milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 20:20:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
1203 commits 61 branches 106 tags 3.3 MiB
Commit graph

172 commits

Author SHA1 Message Date
Xander Van Raemdonck
19d2dee5c9
Bind registry proxy to loopback only 
Without an explicit host, `server.listen(0)` binds to every interface,
turning safe-chain's unauthenticated forward proxy into an open relay
while `aikido-*` commands are running. Anyone reachable on the network
can use it to hit the victim's localhost, intranet, or cloud metadata
endpoints. The advertised HTTPS_PROXY URL already used `localhost`
(loopback), but the listener itself was wide open.

Bind to 127.0.0.1 explicitly and update the advertised URL to match.
Add a regression test that verifies the listener refuses connections
on non-loopback interfaces.
 2026-04-30 20:37:41 +02:00
Reinier Criel
33c3bec43d Fix PyPI minimum-age fallback when cached metadata bypasses rewrite 2026-04-17 09:37:40 -07:00
Reinier Criel
6ff2ee3367 Adapt per review 2026-04-14 11:30:29 -07:00
Reinier Criel
d064d46668 Cleanup 2026-04-13 11:01:45 -07:00
Reinier Criel
32c95dbb9d Fix WIndows shell + unit tests 2026-04-10 14:27:55 -07:00
Reinier Criel
1a2805ba56 Adapt per review 2026-04-02 13:00:01 -07:00
Reinier Criel
0aabba668e Adapt per review 2026-04-02 08:56:20 -07:00
Reinier Criel
06ef0c3990 Adapt per review 2026-04-01 20:08:56 -07:00
Reinier Criel
c696386825 Some more cleanup 2026-04-01 15:38:42 -07:00
Reinier Criel
2b1247cf36 Code Quality 2026-04-01 15:23:25 -07:00
Reinier Criel
27e77d9b0b Fix regex 2026-04-01 15:19:39 -07:00
Reinier Criel
1a811edc95 More cleanup 2026-04-01 14:57:24 -07:00
Reinier Criel
4564b7f607 Initial 2026-04-01 14:32:36 -07:00
Reinier Criel
2ba6aaa46e Adapt per review 2026-03-30 07:58:14 -07:00
Reinier Criel
d84270be8d Adapt per review 2026-03-28 16:51:33 -07:00
Reinier Criel
aa7bbbd4e9 Code Quality 2026-03-28 11:39:02 -07:00
Reinier Criel
fd6fb456b4 Add minimum package age check for pypi 2026-03-28 10:15:13 -07:00
bitterpanda
5b1cd7e8da Split up newPackagesDatabse into builder, warnigns, cache 2026-03-27 15:52:07 -07:00
Reinier Criel
3a01a92f03 Code Quality 2026-03-27 15:14:13 -07:00
Reinier Criel
8133f0c970 Some more cleanup 2026-03-27 14:38:41 -07:00
Reinier Criel
8a4f759a78 Some cleanup 2026-03-27 14:25:58 -07:00
Reinier Criel
2df8ce463c Adapt per review 2026-03-27 13:17:58 -07:00
Reinier Criel
a53fc736e9 Fix yarn URL issue 2026-03-27 11:45:26 -07:00
Reinier Criel
db31fa9f41 Fix unit test 2026-03-27 10:37:47 -07:00
Reinier Criel
edf6a1694f Some cleanups 2026-03-27 10:35:41 -07:00
Reinier Criel
07e315a382 Adapt doc 2026-03-19 16:07:31 -07:00
Reinier Criel
2f4268f1af Add extra check 2026-03-19 15:58:42 -07:00
Sander Declerck
d9e6b89918
Undo dot in comment 2026-03-19 15:42:09 +01:00
Sander Declerck
47377711b8
Write log when certbundle could not be deleted 2026-03-19 11:11:34 +01:00
Sander Declerck
527e3cd70a
Cleanup generated cert bundles 2026-03-19 11:08:38 +01:00
Sander Declerck
c02d0785fa
Fix tests for mitm registryproxy 2026-01-22 11:58:52 +01:00
Sander Declerck
6c814ff82f
Only allow wildcards for scoped packages (@scope/*) 2026-01-15 15:13:00 +01:00
Sander Declerck
884cb6e026
Allow trailing * for wildcard matching 2026-01-14 17:51:41 +01:00
Sander Declerck
6815b62019
Allow to exclude packages from the minimum package age 2026-01-14 17:41:23 +01:00
bitterpanda
c38f1bcb3e
Update packages/safe-chain/src/registryProxy/interceptors/npm/modifyNpmInfo.js 2026-01-13 19:33:00 +01:00
Reinier Criel
f678ff8dd1 Include package name in logging when minimum package age is not met 2026-01-13 10:09:59 -08:00
Sander Declerck
8bfbe1c77d
Merge pull request #232 from galargh/pip-custom-registries 
feat: allow python custom registries configuration
 2026-01-05 14:01:51 +01:00
galargh
39e2001d97 Merge remote-tracking branch 'origin/main' into pip-custom-registries 2025-12-22 13:27:04 +01:00
jassanw
3b6beb7f16 default to port 443 if port is null or empty 2025-12-19 18:49:58 -08:00
cherryace
bd19f477f7 Using port from req url when creating proxy request instead of hardcoded port 443 2025-12-19 17:57:33 -08:00
Sander Declerck
53c59e35e9
Merge pull request #258 from thomasbecker/fix/connection-timeout-issue-228 
fix: use true connection timeout instead of idle timeout
 2025-12-19 11:05:53 +01:00
Sander Declerck
e3aa2e15cb
Add npmjs.com to known registries too. 2025-12-18 17:59:15 +01:00
Sander Declerck
41cc24d1f5
Allow to configure custom/prinvate npm registries 2025-12-18 13:52:49 +01:00
Thomas Becker
878e549211 fix: use true connection timeout instead of idle timeout 
socket.setTimeout() is an idle timeout in Node.js (node docs)[https://nodejs.org/api/net.html#socketsettimeouttimeout-callback]
- it fires after N ms of inactivity, not N ms after the connection attempt. This
caused false timeout errors after successful data transfers when connections
went idle for longer than the timeout period.

Replace with JS setTimeout() that:
- Fires N ms after connection attempt starts
- Gets cleared on successful connect
- Return 504 Gateway Timeout (more accurate than 502)

Also adds proper close event handlers for socket cleanup.

Fixes #228
 2025-12-18 12:53:49 +01:00
galargh
833fa285aa feat: allow python custom registries configuration 2025-12-10 13:27:18 +01:00
Reinier Criel
0b28cb8fdb Merge branch 'main' into feature/combine-certs 2025-12-09 14:31:05 -08:00
Sander Declerck
40650e7912
Add tests for: not shortcircuiting timeout on imds endpoint. 2025-12-09 15:46:37 +01:00
Sander Declerck
afc68618c6
Only timeout for imds endpoints 2025-12-09 15:25:19 +01:00
Reinier Criel
5d1807a551 Remove unnecessary change 2025-12-08 17:30:55 -08:00
Reinier Criel
b84b410fd8 Fix linting issues 2025-12-08 15:36:37 -08:00