fix(core): check nx packages for provenance config before running nx migrate (#32557)

(cherry picked from commit 1ff26dd)

Author: MaxKless

packages/devkit/src/utils/package-json.ts

@@ -503,16 +503,22 @@ export function ensurePackage<T extends any = any>(
       windowsHide: false,
     });
   }
-  let addCommand = getPackageManagerCommand(packageManager).addDev;
+  const pmCommands = getPackageManagerCommand(packageManager);
+  let addCommand = pmCommands.addDev;
   if (packageManager === 'pnpm') {
     addCommand = 'pnpm add -D'; // we need to ensure that we are not using workspace command
   }
 
-  execSync(`${addCommand} ${pkg}@${requiredVersion}`, {
-    cwd: tempDir,
-    stdio: isVerbose ? 'inherit' : 'ignore',
-    windowsHide: false,
-  });
+  execSync(
+    `${addCommand} ${pkg}@${requiredVersion} ${
+      pmCommands.ignoreScriptsFlag ?? ''
+    }`,
+    {
+      cwd: tempDir,
+      stdio: isVerbose ? 'inherit' : 'ignore',
+      windowsHide: false,
+    }
+  );
 
   addToNodePath(join(workspaceRoot, 'node_modules'));
   addToNodePath(join(tempDir, 'node_modules'));

packages/nuxt/src/plugins/__snapshots__/plugin.spec.ts.snap

@@ -1,4 +1,4 @@
-// Jest Snapshot v1, https://goo.gl/fbAQLP
+// Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
 
 exports[`@nx/nuxt/plugin not root project should create nodes 1`] = `
 {

packages/nx/src/command-line/migrate/command-object.ts

@@ -10,7 +10,7 @@ export const yargsMigrateCommand: CommandModule = {
   builder: (yargs) =>
     linkToNxDevAndExamples(withMigrationOptions(yargs), 'migrate'),
   handler: async () => {
-    (await import('./migrate')).runMigration();
+    await (await import('./migrate')).runMigration();
     process.exit(0);
   },
 };

packages/nx/src/command-line/migrate/migrate.ts

@@ -79,6 +79,10 @@ import {
   readProjectsConfigurationFromProjectGraph,
 } from '../../project-graph/project-graph';
 import { formatFilesWithPrettierIfAvailable } from '../../generators/internal-utils/format-changed-files-with-prettier-if-available';
+import {
+  ensurePackageHasProvenance,
+  getNxPackageGroup,
+} from '../../utils/provenance';
 
 export interface ResolvedMigrationConfiguration extends MigrationsJson {
   packageGroup?: ArrayPackageGroup;
@@ -990,6 +994,9 @@ async function getPackageMigrationsUsingRegistry(
   packageName: string,
   packageVersion: string
 ): Promise<ResolvedMigrationConfiguration> {
+  if (getNxPackageGroup().includes(packageName)) {
+    await ensurePackageHasProvenance(packageName, packageVersion);
+  }
   // check if there are migrations in the packages by looking at the
   // registry directly
   const migrationsConfig = await getPackageMigrationsConfigFromRegistry(
@@ -1103,6 +1110,10 @@ async function getPackageMigrationsUsingInstall(
 
   let result: ResolvedMigrationConfiguration;
 
+  if (getNxPackageGroup().includes(packageName)) {
+    await ensurePackageHasProvenance(packageName, packageVersion);
+  }
+
   try {
     const pmc = getPackageManagerCommand(detectPackageManager(dir), dir);
 
@@ -1464,10 +1475,13 @@ function runInstall(nxWorkspaceRoot?: string) {
   if (packageManager ?? detectPackageManager() === 'npm') {
     process.env.npm_config_legacy_peer_deps ??= 'true';
   }
+  const installCommand = `${pmCommands.install} ${
+    pmCommands.ignoreScriptsFlag ?? ''
+  }`;
   output.log({
-    title: `Running '${pmCommands.install}' to make sure necessary packages are installed`,
+    title: `Running '${installCommand}' to make sure necessary packages are installed`,
   });
-  execSync(pmCommands.install, {
+  execSync(installCommand, {
     stdio: [0, 1, 2],
     windowsHide: false,
     cwd: nxWorkspaceRoot ?? process.cwd(),
@@ -1792,14 +1806,14 @@ export async function migrate(
   });
 }
 
-export function runMigration() {
+export async function runMigration() {
   const runLocalMigrate = () => {
     runNxSync(`_migrate ${process.argv.slice(3).join(' ')}`, {
       stdio: ['inherit', 'inherit', 'inherit'],
     });
   };
   if (process.env.NX_MIGRATE_USE_LOCAL === undefined) {
-    const p = nxCliPath();
+    const p = await nxCliPath();
     if (p === null) {
       runLocalMigrate();
     } else {
@@ -1867,10 +1881,12 @@ export function getImplementationPath(
   return { path: implPath, fnSymbol };
 }
 
-export function nxCliPath(nxWorkspaceRoot?: string) {
+export async function nxCliPath(nxWorkspaceRoot?: string) {
   const version = process.env.NX_MIGRATE_CLI_VERSION || 'latest';
   const isVerbose = process.env.NX_VERBOSE_LOGGING === 'true';
 
+  await ensurePackageHasProvenance('nx', version);
+
   try {
     const packageManager = detectPackageManager();
     const pmc = getPackageManagerCommand(packageManager);
@@ -1913,7 +1929,7 @@ export function nxCliPath(nxWorkspaceRoot?: string) {
       }
     }
 
-    execSync(pmc.install, {
+    execSync(`${pmc.install} ${pmc.ignoreScriptsFlag ?? ''}`, {
       cwd: tmpDir,
       stdio,
       windowsHide: false,

packages/nx/src/utils/package-manager.ts

@@ -51,6 +51,8 @@ export interface PackageManagerCommands {
     registryConfigKey: string,
     tag: string
   ) => string;
+  // yarn berry doesn't support ignoring scripts via flag
+  ignoreScriptsFlag?: string;
 }
 
 /**
@@ -128,6 +130,7 @@ export function getPackageManagerCommand(
         useBerry = true;
       }
 
+      // new versions of yarn only support ignoring scripts via .yarnrc.yml
       return {
         preInstall: `yarn set version ${yarnVersion}`,
         install: 'yarn',
@@ -141,7 +144,7 @@ export function getPackageManagerCommand(
         addDev: useBerry ? 'yarn add -D' : 'yarn add -D -W',
         rm: 'yarn remove',
         exec: 'yarn',
-        dlx: useBerry ? 'yarn dlx' : 'yarn',
+        dlx: useBerry ? 'yarn dlx' : 'npx',
         run: (script: string, args?: string) =>
           `yarn ${script}${args ? ` ${args}` : ''}`,
         list: useBerry ? 'yarn info --name-only' : 'yarn list',
@@ -150,6 +153,7 @@ export function getPackageManagerCommand(
           : 'yarn config get registry',
         publish: (packageRoot, registry, registryConfigKey, tag) =>
           `npm publish "${packageRoot}" --json --"${registryConfigKey}=${registry}" --tag=${tag}`,
+        ignoreScriptsFlag: useBerry ? undefined : `--ignore-scripts`,
       };
     },
     pnpm: () => {
@@ -196,6 +200,7 @@ export function getPackageManagerCommand(
           `pnpm publish "${packageRoot}" --json --"${
             allowRegistryConfigKey ? registryConfigKey : 'registry'
           }=${registry}" --tag=${tag} --no-git-checks`,
+        ignoreScriptsFlag: '--ignore-scripts',
       };
     },
     npm: () => {
@@ -217,6 +222,7 @@ export function getPackageManagerCommand(
         getRegistryUrl: 'npm config get registry',
         publish: (packageRoot, registry, registryConfigKey, tag) =>
           `npm publish "${packageRoot}" --json --"${registryConfigKey}=${registry}" --tag=${tag}`,
+        ignoreScriptsFlag: '--ignore-scripts',
       };
     },
     bun: () => {
@@ -235,6 +241,7 @@ export function getPackageManagerCommand(
         // Unlike npm, bun publish does not support a custom registryConfigKey option
         publish: (packageRoot, registry, registryConfigKey, tag) =>
           `bun publish --cwd="${packageRoot}" --json --registry="${registry}" --tag=${tag}`,
+        ignoreScriptsFlag: '--ignore-scripts',
       };
     },
   };

packages/nx/src/utils/provenance.ts

@@ -0,0 +1,189 @@
+import { execFile } from 'child_process';
+import { join } from 'path';
+import { promisify } from 'util';
+import { readJsonFile } from './fileutils';
+
+/*
+ * Verifies that the given npm package has provenance attestations
+ * generated by the GitHub Actions workflow at .github/workflows/publish.yml
+ * in the nrwl/nx repository.
+ *
+ * Will throw if the package does not have valid provenance.
+ */
+export async function ensurePackageHasProvenance(
+  packageName: string,
+  packageVersion: string
+): Promise<void> {
+  // this is used for locally released versions without provenance
+  // do not set this for other reasons or you might be exposed to security risks
+  if (process.env.NX_SKIP_PROVENANCE_CHECK) {
+    return;
+  }
+
+  const execFileAsync = promisify(execFile);
+
+  const npmViewResult = JSON.parse(
+    (
+      await execFileAsync(
+        'npm',
+        ['view', `${packageName}@${packageVersion}`, '--json', '--silent'],
+        {
+          timeout: 20000,
+        }
+      )
+    ).stdout.trim()
+  );
+
+  const attURL = npmViewResult.dist?.attestations?.url;
+
+  if (!attURL)
+    throw noProvenanceError(
+      packageName,
+      packageVersion,
+      'No attestation URL found'
+    );
+
+  const attestations = (await (await fetch(attURL)).json()) as {
+    attestations: Attestation[];
+  };
+
+  const provenanceAttestation = attestations?.attestations?.find(
+    (a) => a.predicateType === 'https://slsa.dev/provenance/v1'
+  );
+  if (!provenanceAttestation)
+    throw noProvenanceError(
+      packageName,
+      packageVersion,
+      'No provenance attestation found'
+    );
+
+  const dsseEnvelopePayload = JSON.parse(
+    Buffer.from(
+      provenanceAttestation.bundle.dsseEnvelope.payload,
+      'base64'
+    ).toString()
+  );
+
+  const workflowParameters =
+    dsseEnvelopePayload?.predicate?.buildDefinition?.externalParameters
+      ?.workflow;
+
+  // verify that provenance was actually generated from the right publishing workflow
+  if (workflowParameters?.repository !== 'https://github.com/nrwl/nx') {
+    throw noProvenanceError(
+      packageName,
+      packageVersion,
+      'Repository does not match nrwl/nx'
+    );
+  }
+  if (workflowParameters?.path !== '.github/workflows/publish.yml') {
+    throw noProvenanceError(
+      packageName,
+      packageVersion,
+      'Publishing workflow does not match .github/workflows/publish.yml'
+    );
+  }
+  if (workflowParameters?.ref !== `refs/tags/${npmViewResult.version}`) {
+    throw noProvenanceError(
+      packageName,
+      packageVersion,
+      `Version ref does not match refs/tags/${npmViewResult.version}`
+    );
+  }
+
+  // verify that provenance was generated from the exact same artifact as the one we are installing
+  const distSha = Buffer.from(
+    npmViewResult.dist.integrity.replace('sha512-', ''),
+    'base64'
+  ).toString('hex');
+  const attestationSha = dsseEnvelopePayload?.subject[0]?.digest.sha512;
+  if (distSha !== attestationSha) {
+    throw noProvenanceError(
+      packageName,
+      packageVersion,
+      'Integrity hash does not match attestation hash'
+    );
+  }
+  return;
+}
+
+export const noProvenanceError = (
+  packageName: string,
+  packageVersion: string,
+  error?: string
+) =>
+  `An error occurred while checking the provenance of ${packageName}@${packageVersion}. This could indicate a security risk. Please double check https://www.npmjs.com/package/${packageName} to see if the package is published correctly or file an issue at https://github.com/nrwl/nx/issues \n Error: ${
+    error ?? ''
+  }`;
+
+export function getNxPackageGroup(): string[] {
+  const packageJsonPath = join(__dirname, '../../package.json');
+  const packageJson = readJsonFile(packageJsonPath);
+  const packages = packageJson['nx-migrations'].packageGroup.filter(
+    (dep) => typeof dep === 'string' && dep.startsWith('@nx/')
+  );
+  packages.push('nx');
+  return packages;
+}
+
+type Attestation = {
+  predicateType: string;
+  bundle: {
+    dsseEnvelope: {
+      payload: string; // base64 encoded JSON
+      payloadType: string;
+      signatures: {
+        keyid: string;
+        sig: string;
+      }[];
+    };
+    mediaType: string;
+    [x: string]: unknown;
+  };
+  [x: string]: unknown;
+};
+
+// referh to https://slsa.dev/spec/v1.1/provenance#schema
+export type DecodedAttestationPayload = {
+  _type: 'https://in-toto.io/Statement/v1';
+  subject: unknown[];
+  predicateType: 'https://slsa.dev/provenance/v1';
+  predicate: {
+    buildDefinition: {
+      buildType: string;
+      externalParameters: Record<string, any>;
+      internalParameters?: Record<string, any>;
+      resolvedDependencies?: ResourceDescriptor[];
+    };
+    runDetails: {
+      builder: {
+        id: string;
+        builderDependencies?: ResourceDescriptor[];
+        version?: Record<string, string>;
+      };
+      metadata?: {
+        invocationId?: string;
+        startedOn?: string; // <YYYY>-<MM>-<DD>T<hh>:<mm>:<ss>Z
+        finishedOn?: string; // <YYYY>-<MM>-<DD>T<hh>:<mm>:<ss>Z
+      };
+      byproducts?: ResourceDescriptor[];
+    };
+  };
+};
+
+export interface ResourceDescriptor {
+  uri?: string;
+  digest?: {
+    sha256?: string;
+    sha512?: string;
+    gitCommit?: string;
+    [key: string]: string | undefined;
+  };
+  name?: string;
+  downloadLocation?: string;
+  mediaType?: string;
+  content?: string;
+  annotations?: {
+    [key: string]: any;
+  };
+}

packages/react/src/plugins/__snapshots__/router-plugin.spec.ts.snap

@@ -1,4 +1,4 @@
-// Jest Snapshot v1, https://goo.gl/fbAQLP
+// Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
 
 exports[`@nx/react/react-router-plugin React Router should create nodes by default 1`] = `
 [

packages/remix/src/plugins/__snapshots__/plugin.spec.ts.snap

@@ -1,4 +1,4 @@
-// Jest Snapshot v1, https://goo.gl/fbAQLP
+// Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
 
 exports[`@nx/remix/plugin Remix Classic Compiler non-root project should create nodes 1`] = `
 [