Merge pull request #13 from AikidoSec/powershell-safe-chain-detection

Powershell: Use functions to wrap package managers and detect if the aikido commands are available
2026-05-26 12:10:49 +00:00 · 2025-08-04 10:23:55 +02:00 · 2025-08-04 10:23:55 +02:00 · dce6350816
commit dce6350816
parent b8ac2e3bc1 2a7e2e3ed8
6 changed files with 193 additions and 113 deletions
--- a/src/shell-integration/setup.js
+++ b/src/shell-integration/setup.js
@ -81,7 +81,7 @@ function setupShell(shell) {
 }

 function copyStartupFiles() {
-  const startupFiles = ["init-posix.sh"];
+  const startupFiles = ["init-posix.sh", "init-pwsh.ps1"];

  for (const file of startupFiles) {
    const targetDir = path.join(os.homedir(), ".safe-chain", "scripts");
--- a/src/shell-integration/startup-scripts/init-pwsh.ps1
+++ b/src/shell-integration/startup-scripts/init-pwsh.ps1
@ -0,0 +1,80 @@
+function Write-SafeChainWarning {
+    param([string]$Command)
+    
+    # PowerShell equivalent of ANSI color codes: yellow background, black text for "Warning:"
+    Write-Host "Warning:" -BackgroundColor Yellow -ForegroundColor Black -NoNewline
+    Write-Host " safe-chain is not available to protect you from installing malware. $Command will be run directly."
+    
+    # Cyan text for the install command
+    Write-Host "Install safe-chain by using " -NoNewline
+    Write-Host "npm install -g @aikidosec/safe-chain" -ForegroundColor Cyan -NoNewline
+    Write-Host "."
+}
+
+function Test-CommandAvailable {
+    param([string]$Command)
+    
+    try {
+        Get-Command $Command -ErrorAction Stop | Out-Null
+        return $true
+    }
+    catch {
+        return $false
+    }
+}
+
+function Invoke-RealCommand {
+    param(
+        [string]$Command,
+        [string[]]$Arguments
+    )
+    
+    # Find the real executable to avoid calling our wrapped functions
+    $realCommand = Get-Command -Name $Command -CommandType Application | Select-Object -First 1
+    if ($realCommand) {
+        & $realCommand.Source @Arguments
+    }
+}
+
+function Invoke-WrappedCommand {
+    param(
+        [string]$OriginalCmd,
+        [string]$AikidoCmd,
+        [string[]]$Arguments
+    )
+
+    if (Test-CommandAvailable $AikidoCmd) {
+        & $AikidoCmd @Arguments
+    }
+    else {
+        Write-SafeChainWarning $OriginalCmd
+        Invoke-RealCommand $OriginalCmd $Arguments
+    }
+}
+
+function npx {
+    Invoke-WrappedCommand "npx" "aikido-npx" $args
+}
+
+function yarn {
+    Invoke-WrappedCommand "yarn" "aikido-yarn" $args
+}
+
+function pnpm {
+    Invoke-WrappedCommand "pnpm" "aikido-pnpm" $args
+}
+
+function pnpx {
+    Invoke-WrappedCommand "pnpx" "aikido-pnpx" $args
+}
+
+function npm {
+    # If args is just -v or --version and nothing else, just run the npm version command
+    # This is because nvm uses this to check the version of npm
+    if (($args.Length -eq 1) -and (($args[0] -eq "-v") -or ($args[0] -eq "--version"))) {
+        Invoke-RealCommand "npm" $args
+        return
+    }
+    
+    Invoke-WrappedCommand "npm" "aikido-npm" $args
+}
--- a/src/shell-integration/supported-shells/powershell.js
+++ b/src/shell-integration/supported-shells/powershell.js
@ -24,18 +24,22 @@ function teardown(tools) {
    );
  }

+  // Remove the line that sources the safe-chain PowerShell initialization script
+  removeLinesMatchingPattern(
+    startupFile,
+    /^\.\s+["']?\$HOME[/\\].safe-chain[/\\]scripts[/\\]init-pwsh\.ps1["']?/
+  );
+
  return true;
 }

-function setup(tools) {
+function setup() {
  const startupFile = getStartupFile();

-  for (const { tool, aikidoCommand } of tools) {
-    addLineToFile(
-      startupFile,
-      `Set-Alias ${tool} ${aikidoCommand} # Safe-chain alias for ${tool}`
-    );
-  }
+  addLineToFile(
+    startupFile,
+    `. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1" # Safe-chain PowerShell initialization script`
+  );

  return true;
 }
--- a/src/shell-integration/supported-shells/powershell.spec.js
+++ b/src/shell-integration/supported-shells/powershell.spec.js
@ -69,49 +69,47 @@ describe("PowerShell Core shell integration", () => {
  });

  describe("setup", () => {
-    it("should add aliases for all provided tools", () => {
-      const tools = [
-        { tool: "npm", aikidoCommand: "aikido-npm" },
-        { tool: "npx", aikidoCommand: "aikido-npx" },
-        { tool: "yarn", aikidoCommand: "aikido-yarn" },
-      ];
-
-      const result = powershell.setup(tools);
+    it("should add init-pwsh.ps1 source line", () => {
+      const result = powershell.setup();
      assert.strictEqual(result, true);

      const content = fs.readFileSync(mockStartupFile, "utf-8");
-      assert.ok(
-        content.includes("Set-Alias npm aikido-npm # Safe-chain alias for npm")
-      );
-      assert.ok(
-        content.includes("Set-Alias npx aikido-npx # Safe-chain alias for npx")
-      );
      assert.ok(
        content.includes(
-          "Set-Alias yarn aikido-yarn # Safe-chain alias for yarn"
+          '. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1" # Safe-chain PowerShell initialization script'
        )
      );
    });
-
-    it("should handle empty tools array", () => {
-      const result = powershell.setup([]);
-      assert.strictEqual(result, true);
-
-      // File should be created during teardown call even if no tools are provided
-      if (fs.existsSync(mockStartupFile)) {
-        const content = fs.readFileSync(mockStartupFile, "utf-8");
-        assert.strictEqual(content.trim(), "");
-      }
-    });
  });

  describe("teardown", () => {
-    it("should remove npm, npx, and yarn aliases", () => {
+    it("should remove init-pwsh.ps1 source line", () => {
      const initialContent = [
        "# PowerShell profile",
-        "Set-Alias npm aikido-npm",
-        "Set-Alias npx aikido-npx",
-        "Set-Alias yarn aikido-yarn",
+        '. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1" # Safe-chain PowerShell initialization script',
+        "Set-Alias ls Get-ChildItem",
+        "Set-Alias grep Select-String",
+      ].join("\n");
+
+      fs.writeFileSync(mockStartupFile, initialContent, "utf-8");
+
+      const result = powershell.teardown(knownAikidoTools);
+      assert.strictEqual(result, true);
+
+      const content = fs.readFileSync(mockStartupFile, "utf-8");
+      assert.ok(
+        !content.includes('. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1"')
+      );
+      assert.ok(content.includes("Set-Alias ls "));
+      assert.ok(content.includes("Set-Alias grep "));
+    });
+
+    it("should remove old-style aliases from earlier versions", () => {
+      const initialContent = [
+        "# PowerShell profile",
+        "Set-Alias npm aikido-npm # Safe-chain alias for npm",
+        "Set-Alias npx aikido-npx # Safe-chain alias for npx",
+        "Set-Alias yarn aikido-yarn # Safe-chain alias for yarn",
        "Set-Alias ls Get-ChildItem",
        "Set-Alias grep Select-String",
      ].join("\n");
@ -138,7 +136,7 @@ describe("PowerShell Core shell integration", () => {
      assert.strictEqual(result, true);
    });

-    it("should handle file with no relevant aliases", () => {
+    it("should handle file with no relevant content", () => {
      const initialContent = [
        "# PowerShell profile",
        "Set-Alias ls Get-ChildItem",
@ -171,34 +169,32 @@ describe("PowerShell Core shell integration", () => {

  describe("integration tests", () => {
    it("should handle complete setup and teardown cycle", () => {
-      const tools = [
-        { tool: "npm", aikidoCommand: "aikido-npm" },
-        { tool: "yarn", aikidoCommand: "aikido-yarn" },
-      ];
-
      // Setup
-      powershell.setup(tools);
+      powershell.setup();
      let content = fs.readFileSync(mockStartupFile, "utf-8");
-      assert.ok(content.includes("Set-Alias npm aikido-npm"));
-      assert.ok(content.includes("Set-Alias yarn aikido-yarn"));
+      assert.ok(
+        content.includes('. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1"')
+      );

      // Teardown
-      powershell.teardown(tools);
+      powershell.teardown(knownAikidoTools);
      content = fs.readFileSync(mockStartupFile, "utf-8");
-      assert.ok(!content.includes("Set-Alias npm "));
-      assert.ok(!content.includes("Set-Alias yarn "));
+      assert.ok(
+        !content.includes('. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1"')
+      );
    });

    it("should handle multiple setup calls", () => {
-      const tools = [{ tool: "npm", aikidoCommand: "aikido-npm" }];
-
-      powershell.setup(tools);
-      powershell.teardown(tools);
-      powershell.setup(tools);
+      powershell.setup();
+      powershell.teardown(knownAikidoTools);
+      powershell.setup();

      const content = fs.readFileSync(mockStartupFile, "utf-8");
-      const npmMatches = (content.match(/Set-Alias npm /g) || []).length;
-      assert.strictEqual(npmMatches, 1, "Should not duplicate aliases");
+      const sourceMatches = (
+        content.match(/\. "\$HOME\\.safe-chain\\scripts\\init-pwsh\.ps1"/g) ||
+        []
+      ).length;
+      assert.strictEqual(sourceMatches, 1, "Should not duplicate source lines");
    });
  });
 });
--- a/src/shell-integration/supported-shells/windowsPowershell.js
+++ b/src/shell-integration/supported-shells/windowsPowershell.js
@ -24,18 +24,22 @@ function teardown(tools) {
    );
  }

+  // Remove the line that sources the safe-chain PowerShell initialization script
+  removeLinesMatchingPattern(
+    startupFile,
+    /^\.\s+["']?\$HOME[/\\].safe-chain[/\\]scripts[/\\]init-pwsh\.ps1["']?/
+  );
+
  return true;
 }

-function setup(tools) {
+function setup() {
  const startupFile = getStartupFile();

-  for (const { tool, aikidoCommand } of tools) {
-    addLineToFile(
-      startupFile,
-      `Set-Alias ${tool} ${aikidoCommand} # Safe-chain alias for ${tool}`
-    );
-  }
+  addLineToFile(
+    startupFile,
+    `. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1" # Safe-chain PowerShell initialization script`
+  );

  return true;
 }
--- a/src/shell-integration/supported-shells/windowsPowershell.spec.js
+++ b/src/shell-integration/supported-shells/windowsPowershell.spec.js
@ -69,49 +69,47 @@ describe("Windows PowerShell shell integration", () => {
  });

  describe("setup", () => {
-    it("should add aliases for all provided tools", () => {
-      const tools = [
-        { tool: "npm", aikidoCommand: "aikido-npm" },
-        { tool: "npx", aikidoCommand: "aikido-npx" },
-        { tool: "yarn", aikidoCommand: "aikido-yarn" },
-      ];
-
-      const result = windowsPowershell.setup(tools);
+    it("should add init-pwsh.ps1 source line", () => {
+      const result = windowsPowershell.setup();
      assert.strictEqual(result, true);

      const content = fs.readFileSync(mockStartupFile, "utf-8");
-      assert.ok(
-        content.includes("Set-Alias npm aikido-npm # Safe-chain alias for npm")
-      );
-      assert.ok(
-        content.includes("Set-Alias npx aikido-npx # Safe-chain alias for npx")
-      );
      assert.ok(
        content.includes(
-          "Set-Alias yarn aikido-yarn # Safe-chain alias for yarn"
+          '. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1" # Safe-chain PowerShell initialization script'
        )
      );
    });
-
-    it("should handle empty tools array", () => {
-      const result = windowsPowershell.setup([]);
-      assert.strictEqual(result, true);
-
-      // File should be created during teardown call even if no tools are provided
-      if (fs.existsSync(mockStartupFile)) {
-        const content = fs.readFileSync(mockStartupFile, "utf-8");
-        assert.strictEqual(content.trim(), "");
-      }
-    });
  });

  describe("teardown", () => {
-    it("should remove npm, npx, and yarn aliases", () => {
+    it("should remove init-pwsh.ps1 source line", () => {
      const initialContent = [
        "# Windows PowerShell profile",
-        "Set-Alias npm aikido-npm",
-        "Set-Alias npx aikido-npx",
-        "Set-Alias yarn aikido-yarn",
+        '. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1" # Safe-chain PowerShell initialization script',
+        "Set-Alias ls Get-ChildItem",
+        "Set-Alias grep Select-String",
+      ].join("\n");
+
+      fs.writeFileSync(mockStartupFile, initialContent, "utf-8");
+
+      const result = windowsPowershell.teardown(knownAikidoTools);
+      assert.strictEqual(result, true);
+
+      const content = fs.readFileSync(mockStartupFile, "utf-8");
+      assert.ok(
+        !content.includes('. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1"')
+      );
+      assert.ok(content.includes("Set-Alias ls "));
+      assert.ok(content.includes("Set-Alias grep "));
+    });
+
+    it("should remove old-style aliases from earlier versions", () => {
+      const initialContent = [
+        "# Windows PowerShell profile",
+        "Set-Alias npm aikido-npm # Safe-chain alias for npm",
+        "Set-Alias npx aikido-npx # Safe-chain alias for npx",
+        "Set-Alias yarn aikido-yarn # Safe-chain alias for yarn",
        "Set-Alias ls Get-ChildItem",
        "Set-Alias grep Select-String",
      ].join("\n");
@ -138,7 +136,7 @@ describe("Windows PowerShell shell integration", () => {
      assert.strictEqual(result, true);
    });

-    it("should handle file with no relevant aliases", () => {
+    it("should handle file with no relevant content", () => {
      const initialContent = [
        "# Windows PowerShell profile",
        "Set-Alias ls Get-ChildItem",
@ -171,34 +169,32 @@ describe("Windows PowerShell shell integration", () => {

  describe("integration tests", () => {
    it("should handle complete setup and teardown cycle", () => {
-      const tools = [
-        { tool: "npm", aikidoCommand: "aikido-npm" },
-        { tool: "yarn", aikidoCommand: "aikido-yarn" },
-      ];
-
      // Setup
-      windowsPowershell.setup(tools);
+      windowsPowershell.setup();
      let content = fs.readFileSync(mockStartupFile, "utf-8");
-      assert.ok(content.includes("Set-Alias npm aikido-npm"));
-      assert.ok(content.includes("Set-Alias yarn aikido-yarn"));
+      assert.ok(
+        content.includes('. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1"')
+      );

      // Teardown
-      windowsPowershell.teardown(tools);
+      windowsPowershell.teardown(knownAikidoTools);
      content = fs.readFileSync(mockStartupFile, "utf-8");
-      assert.ok(!content.includes("Set-Alias npm "));
-      assert.ok(!content.includes("Set-Alias yarn "));
+      assert.ok(
+        !content.includes('. "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1"')
+      );
    });

    it("should handle multiple setup calls", () => {
-      const tools = [{ tool: "npm", aikidoCommand: "aikido-npm" }];
-
-      windowsPowershell.setup(tools);
-      windowsPowershell.teardown(tools);
-      windowsPowershell.setup(tools);
+      windowsPowershell.setup();
+      windowsPowershell.teardown(knownAikidoTools);
+      windowsPowershell.setup();

      const content = fs.readFileSync(mockStartupFile, "utf-8");
-      const npmMatches = (content.match(/Set-Alias npm /g) || []).length;
-      assert.strictEqual(npmMatches, 1, "Should not duplicate aliases");
+      const sourceMatches = (
+        content.match(/\. "\$HOME\\.safe-chain\\scripts\\init-pwsh\.ps1"/g) ||
+        []
+      ).length;
+      assert.strictEqual(sourceMatches, 1, "Should not duplicate source lines");
    });
  });
 });