Implement a proxy blocking tarball requests for packages containing malware.

This commit is contained in:
Sander Declerck 2025-09-30 13:52:21 +02:00
parent 04cb001006
commit e2afcb16e3
No known key found for this signature in database
16 changed files with 633 additions and 33 deletions


@ -4,8 +4,13 @@ import { scanCommand, shouldScanCommand } from "./scanning/index.js";
import { ui } from "./environment/userInteraction.js";
import { getPackageManager } from "./packagemanager/currentPackageManager.js";
import { initializeCliArguments } from "./config/cliArguments.js";
import { createSafeChainProxy } from "./registryProxy/registryProxy.js";
import chalk from "chalk";
export async function main(args) {
const proxy = createSafeChainProxy();
await proxy.startServer();
try {
// This parses all the --safe-chain arguments and removes them from the args array
args = initializeCliArguments(args);
@ -18,6 +23,29 @@ export async function main(args) {
process.exit(1);
}
var result = getPackageManager().runCommand(args);
var result = await getPackageManager().runCommand(args);
await proxy.stopServer();
const blockedRequests = proxy.getBlockedRequests();
if (blockedRequests.length > 0) {
ui.emptyLine();
ui.writeInformation(
`Safe-chain: ${chalk.bold(
`blocked ${blockedRequests.length} malicious package downloads`
)}:`
);
for (const req of blockedRequests) {
ui.writeInformation(` - ${req.packageName}@${req.version} (${req.url})`);
}
ui.emptyLine();
ui.writeError("Exiting without installing malicious packages.");
ui.emptyLine();
process.exit(1);
}
process.exit(result.status);
}
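Review bot: `proxy.startServer()` is awaited before the `try` (first hunk) and `proxy.stopServer()` is only reached on the normal return path after `runCommand` (second hunk), so if `runCommand` rejects, or anything in the `try` throws before it, the listening proxy socket is never closed and keeps the event loop alive. The `process.exit(1)` paths are fine since they terminate the process outright, but the thrown-error path is the one that leaks the server. Wrapping the call as `try { result = await getPackageManager().runCommand(args); } finally { await proxy.stopServer(); }` (or adding a `finally` to the enclosing `try`, whose catch side is outside the hunk) makes the shutdown unconditional. Separately, `req.packageName`, `req.version` and `req.url` on the blocked-requests line are echoed to the terminal verbatim; if these values can originate from intercepted registry responses rather than only from the package manager's own request, stripping control characters before printing would avoid terminal escape injection in the report. main starts in the first hunk and the catch side of its `try` is not visible here.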