milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add tests

Browse source
This commit is contained in:
Reinier Criel 2025-10-22 14:51:44 -07:00
parent 1f707c1e13
commit fbb7e0f95f
10 changed files with 1934 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

13
packages/safe-chain/src/registryProxy/registryProxy.js
View file

@ -4,7 +4,7 @@ import { mitmConnect } from "./mitmRequestHandler.js";
import { handleHttpProxyRequest } from "./plainHttpProxy.js";
import { getCaCertPath } from "./certUtils.js";
import { auditChanges } from "../scanning/audit/index.js";
import { knownRegistries, parsePackageFromUrl } from "./parsePackageFromUrl.js";
import { knownNpmRegistries, knownYarnRegistries, knownPipRegistries, parsePackageFromUrl } from "./parsePackageFromUrl.js";
import { ui } from "../environment/userInteraction.js";
import chalk from "chalk";
@ -108,10 +108,11 @@ function handleConnect(req, clientSocket, head) {
// CONNECT method is used for HTTPS requests
// It establishes a tunnel to the server identified by the request URL
if (knownRegistries.some((reg) => req.url.includes(reg))) {
// For npm and yarn registries, we want to intercept and inspect the traffic
// so we can block packages with malware
mitmConnect(req, clientSocket, isAllowedUrl);
console.log("**registryProxy.js** Handling CONNECT request for:", req.url);
if ((knownNpmRegistries.some((reg) => req.url.includes(reg)))
|| (knownYarnRegistries.some((reg) => req.url.includes(reg)))
|| (knownPipRegistries.some((reg) => req.url.includes(reg)))) {
mitmConnect(req, clientSocket, isAllowedUrl);
} else {
// For other hosts, just tunnel the request to the destination tcp socket
tunnelRequest(req, clientSocket, head);
@ -124,6 +125,7 @@ async function isAllowedUrl(url) {
// packageName and version are undefined when the URL is not a package download
// In that case, we can allow the request to proceed
if (!packageName || !version) {
console.log("**registryProxy.js** Non-package URL, allowing:", url);
return true;
}
@ -132,6 +134,7 @@ async function isAllowedUrl(url) {
]);
if (!auditResult.isAllowed) {
console.log("**registryProxy.js** Blocking malicious package:", { packageName, version, url });
state.blockedRequests.push({ packageName, version, url });
return false;
}