Adapt per latest core

This commit is contained in:
Reinier Criel 2026-03-20 09:11:02 -07:00
parent 07e315a382
commit ac09534070
4 changed files with 35 additions and 26 deletions


@ -11,9 +11,9 @@ const malwareDatabaseUrls = {
[ECOSYSTEM_PY]: "https://malware-list.aikido.dev/malware_pypi.json", [ECOSYSTEM_PY]: "https://malware-list.aikido.dev/malware_pypi.json",
}; };
// TODO: replace with the real CDN URL once core publishes the S3 endpoint
const newPackagesListUrls = { const newPackagesListUrls = {
[ECOSYSTEM_JS]: "https://new-packages.aikido.dev/js_packages.json", [ECOSYSTEM_JS]: "https://malware-list.aikido.dev/releases_npm.json",
[ECOSYSTEM_PY]: "https://malware-list.aikido.dev/releases_pypi.json",
}; };
const DEFAULT_FETCH_RETRY_ATTEMPTS = 4; const DEFAULT_FETCH_RETRY_ATTEMPTS = 4;
@ -27,8 +27,8 @@ const DEFAULT_FETCH_RETRY_ATTEMPTS = 4;
/** /**
* @typedef {Object} NewPackageEntry * @typedef {Object} NewPackageEntry
* @property {string} source * @property {string} [source]
* @property {string} name * @property {string} package_name
* @property {string} version * @property {string} version
* @property {number} released_on - Unix timestamp (seconds) * @property {number} released_on - Unix timestamp (seconds)
* @property {number} scraped_on - Unix timestamp (seconds) * @property {number} scraped_on - Unix timestamp (seconds)
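Review bot: The newly optional `[source]` property in the NewPackageEntry typedef carries no description, although the matcher in newPackagesDatabase.js treats a missing source as "accept" and otherwise compares it case-insensitively against the ecosystem ids "npm"/"pypi" that getCurrentFeedSource returns. Suggest `* @property {string} [source] - Feed ecosystem id ("npm" or "pypi"); when absent the entry is taken to belong to the ecosystem-specific feed it was fetched from`. The TODO above newPackagesListUrls also does not say which entry is the stand-in; since both URLs now sit on the malware-list host, naming the affected key in the comment (presumably the one core has not published yet) would save the next reader a guess.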


@ -141,8 +141,7 @@ describe("aikido API", async () => {
it("should succeed immediately when fetch succeeds on first try", async () => { it("should succeed immediately when fetch succeeds on first try", async () => {
const releases = [ const releases = [
{ {
source: "NPM", package_name: "fresh-pkg",
name: "fresh-pkg",
version: "1.0.0", version: "1.0.0",
released_on: 123, released_on: 123,
scraped_on: 456, scraped_on: 456,
@ -174,7 +173,7 @@ describe("aikido API", async () => {
}); });
it("should return an empty list without fetching for unsupported ecosystems", async () => { it("should return an empty list without fetching for unsupported ecosystems", async () => {
ecosystem = "py"; ecosystem = "ruby";
const result = await fetchNewPackagesList(); const result = await fetchNewPackagesList();
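Review bot: ECOSYSTEM_PY now has its own entry in newPackagesListUrls, but the only change in this test file is moving the unsupported-ecosystem case from "py" to "ruby"; nothing here asserts that `ecosystem = "py"` actually fetches `releases_pypi.json`. A sibling case mirroring the ruby one, setting `ecosystem = "py"`, awaiting fetchNewPackagesList() and asserting that the mocked fetch was called with the pypi URL, would pin the new mapping. The surrounding describe block starts outside the hunk, so I cannot see which fetch stub is available for that assertion.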


@ -11,6 +11,7 @@ import {
getMinimumPackageAgeHours, getMinimumPackageAgeHours,
getEcoSystem, getEcoSystem,
ECOSYSTEM_JS, ECOSYSTEM_JS,
ECOSYSTEM_PY,
} from "../config/settings.js"; } from "../config/settings.js";
/** /**
@ -23,11 +24,21 @@ let cachedNewPackagesDatabase = null;
let hasWarnedAboutUnavailableNewPackagesDatabase = false; let hasWarnedAboutUnavailableNewPackagesDatabase = false;
/** /**
* Returns the source identifier used in the feed for the current ecosystem. * Returns the ecosystem identifier expected in upstream/core release feeds.
* @returns {string} * @returns {string}
*/ */
function getCurrentFeedSource() { function getCurrentFeedSource() {
return getEcoSystem(); const ecosystem = getEcoSystem();
if (ecosystem === ECOSYSTEM_JS) {
return "npm";
}
if (ecosystem === ECOSYSTEM_PY) {
return "pypi";
}
return ecosystem;
} }
/** /**
@ -73,8 +84,8 @@ export async function openNewPackagesDatabase() {
const entry = newPackagesList.find( const entry = newPackagesList.find(
(pkg) => (pkg) =>
pkg.source?.toLowerCase() === expectedSource && (!pkg.source || pkg.source.toLowerCase() === expectedSource) &&
pkg.name === name && pkg.package_name === name &&
pkg.version === version pkg.version === version
); );
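Review bot: The rewritten predicate in the `find` accepts any entry whose `source` is missing, and because `!pkg.source` is a truthiness test it also accepts an empty-string source; that is only sound because newPackagesListUrls is keyed per ecosystem and the list was fetched for the current one, which is not stated at the call site. Suggest a comment above the `find`: `// Entries without a source are accepted: the list is fetched per ecosystem, so only explicitly mismatched sources are rejected.` If an empty string should be treated as a malformed source rather than as absent, `pkg.source == null` is the narrower guard. In getCurrentFeedSource the if-chain could be a lookup `({ [ECOSYSTEM_JS]: "npm", [ECOSYSTEM_PY]: "pypi" })[ecosystem] ?? ecosystem`, but that is style only. openNewPackagesDatabase starts and ends outside the hunk.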


@ -96,7 +96,7 @@ describe("newPackagesDatabase", async () => {
describe("isNewlyReleasedPackage", () => { describe("isNewlyReleasedPackage", () => {
it("returns true for a package released within the age threshold", async () => { it("returns true for a package released within the age threshold", async () => {
fetchedList = [ fetchedList = [
{ source: "js", name: "foo", version: "1.0.0", released_on: hoursAgo(1), scraped_on: hoursAgo(1) }, { package_name: "foo", version: "1.0.0", released_on: hoursAgo(1), scraped_on: hoursAgo(1) },
]; ];
const db = await openNewPackagesDatabase(); const db = await openNewPackagesDatabase();
@ -105,7 +105,7 @@ describe("newPackagesDatabase", async () => {
it("returns false for a package released outside the age threshold", async () => { it("returns false for a package released outside the age threshold", async () => {
fetchedList = [ fetchedList = [
{ source: "js", name: "foo", version: "1.0.0", released_on: hoursAgo(48), scraped_on: hoursAgo(48) }, { package_name: "foo", version: "1.0.0", released_on: hoursAgo(48), scraped_on: hoursAgo(48) },
]; ];
const db = await openNewPackagesDatabase(); const db = await openNewPackagesDatabase();
@ -121,25 +121,25 @@ describe("newPackagesDatabase", async () => {
it("returns false for a known package but different version", async () => { it("returns false for a known package but different version", async () => {
fetchedList = [ fetchedList = [
{ source: "js", name: "foo", version: "2.0.0", released_on: hoursAgo(1), scraped_on: hoursAgo(1) }, { package_name: "foo", version: "2.0.0", released_on: hoursAgo(1), scraped_on: hoursAgo(1) },
]; ];
const db = await openNewPackagesDatabase(); const db = await openNewPackagesDatabase();
assert.strictEqual(db.isNewlyReleasedPackage("foo", "1.0.0"), false); assert.strictEqual(db.isNewlyReleasedPackage("foo", "1.0.0"), false);
}); });
it("ignores entries from a different source in a mixed feed", async () => { it("matches the current feed ecosystem when source metadata is present", async () => {
fetchedList = [ fetchedList = [
{ {
source: "npm", source: "pypi",
name: "foo", package_name: "foo",
version: "1.0.0", version: "1.0.0",
released_on: hoursAgo(1), released_on: hoursAgo(1),
scraped_on: hoursAgo(1), scraped_on: hoursAgo(1),
}, },
{ {
source: "js", source: "npm",
name: "bar", package_name: "bar",
version: "1.0.0", version: "1.0.0",
released_on: hoursAgo(1), released_on: hoursAgo(1),
scraped_on: hoursAgo(1), scraped_on: hoursAgo(1),
@ -155,7 +155,7 @@ describe("newPackagesDatabase", async () => {
it("respects a custom minimumPackageAgeHours threshold", async () => { it("respects a custom minimumPackageAgeHours threshold", async () => {
minimumPackageAgeHours = 168; // 7 days minimumPackageAgeHours = 168; // 7 days
fetchedList = [ fetchedList = [
{ source: "js", name: "foo", version: "1.0.0", released_on: hoursAgo(100), scraped_on: hoursAgo(100) }, { package_name: "foo", version: "1.0.0", released_on: hoursAgo(100), scraped_on: hoursAgo(100) },
]; ];
const db = await openNewPackagesDatabase(); const db = await openNewPackagesDatabase();
@ -172,7 +172,7 @@ describe("newPackagesDatabase", async () => {
describe("caching behaviour", () => { describe("caching behaviour", () => {
it("uses local cache when etag matches", async () => { it("uses local cache when etag matches", async () => {
cachedList = [ cachedList = [
{ source: "js", name: "cached-pkg", version: "1.0.0", released_on: hoursAgo(1), scraped_on: hoursAgo(1) }, { package_name: "cached-pkg", version: "1.0.0", released_on: hoursAgo(1), scraped_on: hoursAgo(1) },
]; ];
cachedVersion = "etag-1"; cachedVersion = "etag-1";
fetchVersionResult = "etag-1"; fetchVersionResult = "etag-1";
@ -185,12 +185,12 @@ describe("newPackagesDatabase", async () => {
it("fetches fresh list when etag does not match", async () => { it("fetches fresh list when etag does not match", async () => {
cachedList = [ cachedList = [
{ source: "js", name: "stale-pkg", version: "1.0.0", released_on: hoursAgo(1), scraped_on: hoursAgo(1) }, { package_name: "stale-pkg", version: "1.0.0", released_on: hoursAgo(1), scraped_on: hoursAgo(1) },
]; ];
cachedVersion = "etag-old"; cachedVersion = "etag-old";
fetchVersionResult = "etag-new"; fetchVersionResult = "etag-new";
fetchedList = [ fetchedList = [
{ source: "js", name: "fresh-pkg", version: "2.0.0", released_on: hoursAgo(1), scraped_on: hoursAgo(1) }, { package_name: "fresh-pkg", version: "2.0.0", released_on: hoursAgo(1), scraped_on: hoursAgo(1) },
]; ];
const db = await openNewPackagesDatabase(); const db = await openNewPackagesDatabase();
@ -201,8 +201,7 @@ describe("newPackagesDatabase", async () => {
it("falls back to local cache when fetch fails", async () => { it("falls back to local cache when fetch fails", async () => {
cachedList = [ cachedList = [
{ {
source: "js", package_name: "cached-pkg",
name: "cached-pkg",
version: "1.0.0", version: "1.0.0",
released_on: hoursAgo(1), released_on: hoursAgo(1),
scraped_on: hoursAgo(1), scraped_on: hoursAgo(1),
@ -221,7 +220,7 @@ describe("newPackagesDatabase", async () => {
it("emits a warning when list has no version (cannot be cached)", async () => { it("emits a warning when list has no version (cannot be cached)", async () => {
fetchedList = [ fetchedList = [
{ source: "js", name: "foo", version: "1.0.0", released_on: hoursAgo(1), scraped_on: hoursAgo(1) }, { package_name: "foo", version: "1.0.0", released_on: hoursAgo(1), scraped_on: hoursAgo(1) },
]; ];
fetchedVersion = undefined; fetchedVersion = undefined;