milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
AikidoSec-safe-chain/packages/safe-chain/src/registryProxy/interceptors/npm/modifyNpmInfo.js
Sander Declerck dc6f37b3ec
Remove etag from response when modifying headers
2025-11-13 16:27:42 +01:00

154 lines
4.4 KiB
JavaScript
Raw Blame History

import { getMinimumPackageAgeHours } from "../../../config/settings.js";
import { ui } from "../../../environment/userInteraction.js";
/**
* @param {NodeJS.Dict<string | string[]>} headers
*/
export function modifyNpmInfoRequestHeaders(headers) {
if (headers["accept"]?.includes("application/vnd.npm.install-v1+json")) {
// The npm registry sometimes serves a more compact format that lacks
// the time metadata we need to filter out too new packages.
// Force the registry to return the full metadata by changing the Accept header.
headers["accept"] = "application/json";
}
}
/**
* @param {string} url
* @returns {boolean}
*/
export function isPackageInfoUrl(url) {
// Remove query string and fragment to get the actual path
const urlWithoutParams = url.split("?")[0].split("#")[0];
// Tarball downloads end with .tgz
if (urlWithoutParams.endsWith(".tgz")) return false;
// Special endpoints start with /-/ and should not be modified
// Examples: /-/npm/v1/security/advisories/bulk, /-/v1/search, /-/package/foo/access
if (urlWithoutParams.includes("/-/")) return false;
// Everything else is package metadata that can be modified
return true;
}
/**
*
* @param {Buffer} body
* @param {NodeJS.Dict<string | string[]> | undefined} headers
* @returns Buffer
*/
export function modifyNpmInfoResponse(body, headers) {
try {
if (body.byteLength === 0) {
return body;
}
const bodyContent = body.toString("utf8");
const bodyJson = JSON.parse(bodyContent);
if (!bodyJson.time || !bodyJson["dist-tags"] || !bodyJson.versions) {
// Just return the current body if the format is not
return body;
}
const cutOff = new Date(
new Date().getTime() - getMinimumPackageAgeHours() * 3600 * 1000
).toISOString();
const hasLatestTag = !!bodyJson["dist-tags"]["latest"];
const versions = Object.entries(bodyJson.time)
.map(([version, timestamp]) => ({
version,
timestamp,
}))
.filter((x) => x.version !== "created" && x.version !== "modified");
for (const { version, timestamp } of versions) {
if (version === "created" || version === "modified") {
continue;
}
if (timestamp > cutOff) {
deleteVersionFromJson(bodyJson, version);
if (headers) {
// When modifying the response, the etag no longer matches the content
// so the etag needs to be removed before sending the response.
delete headers["etag"];
}
continue;
}
}
if (hasLatestTag && !bodyJson["dist-tags"]["latest"]) {
// The latest tag was removed because it contained a package younger than the treshold.
// A new latest tag needs to be calculated
bodyJson["dist-tags"]["latest"] = calculateLatestTag(bodyJson.time);
}
return Buffer.from(JSON.stringify(bodyJson));
} catch (/** @type {any} */ err) {
ui.writeVerbose(
`Safe-chain: Package metadata not in expected format - bypassing modification. Error: ${err.message}`
);
return body;
}
}
/**
* @param {any} json
* @param {string} version
*/
function deleteVersionFromJson(json, version) {
ui.writeVerbose(
`Safe-chain: ${version} is newer than ${getMinimumPackageAgeHours()} hours and was removed (minimumPackageAgeInHours setting).`
);
delete json.time[version];
delete json.versions[version];
for (const [tag, distVersion] of Object.entries(json["dist-tags"])) {
if (version == distVersion) {
delete json["dist-tags"][tag];
}
}
}
/**
* @param {Record<string, string>} tagList
* @returns {string | undefined}
*/
function calculateLatestTag(tagList) {
const entries = Object.entries(tagList).filter(
([version, _]) => version !== "created" && version !== "modified"
);
const latestFullRelease = getMostRecentTag(
Object.fromEntries(entries.filter(([version, _]) => !version.includes("-")))
);
if (latestFullRelease) {
return latestFullRelease;
}
const latestPrerelease = getMostRecentTag(
Object.fromEntries(entries.filter(([version, _]) => version.includes("-")))
);
return latestPrerelease;
}
/**
* @param {Record<string, string>} tagList
* @returns {string | undefined}
*/
function getMostRecentTag(tagList) {
let current, currentDate;
for (const [version, timestamp] of Object.entries(tagList)) {
if (!currentDate || currentDate < timestamp) {
current = version;
currentDate = timestamp;
}
}
return current;
}
Reference in a new issue View git blame Copy permalink