Some small fixes

Reinier Criel 2025-11-12 13:30:22 -08:00
parent fdef9e0766
commit f215368c4a
2 changed files with 9 additions and 0 deletions


@ -24,6 +24,7 @@ export async function runPip(command, args) {
if (!env.REQUESTS_CA_BUNDLE) { if (!env.REQUESTS_CA_BUNDLE) {
env.REQUESTS_CA_BUNDLE = combinedCaPath; env.REQUESTS_CA_BUNDLE = combinedCaPath;
} }
if (!env.SSL_CERT_FILE) { if (!env.SSL_CERT_FILE) {
env.SSL_CERT_FILE = combinedCaPath; env.SSL_CERT_FILE = combinedCaPath;
} }
@ -33,6 +34,8 @@ export async function runPip(command, args) {
if (!env.PIP_CERT) { if (!env.PIP_CERT) {
env.PIP_CERT = combinedCaPath; env.PIP_CERT = combinedCaPath;
} }
// PIP_CONFIG file is created to ensure proxy and cert settings are applied even if env vars are ignored for certificates (e.g. Python 3.11 and up).
if (!env.PIP_CONFIG_FILE) { if (!env.PIP_CONFIG_FILE) {
const tmpDir = os.tmpdir(); const tmpDir = os.tmpdir();
const pipConfigPath = path.join(tmpDir, `safe-chain-pip-${Date.now()}.ini`); const pipConfigPath = path.join(tmpDir, `safe-chain-pip-${Date.now()}.ini`);
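Review bot: The pip config file gets a guessable `safe-chain-pip-<timestamp>.ini` name directly under `os.tmpdir()`, and the comment added above the `PIP_CONFIG_FILE` guard explains why the file exists but not how it is protected. Because this file decides which CA bundle and proxy pip trusts, on a multi-user host another local account could pre-create or symlink that path before it is written. Creating a private directory first avoids this, assuming `fs` is imported in this file: `const pipConfigDir = fs.mkdtempSync(path.join(os.tmpdir(), "safe-chain-pip-"));` followed by `const pipConfigPath = path.join(pipConfigDir, "pip.ini");`. The body of runPip continues outside the hunk, so the write call, its file mode and any cleanup after pip exits are not visible here and should be checked as well.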


@ -49,6 +49,12 @@ export function generateCertForHost(hostname) {
keyEncipherment: true, keyEncipherment: true,
}, },
{ {
/*
extKeyUsage serverAuth is required for TLS server authentication.
This is especially important for Python venv environments, which use their own
certificate validation logic and will reject certificates lacking the serverAuth EKU.
Adding serverAuth does not impact other usages
*/
name: "extKeyUsage", name: "extKeyUsage",
serverAuth: true, serverAuth: true,
}, },
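Review bot: The new comment inside the `extKeyUsage` entry says adding serverAuth "does not impact other usages", but an extended key usage extension limits a certificate to the purposes it lists. With only `serverAuth: true` visible, the per-host certificate is usable for TLS server authentication and nothing else, which is the least-privilege property one wants from a locally minted certificate and is worth stating as such. The wording about venvs having "their own certificate validation logic" is also imprecise, since validation is presumably done by the TLS stack of the Python that pip runs under rather than by the venv itself. I would move the comment above the object literal and shorten it to `// EKU serverAuth: needed by strict TLS validators (e.g. pip in a Python venv);` and `// it also restricts this leaf certificate to TLS server authentication only.` generateCertForHost starts and ends outside the hunk.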