milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Code Quality

Browse source
This commit is contained in:
Reinier Criel 2026-03-28 11:39:02 -07:00
parent fd6fb456b4
commit aa7bbbd4e9
3 changed files with 66 additions and 42 deletions
Download patch file Download diff file Expand all files Collapse all files

74
packages/safe-chain/src/registryProxy/interceptors/pip/parsePipPackageUrl.js
View file

@ -4,61 +4,79 @@
* @returns {{packageName: string | undefined, version: string | undefined}} * @returns {{packageName: string | undefined, version: string | undefined}}
*/ */
export function parsePipPackageFromUrl(url, registry) { export function parsePipPackageFromUrl(url, registry) {
let packageName, version;
if (!registry || typeof url !== "string") { if (!registry || typeof url !== "string") {
return { packageName, version }; return { packageName: undefined, version: undefined };
} }
let urlObj; let urlObj;
try { try {
urlObj = new URL(url); urlObj = new URL(url);
} catch { } catch {
return { packageName, version }; return { packageName: undefined, version: undefined };
} }
const lastSegment = urlObj.pathname.split("/").filter(Boolean).pop(); const lastSegment = urlObj.pathname.split("/").filter(Boolean).pop();
if (!lastSegment) { if (!lastSegment) {
return { packageName, version }; return { packageName: undefined, version: undefined };
} }
const filename = decodeURIComponent(lastSegment); const filename = decodeURIComponent(lastSegment);
const wheelExtRe = /\.whl(?:\.metadata)?$/; const wheelExtRe = /\.whl(?:\.metadata)?$/;
if (wheelExtRe.test(filename)) { if (wheelExtRe.test(filename)) {
const base = filename.replace(wheelExtRe, ""); return parseWheelFilename(filename, wheelExtRe);
const firstDash = base.indexOf("-");
if (firstDash > 0) {
const dist = base.slice(0, firstDash);
const rest = base.slice(firstDash + 1);
const secondDash = rest.indexOf("-");
const rawVersion = secondDash >= 0 ? rest.slice(0, secondDash) : rest;
packageName = dist;
version = rawVersion;
if (version === "latest" || !packageName || !version) {
return { packageName: undefined, version: undefined };
}
return { packageName, version };
}
} }
const sdistExtWithMetadataRe = /\.(tar\.gz|zip|tar\.bz2|tar\.xz)(\.metadata)?$/i; const sdistExtWithMetadataRe = /\.(tar\.gz|zip|tar\.bz2|tar\.xz)(\.metadata)?$/i;
if (sdistExtWithMetadataRe.test(filename)) { if (!sdistExtWithMetadataRe.test(filename)) {
const base = filename.replace(sdistExtWithMetadataRe, ""); return { packageName: undefined, version: undefined };
const lastDash = base.lastIndexOf("-"); }
if (lastDash > 0 && lastDash < base.length - 1) {
packageName = base.slice(0, lastDash); return parseSdistFilename(filename, sdistExtWithMetadataRe);
version = base.slice(lastDash + 1); }
/**
* @param {string} filename
* @param {RegExp} wheelExtRe
* @returns {{packageName: string | undefined, version: string | undefined}}
*/
function parseWheelFilename(filename, wheelExtRe) {
const base = filename.replace(wheelExtRe, "");
const firstDash = base.indexOf("-");
if (firstDash <= 0) {
return { packageName: undefined, version: undefined };
}
const packageName = base.slice(0, firstDash);
const rest = base.slice(firstDash + 1);
const secondDash = rest.indexOf("-");
const version = secondDash >= 0 ? rest.slice(0, secondDash) : rest;
if (version === "latest" || !packageName || !version) { if (version === "latest" || !packageName || !version) {
return { packageName: undefined, version: undefined }; return { packageName: undefined, version: undefined };
} }
return { packageName, version }; return { packageName, version };
} }
/**
* @param {string} filename
* @param {RegExp} sdistExtWithMetadataRe
* @returns {{packageName: string | undefined, version: string | undefined}}
*/
function parseSdistFilename(filename, sdistExtWithMetadataRe) {
const base = filename.replace(sdistExtWithMetadataRe, "");
const lastDash = base.lastIndexOf("-");
if (lastDash <= 0 || lastDash >= base.length - 1) {
return { packageName: undefined, version: undefined };
} }
const packageName = base.slice(0, lastDash);
const version = base.slice(lastDash + 1);
if (version === "latest" || !packageName || !version) {
return { packageName: undefined, version: undefined }; return { packageName: undefined, version: undefined };
}
return { packageName, version };
} }

12
packages/safe-chain/src/registryProxy/interceptors/pip/pipInterceptor.js
View file

@ -36,7 +36,15 @@ export function pipInterceptorForUrl(url) {
* @returns {import("../interceptorBuilder.js").Interceptor | undefined} * @returns {import("../interceptorBuilder.js").Interceptor | undefined}
*/ */
function buildPipInterceptor(registry) { function buildPipInterceptor(registry) {
return interceptRequests(async (reqContext) => { return interceptRequests(createPipRequestHandler(registry));
}
/**
* @param {string} registry
* @returns {(reqContext: import("../interceptorBuilder.js").RequestInterceptionContext) => Promise<void>}
*/
function createPipRequestHandler(registry) {
return async (reqContext) => {
const { packageName, version } = parsePipPackageFromUrl( const { packageName, version } = parsePipPackageFromUrl(
reqContext.targetUrl, reqContext.targetUrl,
registry registry
@ -76,5 +84,5 @@ function buildPipInterceptor(registry) {
); );
} }
} }
}); };
} }

8
packages/safe-chain/src/scanning/packageNameVariants.js
View file

@ -10,9 +10,7 @@ export function getEquivalentPackageNames(packageName, ecosystem) {
return [packageName]; return [packageName];
} }
const hyphenName = packageName.replaceAll(/[_.-]/g, "-"); return [...new Set([packageName, ...["-", "_", "."].map((separator) =>
const underscoreName = packageName.replaceAll(/[._-]/g, "_"); packageName.replaceAll(/[._-]/g, separator)
const dotName = packageName.replaceAll(/[_.-]/g, "."); )])];
return [...new Set([packageName, hyphenName, underscoreName, dotName])];
} }