milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Some more cleanup

Browse source
This commit is contained in:
Reinier Criel 2026-04-13 11:10:16 -07:00
parent d064d46668
commit 031c9683b1
23 changed files with 55 additions and 864 deletions
Download patch file Download diff file Expand all files Collapse all files

34
test/e2e/bun.e2e.spec.js
View file

@ -79,38 +79,4 @@ describe("E2E: bun coverage", () => {
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("bash");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious bun packages when scripts are in a custom directory", async () => {
const shell = await customContainer.openShell("bash");
const result = await shell.runCommand("bunx safe-chain-test");
assert.ok(
result.output.includes("blocked 1 malicious package downloads"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

42
test/e2e/npm-ci.e2e.spec.js
View file

@ -103,46 +103,4 @@ describe("E2E: npm coverage using PATH", () => {
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup-ci");
// Persist SAFE_CHAIN_DIR and the custom shims dir in .zshrc so new shells
// inherit both (shims need SAFE_CHAIN_DIR to strip themselves from PATH)
await setupShell.runCommand(
`echo 'export SAFE_CHAIN_DIR=${CUSTOM_DIR}' >> ~/.zshrc`
);
await setupShell.runCommand(
`echo 'export PATH="${CUSTOM_DIR}/shims:$PATH"' >> ~/.zshrc`
);
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious npm packages when shims are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand("npm i safe-chain-test");
assert.ok(
result.output.includes("Malicious changes detected:"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

34
test/e2e/npm.e2e.spec.js
View file

@ -120,38 +120,4 @@ describe("E2E: npm coverage", () => {
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious npm packages when scripts are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand("npm i safe-chain-test");
assert.ok(
result.output.includes("Malicious changes detected:"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

39
test/e2e/pip-ci.e2e.spec.js
View file

@ -205,43 +205,4 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
});
}
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand("pip3 cache purge");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup-ci");
await setupShell.runCommand(
`echo 'export SAFE_CHAIN_DIR=${CUSTOM_DIR}' >> ~/.zshrc`
);
await setupShell.runCommand(
`echo 'export PATH="${CUSTOM_DIR}/shims:$PATH"' >> ~/.zshrc`
);
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("intercepts pip3 install when shims are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand(
"pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),
`Expected pip3 to be protected with SAFE_CHAIN_DIR. Output:\n${result.output}`
);
});
});
});

35
test/e2e/pip.e2e.spec.js
View file

@ -845,39 +845,4 @@ describe("E2E: pip coverage", () => {
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
await setupShell.runCommand("pip3 cache purge");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("intercepts pip3 install when scripts are in a custom directory", async () => {
// New shell sources ~/.zshrc → sources init-posix.sh from custom dir
// → defines pip3() shell function that routes through safe-chain
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand(
"pip3 install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),
`Expected pip3 to be protected with SAFE_CHAIN_DIR. Output:\n${result.output}`
);
});
});
});

34
test/e2e/pipx.e2e.spec.js
View file

@ -198,38 +198,4 @@ describe("E2E: pipx coverage", () => {
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious pipx packages when scripts are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand("pipx install safe-chain-pi-test");
assert.ok(
result.output.includes("blocked by safe-chain"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

40
test/e2e/pnpm-ci.e2e.spec.js
View file

@ -123,44 +123,4 @@ describe("E2E: pnpm coverage", () => {
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup-ci");
await setupShell.runCommand(
`echo 'export SAFE_CHAIN_DIR=${CUSTOM_DIR}' >> ~/.zshrc`
);
await setupShell.runCommand(
`echo 'export PATH="${CUSTOM_DIR}/shims:$PATH"' >> ~/.zshrc`
);
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious pnpm packages when shims are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand("pnpm add safe-chain-test");
assert.ok(
result.output.includes("Malicious changes detected:"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

34
test/e2e/pnpm.e2e.spec.js
View file

@ -140,38 +140,4 @@ describe("E2E: pnpm coverage", () => {
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious pnpm packages when scripts are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand("pnpm add safe-chain-test");
assert.ok(
result.output.includes("Malicious changes detected:"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

41
test/e2e/poetry.e2e.spec.js
View file

@ -423,45 +423,4 @@ describe("E2E: poetry coverage", () => {
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
await setupShell.runCommand("command poetry cache clear pypi --all -n");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious poetry packages when scripts are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
await shell.runCommand("mkdir /tmp/test-poetry-custom-dir");
await shell.runCommand(
"cd /tmp/test-poetry-custom-dir && poetry init --no-interaction"
);
const result = await shell.runCommand(
"cd /tmp/test-poetry-custom-dir && poetry add safe-chain-pi-test"
);
assert.ok(
result.output.includes("blocked by safe-chain"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

166
test/e2e/safe-chain-dir.e2e.spec.js
View file

@ -1,166 +0,0 @@
import { describe, it, before, beforeEach, afterEach } from "node:test";
import { DockerTestContainer } from "./DockerTestContainer.js";
import assert from "node:assert";
const CUSTOM_DIR = "/usr/local/.safe-chain";
describe("E2E: SAFE_CHAIN_DIR support", () => {
let container;
before(async () => {
DockerTestContainer.buildImage();
});
beforeEach(async () => {
container = new DockerTestContainer();
await container.start();
});
afterEach(async () => {
if (container) {
await container.stop();
container = null;
}
});
it("setup-ci installs shims in the custom directory when SAFE_CHAIN_DIR is set", async () => {
const shell = await container.openShell("bash");
await shell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await shell.runCommand("safe-chain setup-ci");
// Shims should be in the custom dir
const customShimResult = await shell.runCommand(
`test -f ${CUSTOM_DIR}/shims/npm && echo "EXISTS"`
);
assert.ok(
customShimResult.output.includes("EXISTS"),
`Expected npm shim at ${CUSTOM_DIR}/shims/npm. Output:\n${customShimResult.output}`
);
// Default location should NOT have been created
const defaultShimResult = await shell.runCommand(
`test -d $HOME/.safe-chain/shims && echo "EXISTS" || echo "ABSENT"`
);
assert.ok(
defaultShimResult.output.includes("ABSENT"),
`Expected default shims dir to be absent. Output:\n${defaultShimResult.output}`
);
});
it("setup-ci writes the custom directory path to GITHUB_PATH when SAFE_CHAIN_DIR is set", async () => {
const shell = await container.openShell("bash");
await shell.runCommand("export GITHUB_PATH=/tmp/github_path");
await shell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await shell.runCommand("safe-chain setup-ci");
const result = await shell.runCommand("cat /tmp/github_path");
assert.ok(
result.output.includes(`${CUSTOM_DIR}/shims`),
`Expected GITHUB_PATH to contain custom shims dir. Output:\n${result.output}`
);
assert.ok(
result.output.includes(`${CUSTOM_DIR}/bin`),
`Expected GITHUB_PATH to contain custom bin dir. Output:\n${result.output}`
);
});
it("setup writes the custom path to ~/.bashrc when SAFE_CHAIN_DIR is set", async () => {
const shell = await container.openShell("bash");
await shell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await shell.runCommand("safe-chain setup");
const result = await shell.runCommand("cat ~/.bashrc");
assert.ok(
result.output.includes(`source ${CUSTOM_DIR}/scripts/init-posix.sh`),
`Expected ~/.bashrc to contain custom scripts path. Output:\n${result.output}`
);
assert.ok(
!result.output.includes("source ~/.safe-chain/scripts/init-posix.sh"),
`Expected ~/.bashrc to NOT contain default path. Output:\n${result.output}`
);
});
it("setup with SAFE_CHAIN_DIR still protects npm in a new shell session", async () => {
// Run setup with the custom dir
const setupShell = await container.openShell("bash");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
// Open a fresh shell — it will source ~/.bashrc which sources init-posix.sh
// from the custom dir, defining the npm wrapper function
const projectShell = await container.openShell("bash");
await projectShell.runCommand("cd /testapp");
const result = await projectShell.runCommand(
"npm i axios@1.13.0 --safe-chain-logging=verbose"
);
// "Safe-chain: Package" appears before npm downloads — confirms interception happened
assert.ok(
result.output.includes("Safe-chain: Package"),
`Expected npm to be protected after setup with SAFE_CHAIN_DIR. Output:\n${result.output}`
);
});
it("teardown removes the custom SAFE_CHAIN_DIR source line from ~/.bashrc", async () => {
const shell = await container.openShell("bash");
await shell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await shell.runCommand("safe-chain setup");
await shell.runCommand("safe-chain teardown");
const result = await shell.runCommand("cat ~/.bashrc");
assert.ok(
!result.output.includes(`source ${CUSTOM_DIR}/scripts/init-posix.sh`),
`Expected custom source line to be removed from ~/.bashrc. Output:\n${result.output}`
);
});
it("safe-chain protects a non-root user when installed to a shared dir with SAFE_CHAIN_DIR", async () => {
// Step 1: create a non-root user inside the container
container.dockerExec("useradd -m safeuser");
// Step 2: as root, run setup-ci with the shared SAFE_CHAIN_DIR
const rootShell = await container.openShell("bash");
await rootShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await rootShell.runCommand("safe-chain setup-ci");
// Step 3: simulate what install-safe-chain.sh does — place the safe-chain binary
// in SAFE_CHAIN_DIR/bin. In Docker tests safe-chain is installed via npm/Volta,
// so we symlink it there.
container.dockerExec(`mkdir -p ${CUSTOM_DIR}/bin`);
container.dockerExec(
`ln -sf \\$(which safe-chain) ${CUSTOM_DIR}/bin/safe-chain`
);
// Step 4: make npm accessible to all users (in real Dockerfiles npm is installed
// before the user switch; here Volta manages it for root, so we symlink it).
container.dockerExec("ln -sf \\$(which npm) /usr/local/bin/npm");
// Step 5: make the shared safe-chain dir readable + executable by all users
container.dockerExec(`chmod -R a+rx ${CUSTOM_DIR}`);
// Step 6: Volta installs under /root/.volta which is only accessible to root by
// default. /root/ itself is mode 700, so safeuser can't traverse into it even
// if .volta/ is world-readable. Fix both levels. Safe in a throw-away container.
container.dockerExec("chmod a+x /root && chmod -R a+rX /root/.volta");
// Step 7: as the non-root user, set SAFE_CHAIN_DIR and PATH, then run npm.
// SAFE_CHAIN_DIR must be set so the shim knows which dir to strip from PATH
// when invoking the real npm (prevents infinite loop).
const userShell = await container.openShell("bash", { user: "safeuser" });
await userShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
// Reuse root's Volta dir so safeuser doesn't trigger a slow first-run setup
await userShell.runCommand("export VOLTA_HOME=/root/.volta");
await userShell.runCommand(
`export PATH="${CUSTOM_DIR}/shims:${CUSTOM_DIR}/bin:$PATH"`
);
const result = await userShell.runCommand(
"npm i axios@1.13.0 --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("Safe-chain: Scanned"),
`Expected safe-chain to protect non-root user. Output:\n${result.output}`
);
});
});

38
test/e2e/uv.e2e.spec.js
View file

@ -570,42 +570,4 @@ describe("E2E: uv coverage", () => {
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
await setupShell.runCommand("uv cache clean");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious uv packages when scripts are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
await shell.runCommand("uv init test-project-custom-dir");
const result = await shell.runCommand(
"cd test-project-custom-dir && uv add safe-chain-pi-test"
);
assert.ok(
result.output.includes("blocked 1 malicious package downloads:"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

40
test/e2e/yarn-ci.e2e.spec.js
View file

@ -85,44 +85,4 @@ describe("E2E: yarn coverage", () => {
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup-ci");
await setupShell.runCommand(
`echo 'export SAFE_CHAIN_DIR=${CUSTOM_DIR}' >> ~/.zshrc`
);
await setupShell.runCommand(
`echo 'export PATH="${CUSTOM_DIR}/shims:$PATH"' >> ~/.zshrc`
);
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious yarn packages when shims are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand("yarn add safe-chain-test");
assert.ok(
result.output.includes("Malicious changes detected:"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

38
test/e2e/yarn.e2e.spec.js
View file

@ -126,42 +126,4 @@ describe("E2E: yarn coverage", () => {
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
// Run setup with the custom dir — init-posix.sh is copied to the custom
// scripts dir, and ~/.zshrc gets a source line pointing there
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious yarn packages when scripts are in a custom directory", async () => {
// New shell sources ~/.zshrc → sources init-posix.sh from custom dir
// → defines yarn() shell function that routes through safe-chain
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand("yarn add safe-chain-test");
assert.ok(
result.output.includes("Malicious changes detected:"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});