePowerShellExecutionPolicy(shellExecutableName) { export async function validatePowerShellExecutionPolicy(shellExecutableName) {
// Security: Only allow known shell executables // Security: Only allow known shell executables
const validShells = ["pwsh", "powershell"]; const validShells = ["pwsh", "powershell"];
if (!validShells.includes(shellExecutableName)) { if (!validShells.includes(shellExecutableName)) {
@ -257,16 +258,12 @@ export function validatePowerShellExecutionPolicy(shellExecutableName) {
} }
try { try {
// Security: Use literal command string, no interpolation const commandResult = await safeSpawn(shellExecutableName, [
// Import the Security module first - works for both powershell.exe and pwsh.exe "-Command",
const policy = execSync( "Get-ExecutionPolicy",
"Import-Module Microsoft.PowerShell.Security; Get-ExecutionPolicy", ]);
{
encoding: "utf8", const policy = commandResult.stdout.trim();
shell: shellExecutableName,
timeout: 5000, // 5 second timeout
}
).trim();
const acceptablePolicies = ["RemoteSigned", "Unrestricted", "Bypass"]; const acceptablePolicies = ["RemoteSigned", "Unrestricted", "Bypass"];
return { return {

32
packages/safe-chain/src/shell-integration/setup.js
View file

@ -1,7 +1,11 @@
import chalk from "chalk"; import chalk from "chalk";
import { ui } from "../environment/userInteraction.js"; import { ui } from "../environment/userInteraction.js";
import { detectShells } from "./shellDetection.js"; import { detectShells } from "./shellDetection.js";
import { knownAikidoTools, getPackageManagerList, getScriptsDir } from "./helpers.js"; import {
knownAikidoTools,
getPackageManagerList,
getScriptsDir,
} from "./helpers.js";
import fs from "fs"; import fs from "fs";
import path from "path"; import path from "path";
import { fileURLToPath } from "url"; import { fileURLToPath } from "url";
@ -26,7 +30,7 @@ if (import.meta.url) {
export async function setup() { export async function setup() {
ui.writeInformation( ui.writeInformation(
chalk.bold("Setting up shell aliases.") + chalk.bold("Setting up shell aliases.") +
` This will wrap safe-chain around ${getPackageManagerList()}.` ` This will wrap safe-chain around ${getPackageManagerList()}.`,
); );
ui.emptyLine(); ui.emptyLine();
@ -42,12 +46,12 @@ export async function setup() {
ui.writeInformation( ui.writeInformation(
`Detected ${shells.length} supported shell(s): ${shells `Detected ${shells.length} supported shell(s): ${shells
.map((shell) => chalk.bold(shell.name)) .map((shell) => chalk.bold(shell.name))
.join(", ")}.` .join(", ")}.`,
); );
let updatedCount = 0; let updatedCount = 0;
for (const shell of shells) { for (const shell of shells) {
if (setupShell(shell)) { if (await setupShell(shell)) {
updatedCount++; updatedCount++;
} }
} }
@ -58,7 +62,7 @@ export async function setup() {
} }
} catch (/** @type {any} */ error) { } catch (/** @type {any} */ error) {
ui.writeError( ui.writeError(
`Failed to set up shell aliases: ${error.message}. Please check your shell configuration.` `Failed to set up shell aliases: ${error.message}. Please check your shell configuration.`,
); );
return; return;
} }
@ -68,12 +72,12 @@ export async function setup() {
* Calls the setup function for the given shell and reports the result. * Calls the setup function for the given shell and reports the result.
* @param {import("./shellDetection.js").Shell} shell * @param {import("./shellDetection.js").Shell} shell
*/ */
function setupShell(shell) { async function setupShell(shell) {
let success = false; let success = false;
let error; let error;
try { try {
shell.teardown(knownAikidoTools); // First, tear down to prevent duplicate aliases shell.teardown(knownAikidoTools); // First, tear down to prevent duplicate aliases
success = shell.setup(knownAikidoTools); success = await shell.setup(knownAikidoTools);
} catch (/** @type {any} */ err) { } catch (/** @type {any} */ err) {
success = false; success = false;
error = err; error = err;
@ -82,14 +86,14 @@ function setupShell(shell) {
if (success) { if (success) {
ui.writeInformation( ui.writeInformation(
`${chalk.bold("- " + shell.name + ":")} ${chalk.green( `${chalk.bold("- " + shell.name + ":")} ${chalk.green(
"Setup successful" "Setup successful",
)}` )}`,
); );
} else { } else {
ui.writeError( ui.writeError(
`${chalk.bold("- " + shell.name + ":")} ${chalk.red( `${chalk.bold("- " + shell.name + ":")} ${chalk.red(
"Setup failed" "Setup failed",
)}. Please check your ${shell.name} configuration.` )}. Please check your ${shell.name} configuration.`,
); );
if (error) { if (error) {
let message = ` Error: ${error.message}`; let message = ` Error: ${error.message}`;
@ -115,11 +119,7 @@ function copyStartupFiles() {
} }
// Use absolute path for source // Use absolute path for source
const sourcePath = path.join( const sourcePath = path.join(dirname, "startup-scripts", file);
dirname,
"startup-scripts",
file
);
fs.copyFileSync(sourcePath, targetPath); fs.copyFileSync(sourcePath, targetPath);
} }
} }

4
packages/safe-chain/src/shell-integration/shellDetection.js
View file

@ -9,7 +9,7 @@ import { ui } from "../environment/userInteraction.js";
* @typedef {Object} Shell * @typedef {Object} Shell
* @property {string} name * @property {string} name
* @property {() => boolean} isInstalled * @property {() => boolean} isInstalled
* @property {(tools: import("./helpers.js").AikidoTool[]) => boolean} setup * @property {(tools: import("./helpers.js").AikidoTool[]) => boolean|Promise<boolean>} setup
* @property {(tools: import("./helpers.js").AikidoTool[]) => boolean} teardown * @property {(tools: import("./helpers.js").AikidoTool[]) => boolean} teardown
*/ */
@ -28,7 +28,7 @@ export function detectShells() {
} }
} catch (/** @type {any} */ error) { } catch (/** @type {any} */ error) {
ui.writeError( ui.writeError(
`We were not able to detect which shells are installed on your system. Please check your shell configuration. Error: ${error.message}` `We were not able to detect which shells are installed on your system. Please check your shell configuration. Error: ${error.message}`,
); );
return []; return [];
} }

15
packages/safe-chain/src/shell-integration/supported-shells/powershell.js
View file

@ -26,27 +26,28 @@ function teardown(tools) {
// Remove any existing alias for the tool // Remove any existing alias for the tool
removeLinesMatchingPattern( removeLinesMatchingPattern(
startupFile, startupFile,
new RegExp(`^Set-Alias\\s+${tool}\\s+`) new RegExp(`^Set-Alias\\s+${tool}\\s+`),
); );
} }
// Remove the line that sources the safe-chain PowerShell initialization script // Remove the line that sources the safe-chain PowerShell initialization script
removeLinesMatchingPattern( removeLinesMatchingPattern(
startupFile, startupFile,
/^\.\s+["']?\$HOME[/\\].safe-chain[/\\]scripts[/\\]init-pwsh\.ps1["']?/ /^\.\s+["']?\$HOME[/\\].safe-chain[/\\]scripts[/\\]init-pwsh\.ps1["']?/,
); );
return true; return true;
} }
function setup() { async function setup() {
// Check execution policy // Check execution policy
const { isValid, policy } = validatePowerShellExecutionPolicy(executableName); const { isValid, policy } =
await validatePowerShellExecutionPolicy(executableName);
if (!isValid) { if (!isValid) {
throw new Error( throw new Error(
`PowerShell execution policy is set to '${policy}', which prevents safe-chain from running. ` + `PowerShell execution policy is set to '${policy}', which prevents safe-chain from running. ` +
`To fix this, open PowerShell as Administrator and run: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned. ` + `To fix this, open PowerShell as Administrator and run: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned. ` +
`For more information, see: https://github.com/AikidoSec/safe-chain/blob/main/docs/troubleshooting.md#powershell-execution-policy-blocks-scripts-windows` `For more information, see: https://github.com/AikidoSec/safe-chain/blob/main/docs/troubleshooting.md#powershell-execution-policy-blocks-scripts-windows`,
); );
} }
@ -54,7 +55,7 @@ function setup() {
addLineToFile( addLineToFile(
startupFile, startupFile,
`. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1" # Safe-chain PowerShell initialization script` `. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1" # Safe-chain PowerShell initialization script`,
); );
return true; return true;
@ -68,7 +69,7 @@ function getStartupFile() {
}).trim(); }).trim();
} catch (/** @type {any} */ error) { } catch (/** @type {any} */ error) {
throw new Error( throw new Error(
`Command failed: ${startupFileCommand}. Error: ${error.message}` `Command failed: ${startupFileCommand}. Error: ${error.message}`,
); );
} }
} }

18
packages/safe-chain/src/shell-integration/supported-shells/powershell.spec.js
View file

@ -76,8 +76,8 @@ describe("PowerShell Core shell integration", () => {
}); });
describe("setup", () => { describe("setup", () => {
it("should add init-pwsh.ps1 source line", () => { it("should add init-pwsh.ps1 source line", async () => {
const result = powershell.setup(); const result = await powershell.setup();
assert.strictEqual(result, true); assert.strictEqual(result, true);
const content = fs.readFileSync(mockStartupFile, "utf-8"); const content = fs.readFileSync(mockStartupFile, "utf-8");
@ -175,9 +175,9 @@ describe("PowerShell Core shell integration", () => {
}); });
describe("integration tests", () => { describe("integration tests", () => {
it("should handle complete setup and teardown cycle", () => { it("should handle complete setup and teardown cycle", async () => {
// Setup // Setup
powershell.setup(); await powershell.setup();
let content = fs.readFileSync(mockStartupFile, "utf-8"); let content = fs.readFileSync(mockStartupFile, "utf-8");
assert.ok( assert.ok(
content.includes('. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1"'), content.includes('. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1"'),
@ -191,10 +191,10 @@ describe("PowerShell Core shell integration", () => {
); );
}); });
it("should handle multiple setup calls", () => { it("should handle multiple setup calls", async () => {
powershell.setup(); await powershell.setup();
powershell.teardown(knownAikidoTools); powershell.teardown(knownAikidoTools);
powershell.setup(); await powershell.setup();
const content = fs.readFileSync(mockStartupFile, "utf-8"); const content = fs.readFileSync(mockStartupFile, "utf-8");
const sourceMatches = ( const sourceMatches = (
@ -206,13 +206,13 @@ describe("PowerShell Core shell integration", () => {
}); });
describe("execution policy", () => { describe("execution policy", () => {
it(`should throw for restricted policies`, () => { it(`should throw for restricted policies`, async () => {
executionPolicyResult = { executionPolicyResult = {
isValid: false, isValid: false,
policy: "Restricted", policy: "Restricted",
}; };
assert.throws( await assert.rejects(
() => powershell.setup(), () => powershell.setup(),
(err) => (err) =>
err.message.startsWith( err.message.startsWith(

15
packages/safe-chain/src/shell-integration/supported-shells/windowsPowershell.js
View file

@ -26,27 +26,28 @@ function teardown(tools) {
// Remove any existing alias for the tool // Remove any existing alias for the tool
removeLinesMatchingPattern( removeLinesMatchingPattern(
startupFile, startupFile,
new RegExp(`^Set-Alias\\s+${tool}\\s+`) new RegExp(`^Set-Alias\\s+${tool}\\s+`),
); );
} }
// Remove the line that sources the safe-chain PowerShell initialization script // Remove the line that sources the safe-chain PowerShell initialization script
removeLinesMatchingPattern( removeLinesMatchingPattern(
startupFile, startupFile,
/^\.\s+["']?\$HOME[/\\].safe-chain[/\\]scripts[/\\]init-pwsh\.ps1["']?/ /^\.\s+["']?\$HOME[/\\].safe-chain[/\\]scripts[/\\]init-pwsh\.ps1["']?/,
); );
return true; return true;
} }
function setup() { async function setup() {
// Check execution policy // Check execution policy
const { isValid, policy } = validatePowerShellExecutionPolicy(executableName); const { isValid, policy } =
await validatePowerShellExecutionPolicy(executableName);
if (!isValid) { if (!isValid) {
throw new Error( throw new Error(
`PowerShell execution policy is set to '${policy}', which prevents safe-chain from running. ` + `PowerShell execution policy is set to '${policy}', which prevents safe-chain from running. ` +
`To fix this, open PowerShell as Administrator and run: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned. ` + `To fix this, open PowerShell as Administrator and run: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned. ` +
`For more information, see: https://github.com/AikidoSec/safe-chain/blob/main/docs/troubleshooting.md#powershell-execution-policy-blocks-scripts-windows` `For more information, see: https://github.com/AikidoSec/safe-chain/blob/main/docs/troubleshooting.md#powershell-execution-policy-blocks-scripts-windows`,
); );
} }
@ -54,7 +55,7 @@ function setup() {
addLineToFile( addLineToFile(
startupFile, startupFile,
`. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1" # Safe-chain PowerShell initialization script` `. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1" # Safe-chain PowerShell initialization script`,
); );
return true; return true;
@ -68,7 +69,7 @@ function getStartupFile() {
}).trim(); }).trim();
} catch (/** @type {any} */ error) { } catch (/** @type {any} */ error) {
throw new Error( throw new Error(
`Command failed: ${startupFileCommand}. Error: ${error.message}` `Command failed: ${startupFileCommand}. Error: ${error.message}`,
); );
} }
} }

18
packages/safe-chain/src/shell-integration/supported-shells/windowsPowershell.spec.js
View file

@ -76,8 +76,8 @@ describe("Windows PowerShell shell integration", () => {
}); });
describe("setup", () => { describe("setup", () => {
it("should add init-pwsh.ps1 source line", () => { it("should add init-pwsh.ps1 source line", async () => {
const result = windowsPowershell.setup(); const result = await windowsPowershell.setup();
assert.strictEqual(result, true); assert.strictEqual(result, true);
const content = fs.readFileSync(mockStartupFile, "utf-8"); const content = fs.readFileSync(mockStartupFile, "utf-8");
@ -175,9 +175,9 @@ describe("Windows PowerShell shell integration", () => {
}); });
describe("integration tests", () => { describe("integration tests", () => {
it("should handle complete setup and teardown cycle", () => { it("should handle complete setup and teardown cycle", async () => {
// Setup // Setup
windowsPowershell.setup(); await windowsPowershell.setup();
let content = fs.readFileSync(mockStartupFile, "utf-8"); let content = fs.readFileSync(mockStartupFile, "utf-8");
assert.ok( assert.ok(
content.includes('. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1"'), content.includes('. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1"'),
@ -191,10 +191,10 @@ describe("Windows PowerShell shell integration", () => {
); );
}); });
it("should handle multiple setup calls", () => { it("should handle multiple setup calls", async () => {
windowsPowershell.setup(); await windowsPowershell.setup();
windowsPowershell.teardown(knownAikidoTools); windowsPowershell.teardown(knownAikidoTools);
windowsPowershell.setup(); await windowsPowershell.setup();
const content = fs.readFileSync(mockStartupFile, "utf-8"); const content = fs.readFileSync(mockStartupFile, "utf-8");
const sourceMatches = ( const sourceMatches = (
@ -206,13 +206,13 @@ describe("Windows PowerShell shell integration", () => {
}); });
describe("execution policy", () => { describe("execution policy", () => {
it(`should throw for restricted policies`, () => { it(`should throw for restricted policies`, async () => {
executionPolicyResult = { executionPolicyResult = {
isValid: false, isValid: false,
policy: "Restricted", policy: "Restricted",
}; };
assert.throws( await assert.rejects(
() => windowsPowershell.setup(), () => windowsPowershell.setup(),
(err) => (err) =>
err.message.startsWith( err.message.startsWith(