milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Cleanup pt2

Browse source
This commit is contained in:
Sander Declerck 2026-03-02 16:06:10 +01:00
parent e8a4fbcd76
commit b03c1f6817
No known key found for this signature in database
3 changed files with 13 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

17
packages/safe-chain/src/packagemanager/pip/runPipCommand.js
View file

@ -121,13 +121,13 @@ export async function runPip(command, args) {
let cleanupConfigPath = null; // Track temp file for cleanup let cleanupConfigPath = null; // Track temp file for cleanup
if (isConfigRelatedCommand) { if (isConfigRelatedCommand) {
ui.writeVerbose( `Safe-chain: Skipping PIP_CONFIG_FILE override for 'pip ${args[0]}' command to allow persistent config/cache access.`); ui.writeVerbose(`Safe-chain: Skipping PIP_CONFIG_FILE override for 'pip ${args[0]}' command to allow persistent config/cache access.`);
// Still set the fallback CA bundle environment variables to avoid edge cases where a // Still set the fallback CA bundle environment variables to avoid edge cases where a
// plugin or extension triggers a network call during config introspection // plugin or extension triggers a network call during config introspection
// This can do no harm // This can do no harm
setFallbackCaBundleEnvironmentVariables(env, combinedCaPath); setFallbackCaBundleEnvironmentVariables(env, combinedCaPath);
const result = await safeSpawn(command, args, { const result = await safeSpawn(command, args, {
stdio: "inherit", stdio: "inherit",
env, env,
@ -147,6 +147,7 @@ export async function runPip(command, args) {
await fs.writeFile(pipConfigPath, pipConfig); await fs.writeFile(pipConfigPath, pipConfig);
env.PIP_CONFIG_FILE = pipConfigPath; env.PIP_CONFIG_FILE = pipConfigPath;
cleanupConfigPath = pipConfigPath; cleanupConfigPath = pipConfigPath;
} else if (fsSync.existsSync(env.PIP_CONFIG_FILE)) { } else if (fsSync.existsSync(env.PIP_CONFIG_FILE)) {
ui.writeVerbose("Safe-chain: Merging user provided PIP_CONFIG_FILE with safe-chain certificate and proxy settings."); ui.writeVerbose("Safe-chain: Merging user provided PIP_CONFIG_FILE with safe-chain certificate and proxy settings.");
const userConfig = env.PIP_CONFIG_FILE; const userConfig = env.PIP_CONFIG_FILE;
@ -166,21 +167,19 @@ export async function runPip(command, args) {
// Proxy // Proxy
if (typeof parsed.global.proxy !== "undefined") { if (typeof parsed.global.proxy !== "undefined") {
ui.writeWarning( ui.writeWarning("Safe-chain: User defined proxy found in PIP_CONFIG_FILE. It will be overwritten in the temporary config.");
"Safe-chain: User defined proxy found in PIP_CONFIG_FILE. It will be overwritten in the temporary config.",
);
} }
if (proxy) { if (proxy) {
parsed.global.proxy = proxy; parsed.global.proxy = proxy;
} }
const updated = ini.stringify(parsed); const updated = ini.stringify(parsed);
// Save to a new temp file to avoid overwriting user's original config // Save to a new temp file to avoid overwriting user's original config
await fs.writeFile(pipConfigPath, updated, "utf-8"); await fs.writeFile(pipConfigPath, updated, "utf-8");
env.PIP_CONFIG_FILE = pipConfigPath; env.PIP_CONFIG_FILE = pipConfigPath;
cleanupConfigPath = pipConfigPath; cleanupConfigPath = pipConfigPath;
} else { } else {
// The user provided PIP_CONFIG_FILE does not exist on disk // The user provided PIP_CONFIG_FILE does not exist on disk
// PIP will handle this as an error and inform the user // PIP will handle this as an error and inform the user

9
packages/safe-chain/src/packagemanager/pip/runPipCommand.spec.js
View file

@ -24,10 +24,7 @@ describe("runPipCommand environment variable handling", () => {
// Capture the config file content before the function cleans it up // Capture the config file content before the function cleans it up
if (options.env.PIP_CONFIG_FILE) { if (options.env.PIP_CONFIG_FILE) {
try { try {
capturedConfigContent = await fs.readFile( capturedConfigContent = await fs.readFile(options.env.PIP_CONFIG_FILE, "utf-8");
options.env.PIP_CONFIG_FILE,
"utf-8",
);
} catch { } catch {
// Ignore if file doesn't exist or can't be read // Ignore if file doesn't exist or can't be read
} }
@ -211,7 +208,7 @@ describe("runPipCommand environment variable handling", () => {
"install", "install",
"certifi", "certifi",
"--index-url", "--index-url",
"https://test.pypi.org/simple" "https://test.pypi.org/simple",
]); ]);
assert.strictEqual(res.status, 0); assert.strictEqual(res.status, 0);
// Env vars should be set unconditionally // Env vars should be set unconditionally
@ -424,5 +421,5 @@ describe("runPipCommand environment variable handling", () => {
assert.strictEqual(shouldBypassSafeChain("python", ["-m", "pip3"]), false); assert.strictEqual(shouldBypassSafeChain("python", ["-m", "pip3"]), false);
assert.strictEqual(shouldBypassSafeChain("python3", ["-m", "pip3"]), false); assert.strictEqual(shouldBypassSafeChain("python3", ["-m", "pip3"]), false);
}); });
}); });

10
packages/safe-chain/src/registryProxy/builtInProxy/interceptors/npm/npmInterceptor.minPackageAge.spec.js
View file

@ -386,10 +386,7 @@ describe("npmInterceptor minimum package age", async () => {
}, },
}); });
const modifiedBody = await runModifyNpmInfoRequest( const modifiedBody = await runModifyNpmInfoRequest(packageUrl, originalBody);
packageUrl,
originalBody,
);
const modifiedJson = JSON.parse(modifiedBody); const modifiedJson = JSON.parse(modifiedBody);
// All versions should remain unchanged since lodash is excluded // All versions should remain unchanged since lodash is excluded
@ -449,10 +446,7 @@ describe("npmInterceptor minimum package age", async () => {
}, },
}); });
const modifiedBody = await runModifyNpmInfoRequest( const modifiedBody = await runModifyNpmInfoRequest(packageUrl, originalBody);
packageUrl,
originalBody,
);
const modifiedJson = JSON.parse(modifiedBody); const modifiedJson = JSON.parse(modifiedBody);
// All versions should remain for excluded scoped package // All versions should remain for excluded scoped package