milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Code Quality

Browse source
This commit is contained in:
Reinier Criel 2026-04-10 15:16:33 -07:00
parent 6628e1d4fd
commit eb9d0bba3e
7 changed files with 68 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

13
install-scripts/install-safe-chain.ps1
View file

@ -150,6 +150,19 @@ function Remove-VoltaInstallation {
# Main installation # Main installation
function Install-SafeChain { function Install-SafeChain {
# Validate SAFE_CHAIN_DIR before using it to write files
if ($env:SAFE_CHAIN_DIR) {
if (-not [System.IO.Path]::IsPathRooted($env:SAFE_CHAIN_DIR)) {
Write-Error-Custom "SAFE_CHAIN_DIR must be an absolute path, got: $($env:SAFE_CHAIN_DIR)"
}
if ($env:SAFE_CHAIN_DIR -match '\.\.') {
Write-Error-Custom "SAFE_CHAIN_DIR must not contain path traversal (..)"
}
if ($env:SAFE_CHAIN_DIR -match '^[A-Za-z]:[/\\]?$' -or $env:SAFE_CHAIN_DIR -eq '/') {
Write-Error-Custom "SAFE_CHAIN_DIR cannot be a root or drive-root directory"
}
}
# Show deprecation warning if SAFE_CHAIN_VERSION is set # Show deprecation warning if SAFE_CHAIN_VERSION is set
if (-not [string]::IsNullOrWhiteSpace($env:SAFE_CHAIN_VERSION)) { if (-not [string]::IsNullOrWhiteSpace($env:SAFE_CHAIN_VERSION)) {
Write-Warn "SAFE_CHAIN_VERSION environment variable is deprecated." Write-Warn "SAFE_CHAIN_VERSION environment variable is deprecated."

14
install-scripts/install-safe-chain.sh
View file

@ -247,6 +247,20 @@ parse_arguments() {
# Main installation # Main installation
main() { main() {
# Validate SAFE_CHAIN_DIR before using it to write files
if [ -n "${SAFE_CHAIN_DIR}" ]; then
case "${SAFE_CHAIN_DIR}" in
/*) ;; # absolute path — OK
*) error "SAFE_CHAIN_DIR must be an absolute path, got: ${SAFE_CHAIN_DIR}" ;;
esac
case "${SAFE_CHAIN_DIR}" in
*../*|*/..*|..) error "SAFE_CHAIN_DIR must not contain path traversal (..)" ;;
esac
if [ "${SAFE_CHAIN_DIR}" = "/" ]; then
error "SAFE_CHAIN_DIR cannot be the root directory"
fi
fi
# Initialize argument flags # Initialize argument flags
USE_CI_SETUP=false USE_CI_SETUP=false

13
install-scripts/uninstall-safe-chain.ps1
View file

@ -75,6 +75,19 @@ function Remove-VoltaInstallation {
# Main uninstallation # Main uninstallation
function Uninstall-SafeChain { function Uninstall-SafeChain {
# Validate SAFE_CHAIN_DIR before using it to delete files
if ($env:SAFE_CHAIN_DIR) {
if (-not [System.IO.Path]::IsPathRooted($env:SAFE_CHAIN_DIR)) {
Write-Error-Custom "SAFE_CHAIN_DIR must be an absolute path, got: $($env:SAFE_CHAIN_DIR)"
}
if ($env:SAFE_CHAIN_DIR -match '\.\.') {
Write-Error-Custom "SAFE_CHAIN_DIR must not contain path traversal (..)"
}
if ($env:SAFE_CHAIN_DIR -match '^[A-Za-z]:[/\\]?$' -or $env:SAFE_CHAIN_DIR -eq '/') {
Write-Error-Custom "SAFE_CHAIN_DIR cannot be a root or drive-root directory"
}
}
Write-Info "Uninstalling safe-chain..." Write-Info "Uninstalling safe-chain..."
# Run teardown if safe-chain is available # Run teardown if safe-chain is available

14
install-scripts/uninstall-safe-chain.sh
View file

@ -139,6 +139,20 @@ remove_nvm_installation() {
# Main uninstallation # Main uninstallation
main() { main() {
# Validate SAFE_CHAIN_DIR before using it to delete files
if [ -n "${SAFE_CHAIN_DIR}" ]; then
case "${SAFE_CHAIN_DIR}" in
/*) ;; # absolute path — OK
*) error "SAFE_CHAIN_DIR must be an absolute path, got: ${SAFE_CHAIN_DIR}" ;;
esac
case "${SAFE_CHAIN_DIR}" in
*../*|*/..*|..) error "SAFE_CHAIN_DIR must not contain path traversal (..)" ;;
esac
if [ "${SAFE_CHAIN_DIR}" = "/" ]; then
error "SAFE_CHAIN_DIR cannot be the root directory"
fi
fi
SAFE_CHAIN_LOCATION="$DOT_SAFE_CHAIN/bin/safe-chain" SAFE_CHAIN_LOCATION="$DOT_SAFE_CHAIN/bin/safe-chain"
if [ -x "$SAFE_CHAIN_LOCATION" ]; then if [ -x "$SAFE_CHAIN_LOCATION" ]; then

6
packages/safe-chain/src/shell-integration/startup-scripts/init-fish.fish
View file

@ -1,4 +1,8 @@
set -l safe_chain_base (if set -q SAFE_CHAIN_DIR; echo $SAFE_CHAIN_DIR; else; echo $HOME/.safe-chain; end) # Guard against PATH separator injection: reject SAFE_CHAIN_DIR values containing ':'
set -l safe_chain_base $HOME/.safe-chain
if set -q SAFE_CHAIN_DIR; and not string match -q '*:*' -- $SAFE_CHAIN_DIR
set safe_chain_base $SAFE_CHAIN_DIR
end
set -gx PATH $PATH $safe_chain_base/bin set -gx PATH $PATH $safe_chain_base/bin
function npx function npx

8
packages/safe-chain/src/shell-integration/startup-scripts/init-posix.sh
View file

@ -1,4 +1,10 @@
export PATH="$PATH:${SAFE_CHAIN_DIR:-$HOME/.safe-chain}/bin" # Guard against PATH separator injection: reject SAFE_CHAIN_DIR values containing ':'
case "${SAFE_CHAIN_DIR}" in
*:*) _sc_base="${HOME}/.safe-chain" ;;
*) _sc_base="${SAFE_CHAIN_DIR:-${HOME}/.safe-chain}" ;;
esac
export PATH="$PATH:${_sc_base}/bin"
unset _sc_base
function npx() { function npx() {
wrapSafeChainCommand "npx" "$@" wrapSafeChainCommand "npx" "$@"

3
packages/safe-chain/src/shell-integration/startup-scripts/init-pwsh.ps1
View file

@ -2,7 +2,8 @@
# $IsWindows is only available in PowerShell Core 6.0+. If it doesn't exist, assume Windows PowerShell # $IsWindows is only available in PowerShell Core 6.0+. If it doesn't exist, assume Windows PowerShell
$isWindowsPlatform = if (Test-Path variable:IsWindows) { $IsWindows } else { $true } $isWindowsPlatform = if (Test-Path variable:IsWindows) { $IsWindows } else { $true }
$pathSeparator = if ($isWindowsPlatform) { ';' } else { ':' } $pathSeparator = if ($isWindowsPlatform) { ';' } else { ':' }
$safeChainBase = if ($env:SAFE_CHAIN_DIR) { $env:SAFE_CHAIN_DIR } else { Join-Path $HOME '.safe-chain' } # Guard against PATH separator injection: reject SAFE_CHAIN_DIR values containing the path separator
$safeChainBase = if ($env:SAFE_CHAIN_DIR -and -not $env:SAFE_CHAIN_DIR.Contains($pathSeparator)) { $env:SAFE_CHAIN_DIR } else { Join-Path $HOME '.safe-chain' }
$safeChainBin = Join-Path $safeChainBase 'bin' $safeChainBin = Join-Path $safeChainBase 'bin'
$env:PATH = "$env:PATH$pathSeparator$safeChainBin" $env:PATH = "$env:PATH$pathSeparator$safeChainBin"