verdaccio-audit
Verdaccio Middleware plugin to bypass npmjs audit
;
/**
 * Babel `typeof` helper. The first call picks an implementation (native
 * `typeof` when the runtime has real symbols, otherwise a variant that
 * recognises Symbol instances), stores it over `_typeof`, and then delegates.
 */
function _typeof(o) {
  "@babel/helpers - typeof";

  var hasNativeSymbols = "function" == typeof Symbol && "symbol" == typeof Symbol.iterator;
  if (hasNativeSymbols) {
    _typeof = function (o) {
      return typeof o;
    };
  } else {
    _typeof = function (o) {
      if (o && "function" == typeof Symbol && o.constructor === Symbol && o !== Symbol.prototype) {
        return "symbol";
      }
      return typeof o;
    };
  }
  return _typeof(o);
}
// Flag this CommonJS module as transpiled from ES module syntax.
Object.defineProperty(exports, "__esModule", { value: true });
// Declare both export slots up front; the real values are assigned further down.
exports.REGISTRY_DOMAIN = void 0;
exports["default"] = void 0;
var _express = _interopRequireDefault(require("express"));
var _httpsProxyAgent = _interopRequireDefault(require("https-proxy-agent"));
var _nodeFetch = _interopRequireDefault(require("node-fetch"));
var _nodeHttps = _interopRequireDefault(require("node:https"));
var _core = require("@verdaccio/core");
/**
 * Babel interop helper: a module already flagged `__esModule` is returned
 * unchanged; any other value is wrapped as `{ default: value }`.
 */
function _interopRequireDefault(e) {
  if (e && e.__esModule) {
    return e;
  }
  return { "default": e };
}
// Babel's compact regenerator runtime helper (generated code; see the license
// banner inside). The first call builds the Generator prototypes and then
// replaces `_regenerator` with a function that returns the cached `{ w, m }`
// pair:
//   - `m` (inner function `f`) re-parents a function onto
//     GeneratorFunctionPrototype and gives it a fresh `prototype` object.
//   - `w` (inner function `i`) creates the generator object and installs
//     `_invoke`, which drives the compiled switch-based state machine.
// The context object handed to compiled bodies is `G`; the compiled bodies in
// this file read and write its `p`, `n` and `v` fields and call `a`.
// A thrown value is routed to a try entry only when that entry's start index
// is <= the current `G.p` (the `i[0] <= d` test in `d`).
function _regenerator() { /*! regenerator-runtime -- Copyright (c) 2014-present, Facebook, Inc. -- license (MIT): https://github.com/babel/babel/blob/main/packages/babel-helpers/LICENSE */ var e, t, r = "function" == typeof Symbol ? Symbol : {}, n = r.iterator || "@@iterator", o = r.toStringTag || "@@toStringTag"; function i(r, n, o, i) { var c = n && n.prototype instanceof Generator ? n : Generator, u = Object.create(c.prototype); return _regeneratorDefine2(u, "_invoke", function (r, n, o) { var i, c, u, f = 0, p = o || [], y = !1, G = { p: 0, n: 0, v: e, a: d, f: d.bind(e, 4), d: function d(t, r) { return i = t, c = 0, u = e, G.n = r, a; } }; function d(r, n) { for (c = r, u = n, t = 0; !y && f && !o && t < p.length; t++) { var o, i = p[t], d = G.p, l = i[2]; r > 3 ? (o = l === n) && (u = i[(c = i[4]) ? 5 : (c = 3, 3)], i[4] = i[5] = e) : i[0] <= d && ((o = r < 2 && d < i[1]) ? (c = 0, G.v = n, G.n = i[1]) : d < l && (o = r < 3 || i[0] > n || n > l) && (i[4] = r, i[5] = n, G.n = l, c = 0)); } if (o || r > 1) return a; throw y = !0, n; } return function (o, p, l) { if (f > 1) throw TypeError("Generator is already running"); for (y && 1 === p && d(p, l), c = p, u = l; (t = c < 2 ? e : u) || !y;) { i || (c ? c < 3 ? (c > 1 && (G.n = -1), d(c, u)) : G.n = u : G.v = u); try { if (f = 2, i) { if (c || (o = "next"), t = i[o]) { if (!(t = t.call(i, u))) throw TypeError("iterator result is not an object"); if (!t.done) return t; u = t.value, c < 2 && (c = 0); } else 1 === c && (t = i["return"]) && t.call(i), c < 2 && (u = TypeError("The iterator does not provide a '" + o + "' method"), c = 1); i = e; } else if ((t = (y = G.n < 0) ? u : r.call(n, G)) !== a) break; } catch (t) { i = e, c = 1, u = t; } finally { f = 1; } } return { value: t, done: y }; }; }(r, o, i), !0), u; } var a = {}; function Generator() {} function GeneratorFunction() {} function GeneratorFunctionPrototype() {} t = Object.getPrototypeOf; var c = [][n] ? 
t(t([][n]())) : (_regeneratorDefine2(t = {}, n, function () { return this; }), t), u = GeneratorFunctionPrototype.prototype = Generator.prototype = Object.create(c); function f(e) { return Object.setPrototypeOf ? Object.setPrototypeOf(e, GeneratorFunctionPrototype) : (e.__proto__ = GeneratorFunctionPrototype, _regeneratorDefine2(e, o, "GeneratorFunction")), e.prototype = Object.create(u), e; } return GeneratorFunction.prototype = GeneratorFunctionPrototype, _regeneratorDefine2(u, "constructor", GeneratorFunctionPrototype), _regeneratorDefine2(GeneratorFunctionPrototype, "constructor", GeneratorFunction), GeneratorFunction.displayName = "GeneratorFunction", _regeneratorDefine2(GeneratorFunctionPrototype, o, "GeneratorFunction"), _regeneratorDefine2(u), _regeneratorDefine2(u, o, "Generator"), _regeneratorDefine2(u, n, function () { return this; }), _regeneratorDefine2(u, "toString", function () { return "[object Generator]"; }), (_regenerator = function _regenerator() { return { w: i, m: f }; })(); }
/**
 * Property-definition helper used by the regenerator runtime.
 *
 * The first call probes whether `Object.defineProperty` is usable, then
 * replaces `_regeneratorDefine2` with the real implementation and forwards
 * the call. With a key, the implementation defines `value` on the target
 * (enumerable/configurable/writable unless the fourth argument is truthy);
 * without a key it installs `next`, `throw` and `return` methods that
 * delegate to `this._invoke`.
 */
function _regeneratorDefine2(e, r, n, t) {
  var defineProp = Object.defineProperty;
  try {
    defineProp({}, "", {});
  } catch (probeError) {
    // defineProperty is unusable here; fall back to plain assignment.
    defineProp = 0;
  }
  _regeneratorDefine2 = function _regeneratorDefine(target, key, value, locked) {
    function installMethod(methodName, mode) {
      _regeneratorDefine2(target, methodName, function (arg) {
        return this._invoke(methodName, mode, arg);
      });
    }
    if (!key) {
      installMethod("next", 0);
      installMethod("throw", 1);
      installMethod("return", 2);
      return;
    }
    if (defineProp) {
      defineProp(target, key, {
        value: value,
        enumerable: !locked,
        configurable: !locked,
        writable: !locked
      });
    } else {
      target[key] = value;
    }
  };
  _regeneratorDefine2(e, r, n, t);
}
/**
 * Lists the own enumerable string keys of `e` followed by its own symbol
 * keys. When `r` is truthy, only enumerable symbols are included.
 */
function ownKeys(e, r) {
  var keys = Object.keys(e);
  if (!Object.getOwnPropertySymbols) {
    return keys;
  }
  var symbols = Object.getOwnPropertySymbols(e);
  if (r) {
    symbols = symbols.filter(function (sym) {
      return Object.getOwnPropertyDescriptor(e, sym).enumerable;
    });
  }
  keys.push.apply(keys, symbols);
  return keys;
}
/**
 * Babel object-spread helper: copies the properties of every argument after
 * the first onto `e` and returns `e`. Odd-positioned sources are copied by
 * value through `_defineProperty`; even-positioned sources are copied by
 * property descriptor. `null`/`undefined` sources are treated as `{}`.
 */
function _objectSpread(e) {
  for (var index = 1; index < arguments.length; index++) {
    var source = arguments[index] != null ? arguments[index] : {};
    if (index % 2) {
      ownKeys(Object(source), true).forEach(function (key) {
        _defineProperty(e, key, source[key]);
      });
    } else if (Object.getOwnPropertyDescriptors) {
      Object.defineProperties(e, Object.getOwnPropertyDescriptors(source));
    } else {
      ownKeys(Object(source)).forEach(function (key) {
        Object.defineProperty(e, key, Object.getOwnPropertyDescriptor(source, key));
      });
    }
  }
  return e;
}
/**
 * Sets `e[key] = t` after normalising `r` to a property key. An existing key
 * is redefined as an enumerable, configurable, writable data property; a new
 * key is created by plain assignment. Returns `e`.
 */
function _defineProperty(e, r, t) {
  var key = _toPropertyKey(r);
  if (key in e) {
    Object.defineProperty(e, key, {
      value: t,
      enumerable: true,
      configurable: true,
      writable: true
    });
  } else {
    e[key] = t;
  }
  return e;
}
/**
 * Advances generator `n` once by calling `n[a](c)`.
 * A throw from the generator goes to `e` (reject); a finished step passes its
 * value to `t` (resolve); an unfinished step is awaited and then continued
 * through `r` (next) or `o` (throw).
 */
function asyncGeneratorStep(n, t, e, r, o, a, c) {
  var step;
  var value;
  try {
    step = n[a](c);
    value = step.value;
  } catch (err) {
    e(err);
    return;
  }
  if (step.done) {
    t(value);
    return;
  }
  Promise.resolve(value).then(r, o);
}
/**
 * Wraps generator function `n` so that calling the wrapper returns a Promise
 * driven by the generator, with each step advanced via `asyncGeneratorStep`.
 * The wrapper's `this` and arguments are forwarded to `n`.
 */
function _asyncToGenerator(n) {
  return function () {
    var receiver = this;
    var callArgs = arguments;
    return new Promise(function (resolve, reject) {
      var generator = n.apply(receiver, callArgs);
      function _next(value) {
        asyncGeneratorStep(generator, resolve, reject, _next, _throw, "next", value);
      }
      function _throw(error) {
        asyncGeneratorStep(generator, resolve, reject, _next, _throw, "throw", error);
      }
      _next(void 0);
    });
  };
}
/**
 * Guards a transpiled constructor against being called without `new`.
 * @throws {TypeError} when `a` is not an instance of `n`.
 */
function _classCallCheck(a, n) {
  var constructedWithNew = a instanceof n;
  if (constructedWithNew) {
    return;
  }
  throw new TypeError("Cannot call a class as a function");
}
/**
 * Defines each descriptor in `r` on `e`. Descriptors are normalised in place:
 * non-enumerable by default, always configurable, and writable when they
 * carry a `value`.
 */
function _defineProperties(e, r) {
  for (var index = 0; index < r.length; index++) {
    var descriptor = r[index];
    descriptor.enumerable = descriptor.enumerable || false;
    descriptor.configurable = true;
    if ("value" in descriptor) {
      descriptor.writable = true;
    }
    Object.defineProperty(e, _toPropertyKey(descriptor.key), descriptor);
  }
}
/**
 * Finishes a transpiled class: installs prototype members `r` and static
 * members `t` when given, makes the `prototype` property read-only, and
 * returns the constructor `e`.
 */
function _createClass(e, r, t) {
  if (r) {
    _defineProperties(e.prototype, r);
  }
  if (t) {
    _defineProperties(e, t);
  }
  Object.defineProperty(e, "prototype", { writable: false });
  return e;
}
/**
 * Converts `t` to a property key: symbols are returned unchanged, every other
 * value is converted to a string.
 */
function _toPropertyKey(t) {
  var primitive = _toPrimitive(t, "string");
  if ("symbol" == _typeof(primitive)) {
    return primitive;
  }
  return primitive + "";
}
/**
 * Converts `t` to a primitive using hint `r`. Non-objects and `null` are
 * returned unchanged; an object's `Symbol.toPrimitive` method is used when
 * present; otherwise the value goes through `String` (hint "string") or
 * `Number`.
 * @throws {TypeError} when `Symbol.toPrimitive` returns an object.
 */
function _toPrimitive(t, r) {
  if ("object" != _typeof(t) || !t) {
    return t;
  }
  var exotic = t[Symbol.toPrimitive];
  if (void 0 === exotic) {
    var convert = "string" === r ? String : Number;
    return convert(t);
  }
  var result = exotic.call(t, r || "default");
  if ("object" != _typeof(result)) {
    return result;
  }
  throw new TypeError("@@toPrimitive must return a primitive value.");
}
/**
 * Transpiled `super(...)` call: runs the parent constructor of `o` with
 * arguments `e` (through `Reflect.construct` when available, otherwise by
 * applying it to `t`) and returns the resulting instance.
 */
function _callSuper(t, o, e) {
  var parent = _getPrototypeOf(o);
  var constructed;
  if (_isNativeReflectConstruct()) {
    constructed = Reflect.construct(parent, e || [], _getPrototypeOf(t).constructor);
  } else {
    constructed = parent.apply(t, e);
  }
  return _possibleConstructorReturn(t, constructed);
}
/**
 * Picks the result of a derived constructor: an object or function returned
 * by the parent wins; `undefined` falls back to the (checked) `this` value.
 * @throws {TypeError} when the parent returned any other defined value.
 */
function _possibleConstructorReturn(t, e) {
  if (e) {
    if ("object" == _typeof(e) || "function" == typeof e) {
      return e;
    }
  }
  if (void 0 !== e) {
    throw new TypeError("Derived constructors may only return object or undefined");
  }
  return _assertThisInitialized(t);
}
/**
 * Returns `e` unless it is `undefined`, which means `super()` never ran.
 * @throws {ReferenceError} when `e` is `undefined`.
 */
function _assertThisInitialized(e) {
  if (void 0 !== e) {
    return e;
  }
  throw new ReferenceError("this hasn't been initialised - super() hasn't been called");
}
/**
 * Reports whether `Reflect.construct` works in this runtime. The probe runs
 * once; afterwards `_isNativeReflectConstruct` is replaced by a function that
 * returns the remembered answer.
 */
function _isNativeReflectConstruct() {
  var supported;
  try {
    var probe = Reflect.construct(Boolean, [], function () {});
    supported = !Boolean.prototype.valueOf.call(probe);
  } catch (probeError) {
    // Probe failed: `supported` stays undefined and is reported as false.
  }
  _isNativeReflectConstruct = function _isNativeReflectConstruct() {
    return !!supported;
  };
  return _isNativeReflectConstruct();
}
/**
 * Returns the prototype of `t`. The first call selects an implementation
 * (the native `Object.getPrototypeOf`, or a `__proto__` fallback), stores it
 * over `_getPrototypeOf`, and delegates to it.
 */
function _getPrototypeOf(t) {
  if (Object.setPrototypeOf) {
    _getPrototypeOf = Object.getPrototypeOf.bind();
  } else {
    _getPrototypeOf = function (t) {
      return t.__proto__ || Object.getPrototypeOf(t);
    };
  }
  return _getPrototypeOf(t);
}
/**
 * Wires constructor `t` to extend `e`: gives `t` a prototype derived from
 * `e.prototype`, makes the `prototype` property read-only, and links the
 * constructors themselves so statics are inherited.
 * @throws {TypeError} when `e` is neither a function nor `null`.
 */
function _inherits(t, e) {
  if ("function" != typeof e && null !== e) {
    throw new TypeError("Super expression must either be null or a function");
  }
  var parentProto = e && e.prototype;
  t.prototype = Object.create(parentProto, {
    constructor: {
      value: t,
      writable: true,
      configurable: true
    }
  });
  Object.defineProperty(t, "prototype", { writable: false });
  if (e) {
    _setPrototypeOf(t, e);
  }
}
/**
 * Sets the prototype of `t` to `e` and returns `t`. The first call selects an
 * implementation (the native `Object.setPrototypeOf`, or a `__proto__`
 * fallback), stores it over `_setPrototypeOf`, and delegates to it.
 */
function _setPrototypeOf(t, e) {
  if (Object.setPrototypeOf) {
    _setPrototypeOf = Object.setPrototypeOf.bind();
  } else {
    _setPrototypeOf = function (t, e) {
      t.__proto__ = e;
      return t;
    };
  }
  return _setPrototypeOf(t, e);
}
// Upstream registry that audit requests are relayed to.
// FUTURE: this value should become overridable.
var REGISTRY_DOMAIN = 'https://registry.npmjs.org';
exports.REGISTRY_DOMAIN = REGISTRY_DOMAIN;
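/**
 * Verdaccio middleware plugin that relays npm audit requests to the public
 * registry (REGISTRY_DOMAIN) and returns the upstream answer to the client.
 *
 * Change against the previously published build output: the timeout timer
 * started for each upstream fetch is now cleared once the request settles,
 * so it no longer stays pending for the full timeout after every request.
 *
 * NOTE(review): this is Babel output. Any change made here should also be
 * made in the original source, otherwise the next build will undo it.
 */
var ProxyAudit = exports["default"] = /*#__PURE__*/function (_ref) {
  /**
   * @param {object} config - plugin settings; reads `enabled`, `strict_ssl` and `timeout`.
   * @param {object} options - plugin options; `options.logger` is used for debug/warn output.
   */
  function ProxyAudit(config, options) {
    var _config$timeout;
    var _this;
    _classCallCheck(this, ProxyAudit);
    _this = _callSuper(this, ProxyAudit, [config, options]);
    // The plugin is off unless `enabled` is truthy.
    _this.enabled = config.enabled || false;
    // Certificate verification of the upstream connection is on unless the
    // operator sets strict_ssl. The value is later passed as `rejectUnauthorized`.
    // NOTE(review): strict_ssl: false removes upstream certificate verification
    // for a request that also carries the client's headers; treat it as a
    // debugging-only setting.
    _this.strict_ssl = config.strict_ssl !== undefined ? config.strict_ssl : true;
    // Upstream timeout in milliseconds; defaults to 60 000 when unset or null.
    _this.timeout = (_config$timeout = config.timeout) !== null && _config$timeout !== void 0 ? _config$timeout : 1000 * 60 * 1;
    _this.logger = options.logger;
    return _this;
  }
  _inherits(ProxyAudit, _ref);
  return _createClass(ProxyAudit, [{
    key: "register_middlewares",
    /**
     * Mounts the audit routes on the Express application.
     * @param {object} app - Express application; the router is attached under `/-/npm/v1/security`.
     * @param {object} auth - only `auth.config.https_proxy` is read here.
     */
    value: function register_middlewares(app, auth) {
      var _this2 = this;
      // Relays one audit request upstream and copies status and JSON body back.
      var fetchAudit = /*#__PURE__*/function () {
        var _ref2 = _asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee(req, res) {
          var _auth$config;
          var headers, requestOptions, _auth$config2, agent, auditEndpoint, controller, timer, response, _t, _t2, _t3, _t4, _t5;
          return _regenerator().w(function (_context) {
            while (1) switch (_context.p = _context.n) {
              case 0:
                // `headers` is the inbound header object itself (mutated in place),
                // so every header the client sent is forwarded upstream.
                // NOTE(review): that includes any credentials the client presented
                // to this registry (e.g. authorization or cookie headers). Consider
                // forwarding only an allow-list of headers; confirm first that no
                // deployment relies on the pass-through.
                headers = req.headers;
                headers['host'] = 'registry.npmjs.org';
                // NOTE(review): the body sent below is plain JSON.stringify output
                // while this header declares a compressed body; confirm intended.
                headers['content-encoding'] = 'gzip,deflate,br';
                requestOptions = {
                  agent: new _nodeHttps["default"].Agent({
                    rejectUnauthorized: _this2.strict_ssl
                  }),
                  body: JSON.stringify(req.body),
                  headers: headers,
                  method: req.method
                };
                if (auth !== null && auth !== void 0 && (_auth$config = auth.config) !== null && _auth$config !== void 0 && _auth$config.https_proxy) {
                  // we should check whether this works fine after this migration
                  // please notify if anyone is having issues
                  // NOTE(review): the proxy agent replaces the agent built above, so
                  // the strict_ssl setting is not passed to it. This code also runs
                  // before the try region starts (`_context.p = 1` below), so an
                  // exception thrown here is not turned into the 500 response of
                  // case 7 -- confirm how the host application handles that.
                  agent = (0, _httpsProxyAgent["default"])(auth === null || auth === void 0 || (_auth$config2 = auth.config) === null || _auth$config2 === void 0 ? void 0 : _auth$config2.https_proxy);
                  requestOptions = Object.assign({}, requestOptions, {
                    agent: agent
                  });
                }
                _context.p = 1;
                // The target URL is built from the fixed registry origin plus the
                // router mount path and the matched route path.
                auditEndpoint = "".concat(REGISTRY_DOMAIN).concat(req.baseUrl).concat(req.route.path);
                _this2.logger.debug('fetching audit from ' + auditEndpoint);
                controller = new AbortController();
                // Keep the handle so the timer can be cancelled when the request settles.
                timer = setTimeout(function () {
                  return controller.abort("Fetch ".concat(auditEndpoint, " timeout ").concat(_this2.timeout, "ms"));
                }, _this2.timeout);
                _context.n = 2;
                return (0, _nodeFetch["default"])(auditEndpoint, _objectSpread(_objectSpread({}, requestOptions), {}, {
                  signal: controller.signal
                }));
              case 2:
                response = _context.v;
                if (!response.ok) {
                  _context.n = 4;
                  break;
                }
                _t = res.status(response.status);
                _context.n = 3;
                return response.json();
              case 3:
                // Success body fully read: the timeout is no longer needed.
                clearTimeout(timer);
                _t.send.call(_t, _context.v);
                _context.n = 6;
                break;
              case 4:
                _t2 = _this2.logger;
                _t3 = JSON;
                _context.n = 5;
                return response.json();
              case 5:
                // Error body fully read: the timeout is no longer needed.
                clearTimeout(timer);
                _t4 = _t3.stringify.call(_t3, _context.v);
                _t2.warn.call(_t2, 'could not fetch audit: ' + _t4);
                // The upstream status is passed through; the upstream body is only logged.
                res.status(response.status).end();
              case 6:
                _context.n = 8;
                break;
              case 7:
                // Catch handler for the try region [1, 7): fetch failure, abort on
                // timeout, or a response body that could not be parsed as JSON.
                _context.p = 7;
                _t5 = _context.v;
                // clearTimeout is a no-op if the timer already fired or was never set.
                clearTimeout(timer);
                _this2.logger.warn('could not fetch audit: ' + _t5);
                res.status(500).end();
              case 8:
                return _context.a(2);
            }
          }, _callee, null, [[1, 7]]);
        }));
        return function fetchAudit(_x, _x2) {
          return _ref2.apply(this, arguments);
        };
      }();
      // Route handler: relays the request when the plugin is enabled, otherwise
      // answers 500 with an empty body.
      var handleAudit = /*#__PURE__*/function () {
        var _ref3 = _asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee2(req, res) {
          return _regenerator().w(function (_context2) {
            while (1) switch (_context2.n) {
              case 0:
                if (!_this2.enabled) {
                  _context2.n = 2;
                  break;
                }
                _context2.n = 1;
                return fetchAudit(req, res);
              case 1:
                _context2.n = 3;
                break;
              case 2:
                res.status(500).end();
              case 3:
                return _context2.a(2);
            }
          }, _callee2);
        }));
        return function handleAudit(_x3, _x4) {
          return _ref3.apply(this, arguments);
        };
      }();
      /* eslint new-cap:off */
      // Three POST endpoints, each accepting a JSON body of up to 10mb.
      // NOTE(review): no authentication or rate-limit middleware is registered in
      // this router; confirm whether the host application gates these routes,
      // since every accepted request triggers an outbound call to the registry.
      var router = _express["default"].Router();
      router.post('/audits', _express["default"].json({
        limit: '10mb'
      }), handleAudit);
      router.post('/audits/quick', _express["default"].json({
        limit: '10mb'
      }), handleAudit);
      router.post('/advisories/bulk', _express["default"].json({
        limit: '10mb'
      }), handleAudit);
      app.use('/-/npm/v1/security', router);
    }
  }]);
}(_core.pluginUtils.Plugin);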
//# sourceMappingURL=audit.js.map