milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into feature/combine-certs

Browse source
This commit is contained in:
Reinier Criel 2025-12-08 09:42:10 -08:00
commit 091e6ec5f8
18 changed files with 305 additions and 221 deletions
Download patch file Download diff file Expand all files Collapse all files

11
.github/workflows/test-on-pr.yml vendored
View file

@ -6,7 +6,12 @@ jobs:
unit-test: unit-test:
name: Run unit tests and linting name: Run unit tests and linting
runs-on: ubuntu-latest runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
steps: steps:
- name: Checkout code - name: Checkout code
@ -23,7 +28,7 @@ jobs:
safe-chain setup-ci safe-chain setup-ci
- name: Install dependencies - name: Install dependencies
run: npm ci run: npm ci --ignore-scripts
- name: Run unit tests - name: Run unit tests
run: npm test run: npm test
@ -35,10 +40,12 @@ jobs:
run: npm run typecheck --workspace=packages/safe-chain run: npm run typecheck --workspace=packages/safe-chain
- name: Create package tarball - name: Create package tarball
if: matrix.os == 'ubuntu-latest'
run: npm pack --workspace=packages/safe-chain run: npm pack --workspace=packages/safe-chain
- name: Upload package tarball - name: Upload package tarball
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4
if: matrix.os == 'ubuntu-latest'
with: with:
name: safe-chain-package name: safe-chain-package
path: aikidosec-safe-chain-*.tgz path: aikidosec-safe-chain-*.tgz

3
packages/safe-chain/src/main.js
View file

@ -64,8 +64,7 @@ export async function main(args) {
const auditStats = getAuditStats(); const auditStats = getAuditStats();
if (auditStats.totalPackages > 0) { if (auditStats.totalPackages > 0) {
ui.emptyLine(); ui.writeVerbose(
ui.writeInformation(
`${chalk.green("✔")} Safe-chain: Scanned ${ `${chalk.green("✔")} Safe-chain: Scanned ${
auditStats.totalPackages auditStats.totalPackages
} packages, no malware found.` } packages, no malware found.`

6
packages/safe-chain/src/registryProxy/interceptors/interceptorBuilder.js
View file

@ -20,6 +20,12 @@ import { EventEmitter } from "events";
* @property {(headers: NodeJS.Dict<string | string[]> | undefined) => NodeJS.Dict<string | string[]> | undefined} modifyRequestHeaders * @property {(headers: NodeJS.Dict<string | string[]> | undefined) => NodeJS.Dict<string | string[]> | undefined} modifyRequestHeaders
* @property {() => boolean} modifiesResponse * @property {() => boolean} modifiesResponse
* @property {(body: Buffer, headers: NodeJS.Dict<string | string[]> | undefined) => Buffer} modifyBody * @property {(body: Buffer, headers: NodeJS.Dict<string | string[]> | undefined) => Buffer} modifyBody
*
* @typedef {Object} MalwareBlockedEvent
* @property {string} packageName
* @property {string} version
* @property {string} targetUrl
* @property {number} timestamp
*/ */
/** /**

11
packages/safe-chain/src/registryProxy/registryProxy.js
View file

@ -140,9 +140,14 @@ function handleConnect(req, clientSocket, head) {
if (interceptor) { if (interceptor) {
// Subscribe to malware blocked events // Subscribe to malware blocked events
interceptor.on("malwareBlocked", (event) => { interceptor.on(
onMalwareBlocked(event.packageName, event.version, event.url); "malwareBlocked",
}); (
/** @type {import("./interceptors/interceptorBuilder.js").MalwareBlockedEvent} */ event
) => {
onMalwareBlocked(event.packageName, event.version, event.targetUrl);
}
);
mitmConnect(req, clientSocket, interceptor); mitmConnect(req, clientSocket, interceptor);
} else { } else {

4
test/e2e/bun.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: bun coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => { it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("bash"); const shell = await container.openShell("bash");
const result = await shell.runCommand("bun i axios"); const result = await shell.runCommand(
"bun i axios --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),

4
test/e2e/npm-ci.e2e.spec.js
View file

@ -33,7 +33,9 @@ describe("E2E: npm coverage using PATH", () => {
it(`safe-chain succesfully installs safe packages`, async () => { it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("npm i axios"); const result = await shell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),

4
test/e2e/npm.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: npm coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => { it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("npm i axios"); const result = await shell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),

12
test/e2e/pip-ci.e2e.spec.js
View file

@ -12,7 +12,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
beforeEach(async () => { beforeEach(async () => {
container = new DockerTestContainer(); container = new DockerTestContainer();
await container.start(); await container.start();
// Clear pip cache before each test to ensure fresh downloads through proxy // Clear pip cache before each test to ensure fresh downloads through proxy
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
await shell.runCommand("pip3 cache purge"); await shell.runCommand("pip3 cache purge");
@ -100,7 +100,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell); const projectShell = await container.openShell(shell);
// Use --break-system-packages to avoid Debian/Ubuntu external management restrictions // Use --break-system-packages to avoid Debian/Ubuntu external management restrictions
const result = await projectShell.runCommand( const result = await projectShell.runCommand(
"pip3 install --break-system-packages certifi" "pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
); );
const hasExpectedOutput = result.output.includes("no malware found."); const hasExpectedOutput = result.output.includes("no malware found.");
@ -126,7 +126,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell); const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand( const result = await projectShell.runCommand(
"python -m pip install --break-system-packages certifi" "python -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -149,7 +149,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell); const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand( const result = await projectShell.runCommand(
"python3 -m pip install --break-system-packages certifi" "python3 -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -172,7 +172,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell); const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand( const result = await projectShell.runCommand(
"pip install --break-system-packages certifi" "pip install --break-system-packages certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -195,7 +195,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell); const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand( const result = await projectShell.runCommand(
"pip3 install --break-system-packages certifi" "pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(

268
test/e2e/pip.e2e.spec.js
View file

@ -16,7 +16,7 @@ describe("E2E: pip coverage", () => {
const installationShell = await container.openShell("zsh"); const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup --include-python"); await installationShell.runCommand("safe-chain setup --include-python");
// Clear pip cache before each test to ensure fresh downloads through proxy // Clear pip cache before each test to ensure fresh downloads through proxy
await installationShell.runCommand("pip3 cache purge"); await installationShell.runCommand("pip3 cache purge");
}); });
@ -32,7 +32,7 @@ describe("E2E: pip coverage", () => {
it(`successfully installs known safe packages with pip3`, async () => { it(`successfully installs known safe packages with pip3`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"pip3 install --break-system-packages requests" "pip3 install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -43,7 +43,9 @@ describe("E2E: pip coverage", () => {
it(`pip3 download`, async () => { it(`pip3 download`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 download requests"); const result = await shell.runCommand(
"pip3 download requests --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),
@ -53,7 +55,9 @@ describe("E2E: pip coverage", () => {
it(`pip3 .whl`, async () => { it(`pip3 .whl`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 wheel requests"); const result = await shell.runCommand(
"pip3 wheel requests --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),
@ -64,7 +68,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 install --dry-run is respected by scanner`, async () => { it(`pip3 install --dry-run is respected by scanner`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"pip3 install --dry-run --break-system-packages requests" "pip3 install --dry-run --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -76,7 +80,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 install with extras such as requests[socks]`, async () => { it(`pip3 install with extras such as requests[socks]`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
'pip3 install --break-system-packages "requests[socks]==2.32.3"' 'pip3 install --break-system-packages "requests[socks]==2.32.3" --safe-chain-logging=verbose'
); );
assert.ok( assert.ok(
@ -88,7 +92,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 install with range version specifier`, async () => { it(`pip3 install with range version specifier`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
'pip3 install --break-system-packages "Jinja2>=3.1,<3.2"' 'pip3 install --break-system-packages "Jinja2>=3.1,<3.2" --safe-chain-logging=verbose'
); );
assert.ok( assert.ok(
@ -100,7 +104,7 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip install routes through safe-chain`, async () => { it(`python3 -m pip install routes through safe-chain`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python3 -m pip install --break-system-packages requests" "python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -111,7 +115,9 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip download routes through safe-chain`, async () => { it(`python3 -m pip download routes through safe-chain`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 -m pip download requests"); const result = await shell.runCommand(
"python3 -m pip download requests --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),
@ -148,7 +154,7 @@ describe("E2E: pip coverage", () => {
it(`python -m pip routes to aikido-pip (uses pip command)`, async () => { it(`python -m pip routes to aikido-pip (uses pip command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python -m pip install --break-system-packages requests" "python -m pip install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -166,7 +172,7 @@ describe("E2E: pip coverage", () => {
it(`python -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => { it(`python -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python -m pip3 install --break-system-packages requests" "python -m pip3 install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -184,7 +190,7 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip routes to aikido-pip3 (uses pip3 command)`, async () => { it(`python3 -m pip routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python3 -m pip install --break-system-packages requests" "python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -202,7 +208,7 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => { it(`python3 -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python3 -m pip3 install --break-system-packages requests" "python3 -m pip3 install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -222,7 +228,7 @@ describe("E2E: pip coverage", () => {
// Install a simple package from GitHub - this should use TCP tunnel, not MITM // Install a simple package from GitHub - this should use TCP tunnel, not MITM
// Using a popular, small package for testing // Using a popular, small package for testing
const result = await shell.runCommand( const result = await shell.runCommand(
"pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3" "pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -248,7 +254,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 successfully validates certificates for HTTPS downloads`, async () => { it(`pip3 successfully validates certificates for HTTPS downloads`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"pip3 install --break-system-packages certifi" "pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -276,7 +282,7 @@ describe("E2E: pip coverage", () => {
// Test installing from a direct HTTPS URL (not a registry) // Test installing from a direct HTTPS URL (not a registry)
// This validates that non-registry HTTPS traffic works with our env-provided CA bundle // This validates that non-registry HTTPS traffic works with our env-provided CA bundle
const result = await shell.runCommand( const result = await shell.runCommand(
"pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl" "pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -299,7 +305,7 @@ describe("E2E: pip coverage", () => {
// This tests tunneled HTTPS with our env-provided CA bundle (Safe Chain CA + Mozilla + Node roots) // This tests tunneled HTTPS with our env-provided CA bundle (Safe Chain CA + Mozilla + Node roots)
// If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED // If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED
const result = await shell.runCommand( const result = await shell.runCommand(
"pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi" "pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -336,22 +342,20 @@ describe("E2E: pip coverage", () => {
it(`pip3 config set should work and persist configuration`, async () => { it(`pip3 config set should work and persist configuration`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Set a config value // Set a config value
const setResult = await shell.runCommand( const setResult = await shell.runCommand(
"pip3 config set global.timeout 60" "pip3 config set global.timeout 60"
); );
assert.ok( assert.ok(
setResult.output.includes("Writing to"), setResult.output.includes("Writing to"),
`pip3 config set should write config. Output was:\n${setResult.output}` `pip3 config set should write config. Output was:\n${setResult.output}`
); );
// Verify it was persisted by reading it back // Verify it was persisted by reading it back
const getResult = await shell.runCommand( const getResult = await shell.runCommand("pip3 config get global.timeout");
"pip3 config get global.timeout"
);
assert.ok( assert.ok(
getResult.output.includes("60"), getResult.output.includes("60"),
`Config value should be 60. Output was:\n${getResult.output}` `Config value should be 60. Output was:\n${getResult.output}`
@ -360,13 +364,13 @@ describe("E2E: pip coverage", () => {
it(`pip3 config list should show user configuration`, async () => { it(`pip3 config list should show user configuration`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Set a value first // Set a value first
await shell.runCommand("pip3 config set global.timeout 90"); await shell.runCommand("pip3 config set global.timeout 90");
// List config // List config
const listResult = await shell.runCommand("pip3 config list"); const listResult = await shell.runCommand("pip3 config list");
assert.ok( assert.ok(
listResult.output.includes("timeout") && listResult.output.includes("90"), listResult.output.includes("timeout") && listResult.output.includes("90"),
`Config list should show timeout=90. Output was:\n${listResult.output}` `Config list should show timeout=90. Output was:\n${listResult.output}`
@ -375,16 +379,18 @@ describe("E2E: pip coverage", () => {
it(`pip3 config unset should remove configuration`, async () => { it(`pip3 config unset should remove configuration`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Set a value // Set a value
await shell.runCommand("pip3 config set global.timeout 120"); await shell.runCommand("pip3 config set global.timeout 120");
// Verify it exists // Verify it exists
const getResult = await shell.runCommand("pip3 config get global.timeout"); const getResult = await shell.runCommand("pip3 config get global.timeout");
assert.ok(getResult.output.includes("120")); assert.ok(getResult.output.includes("120"));
// Unset it // Unset it
const unsetResult = await shell.runCommand("pip3 config unset global.timeout"); const unsetResult = await shell.runCommand(
"pip3 config unset global.timeout"
);
assert.ok( assert.ok(
unsetResult.output.includes("Writing to"), unsetResult.output.includes("Writing to"),
`pip3 config unset should write config. Output was:\n${unsetResult.output}` `pip3 config unset should write config. Output was:\n${unsetResult.output}`
@ -393,9 +399,9 @@ describe("E2E: pip coverage", () => {
it(`pip3 cache dir should return cache directory path`, async () => { it(`pip3 cache dir should return cache directory path`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 cache dir"); const result = await shell.runCommand("pip3 cache dir");
// Should output a directory path // Should output a directory path
assert.ok( assert.ok(
result.output.includes("/") && result.output.includes("cache"), result.output.includes("/") && result.output.includes("cache"),
@ -405,12 +411,12 @@ describe("E2E: pip coverage", () => {
it(`pip3 cache info should show cache information`, async () => { it(`pip3 cache info should show cache information`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Install something first to populate cache // Install something first to populate cache
await shell.runCommand("pip3 install --break-system-packages certifi"); await shell.runCommand("pip3 install --break-system-packages certifi");
const result = await shell.runCommand("pip3 cache info"); const result = await shell.runCommand("pip3 cache info");
// Output should contain cache-related information // Output should contain cache-related information
assert.ok( assert.ok(
result.output.match(/cache|wheel|http/i), result.output.match(/cache|wheel|http/i),
@ -420,30 +426,31 @@ describe("E2E: pip coverage", () => {
it(`pip3 cache list should list cached packages`, async () => { it(`pip3 cache list should list cached packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Download a package to ensure something is in cache // Download a package to ensure something is in cache
await shell.runCommand("pip3 download certifi"); await shell.runCommand("pip3 download certifi");
const result = await shell.runCommand("pip3 cache list certifi"); const result = await shell.runCommand("pip3 cache list certifi");
// Should show either cached wheels or "No locally built wheels" // Should show either cached wheels or "No locally built wheels"
assert.ok( assert.ok(
result.output.includes("certifi") || result.output.includes("No locally built"), result.output.includes("certifi") ||
result.output.includes("No locally built"),
`Should output cache list information. Output was:\n${result.output}` `Should output cache list information. Output was:\n${result.output}`
); );
}); });
it(`pip3 debug should output debug information`, async () => { it(`pip3 debug should output debug information`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 debug"); const result = await shell.runCommand("pip3 debug");
// Should contain debug information about pip environment // Should contain debug information about pip environment
assert.ok( assert.ok(
result.output.match(/pip version|sys\.version|sys\.executable/i), result.output.match(/pip version|sys\.version|sys\.executable/i),
`Should output debug information. Output was:\n${result.output}` `Should output debug information. Output was:\n${result.output}`
); );
// Should NOT show safe-chain's temporary config file in the debug output // Should NOT show safe-chain's temporary config file in the debug output
assert.ok( assert.ok(
!result.output.includes("safe-chain-pip-"), !result.output.includes("safe-chain-pip-"),
@ -453,34 +460,36 @@ describe("E2E: pip coverage", () => {
it(`pip3 completion should generate shell completion script`, async () => { it(`pip3 completion should generate shell completion script`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 completion --zsh"); const result = await shell.runCommand("pip3 completion --zsh");
// Should output shell completion code // Should output shell completion code
assert.ok( assert.ok(
result.output.includes("compdef") || result.output.includes("_pip") || result.output.includes("pip completion"), result.output.includes("compdef") ||
result.output.includes("_pip") ||
result.output.includes("pip completion"),
`Should output completion code. Output was:\n${result.output}` `Should output completion code. Output was:\n${result.output}`
); );
}); });
it(`pip3 install still works after config operations`, async () => { it(`pip3 install still works after config operations`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Perform config operations // Perform config operations
await shell.runCommand("pip3 config set global.timeout 60"); await shell.runCommand("pip3 config set global.timeout 60");
await shell.runCommand("pip3 cache dir"); await shell.runCommand("pip3 cache dir");
// Now install should still work with malware protection // Now install should still work with malware protection
const result = await shell.runCommand( const result = await shell.runCommand(
"pip3 install --break-system-packages certifi" "pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"), result.output.includes("Requirement already satisfied"),
`Install should succeed after config operations. Output was:\n${result.output}` `Install should succeed after config operations. Output was:\n${result.output}`
); );
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),
`Should still scan for malware. Output was:\n${result.output}` `Should still scan for malware. Output was:\n${result.output}`
@ -489,14 +498,16 @@ describe("E2E: pip coverage", () => {
it(`pip3 download works after configuring pip settings`, async () => { it(`pip3 download works after configuring pip settings`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Configure pip with timeout and extra index URL // Configure pip with timeout and extra index URL
const configTimeout = await shell.runCommand("pip3 config set global.timeout 60"); const configTimeout = await shell.runCommand(
"pip3 config set global.timeout 60"
);
assert.ok( assert.ok(
configTimeout.output.includes("Writing to"), configTimeout.output.includes("Writing to"),
`Config set should succeed. Output was:\n${configTimeout.output}` `Config set should succeed. Output was:\n${configTimeout.output}`
); );
const configIndex = await shell.runCommand( const configIndex = await shell.runCommand(
"pip3 config set global.extra-index-url https://pypi.org/simple" "pip3 config set global.extra-index-url https://pypi.org/simple"
); );
@ -504,7 +515,7 @@ describe("E2E: pip coverage", () => {
configIndex.output.includes("Writing to"), configIndex.output.includes("Writing to"),
`Config set should succeed. Output was:\n${configIndex.output}` `Config set should succeed. Output was:\n${configIndex.output}`
); );
// Verify config persisted // Verify config persisted
const listConfig = await shell.runCommand("pip3 config list"); const listConfig = await shell.runCommand("pip3 config list");
assert.ok( assert.ok(
@ -512,23 +523,25 @@ describe("E2E: pip coverage", () => {
`Config should show timeout=60. Output was:\n${listConfig.output}` `Config should show timeout=60. Output was:\n${listConfig.output}`
); );
assert.ok( assert.ok(
listConfig.output.includes("extra-index-url") && listConfig.output.includes("pypi.org"), listConfig.output.includes("extra-index-url") &&
listConfig.output.includes("pypi.org"),
`Config should show extra-index-url. Output was:\n${listConfig.output}` `Config should show extra-index-url. Output was:\n${listConfig.output}`
); );
// Now download packages with the configured settings // Now download packages with the configured settings
const downloadResult = await shell.runCommand( const downloadResult = await shell.runCommand(
"pip3 download -d /tmp/packages requests certifi" "pip3 download -d /tmp/packages requests certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
downloadResult.output.includes("no malware found."), downloadResult.output.includes("no malware found."),
`Should scan for malware. Output was:\n${downloadResult.output}` `Should scan for malware. Output was:\n${downloadResult.output}`
); );
// Verify downloads succeeded // Verify downloads succeeded
assert.ok( assert.ok(
downloadResult.output.includes("Saved") || downloadResult.output.includes("requests"), downloadResult.output.includes("Saved") ||
downloadResult.output.includes("requests"),
`Download should succeed with configured settings. Output was:\n${downloadResult.output}` `Download should succeed with configured settings. Output was:\n${downloadResult.output}`
); );
assert.ok( assert.ok(
@ -538,17 +551,17 @@ describe("E2E: pip coverage", () => {
}); });
// Tests for python/python3 bypass (non-pip invocations should go directly without safe-chain) // Tests for python/python3 bypass (non-pip invocations should go directly without safe-chain)
it(`python3 --version should bypass safe-chain and work normally`, async () => { it(`python3 --version should bypass safe-chain and work normally`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 --version"); const result = await shell.runCommand("python3 --version");
// Should output Python version // Should output Python version
assert.ok( assert.ok(
result.output.match(/Python 3\.\d+\.\d+/), result.output.match(/Python 3\.\d+\.\d+/),
`Should output Python version. Output was:\n${result.output}` `Should output Python version. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain proxy // Should NOT go through safe-chain proxy
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -559,13 +572,13 @@ describe("E2E: pip coverage", () => {
it(`python --version should bypass safe-chain and work normally`, async () => { it(`python --version should bypass safe-chain and work normally`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("python --version"); const result = await shell.runCommand("python --version");
// Should output Python version // Should output Python version
assert.ok( assert.ok(
result.output.match(/Python \d+\.\d+\.\d+/), result.output.match(/Python \d+\.\d+\.\d+/),
`Should output Python version. Output was:\n${result.output}` `Should output Python version. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -575,14 +588,16 @@ describe("E2E: pip coverage", () => {
it(`python3 -c "print('hello')" should bypass safe-chain and execute code`, async () => { it(`python3 -c "print('hello')" should bypass safe-chain and execute code`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 -c \"print('hello world')\""); const result = await shell.runCommand(
"python3 -c \"print('hello world')\""
);
// Should execute Python code // Should execute Python code
assert.ok( assert.ok(
result.output.includes("hello world"), result.output.includes("hello world"),
`Should execute Python code. Output was:\n${result.output}` `Should execute Python code. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -592,14 +607,16 @@ describe("E2E: pip coverage", () => {
it(`python -c should bypass safe-chain and execute code`, async () => { it(`python -c should bypass safe-chain and execute code`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("python -c \"import sys; print(sys.version)\""); const result = await shell.runCommand(
'python -c "import sys; print(sys.version)"'
);
// Should execute Python code and print version // Should execute Python code and print version
assert.ok( assert.ok(
result.output.match(/\d+\.\d+\.\d+/), result.output.match(/\d+\.\d+\.\d+/),
`Should execute Python code. Output was:\n${result.output}` `Should execute Python code. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -609,18 +626,20 @@ describe("E2E: pip coverage", () => {
it(`python3 script.py should bypass safe-chain and execute script`, async () => { it(`python3 script.py should bypass safe-chain and execute script`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a simple Python script // Create a simple Python script
await shell.runCommand("echo \"print('script executed')\" > /tmp/test_script.py"); await shell.runCommand(
"echo \"print('script executed')\" > /tmp/test_script.py"
);
const result = await shell.runCommand("python3 /tmp/test_script.py"); const result = await shell.runCommand("python3 /tmp/test_script.py");
// Should execute the script // Should execute the script
assert.ok( assert.ok(
result.output.includes("script executed"), result.output.includes("script executed"),
`Should execute Python script. Output was:\n${result.output}` `Should execute Python script. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -630,18 +649,20 @@ describe("E2E: pip coverage", () => {
it(`python script.py should bypass safe-chain and execute script`, async () => { it(`python script.py should bypass safe-chain and execute script`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a simple Python script // Create a simple Python script
await shell.runCommand("echo \"print('python2/3 compatible')\" > /tmp/test_script2.py"); await shell.runCommand(
"echo \"print('python2/3 compatible')\" > /tmp/test_script2.py"
);
const result = await shell.runCommand("python /tmp/test_script2.py"); const result = await shell.runCommand("python /tmp/test_script2.py");
// Should execute the script // Should execute the script
assert.ok( assert.ok(
result.output.includes("python2/3 compatible"), result.output.includes("python2/3 compatible"),
`Should execute Python script. Output was:\n${result.output}` `Should execute Python script. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -651,16 +672,18 @@ describe("E2E: pip coverage", () => {
it(`python3 -m json.tool should bypass safe-chain (module other than pip)`, async () => { it(`python3 -m json.tool should bypass safe-chain (module other than pip)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// json.tool is a built-in Python module for formatting JSON // json.tool is a built-in Python module for formatting JSON
const result = await shell.runCommand("echo '{\"test\": 123}' | python3 -m json.tool"); const result = await shell.runCommand(
"echo '{\"test\": 123}' | python3 -m json.tool"
);
// Should format JSON // Should format JSON
assert.ok( assert.ok(
result.output.includes('"test"') && result.output.includes('123'), result.output.includes('"test"') && result.output.includes("123"),
`Should format JSON. Output was:\n${result.output}` `Should format JSON. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -670,36 +693,40 @@ describe("E2E: pip coverage", () => {
it(`python3 -m http.server should bypass safe-chain (module other than pip)`, async () => { it(`python3 -m http.server should bypass safe-chain (module other than pip)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Start http.server in background and kill it immediately // Start http.server in background and kill it immediately
// We just want to verify it starts without safe-chain interference // We just want to verify it starts without safe-chain interference
const result = await shell.runCommand("timeout 1 python3 -m http.server 8999 || true"); const result = await shell.runCommand(
"timeout 1 python3 -m http.server 8999 || true"
);
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
`python3 -m http.server should not go through safe-chain. Output was:\n${result.output}` `python3 -m http.server should not go through safe-chain. Output was:\n${result.output}`
); );
// Should either start the server or timeout (both are success for bypass test) // Should either start the server or timeout (both are success for bypass test)
assert.ok( assert.ok(
result.output.includes("Serving HTTP") || result.output === "" || result.exitCode !== undefined, result.output.includes("Serving HTTP") ||
result.output === "" ||
result.exitCode !== undefined,
`Should attempt to start server. Output was:\n${result.output}` `Should attempt to start server. Output was:\n${result.output}`
); );
}); });
it(`python3 interactive mode should bypass safe-chain`, async () => { it(`python3 interactive mode should bypass safe-chain`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Run python3 with a command piped to stdin to simulate interactive mode // Run python3 with a command piped to stdin to simulate interactive mode
const result = await shell.runCommand("echo 'print(2+2)' | python3"); const result = await shell.runCommand("echo 'print(2+2)' | python3");
// Should execute the command // Should execute the command
assert.ok( assert.ok(
result.output.includes("4"), result.output.includes("4"),
`Should execute Python interactively. Output was:\n${result.output}` `Should execute Python interactively. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -709,10 +736,10 @@ describe("E2E: pip coverage", () => {
it(`python3 with no arguments should bypass safe-chain`, async () => { it(`python3 with no arguments should bypass safe-chain`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Python with no args goes to interactive REPL, pipe exit command // Python with no args goes to interactive REPL, pipe exit command
const result = await shell.runCommand("echo 'exit()' | python3"); const result = await shell.runCommand("echo 'exit()' | python3");
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -722,17 +749,19 @@ describe("E2E: pip coverage", () => {
it(`python3 -m venv should bypass safe-chain (venv module)`, async () => { it(`python3 -m venv should bypass safe-chain (venv module)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 -m venv /tmp/test_venv"); const result = await shell.runCommand("python3 -m venv /tmp/test_venv");
// Should create venv without safe-chain // Should create venv without safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
`python3 -m venv should not go through safe-chain. Output was:\n${result.output}` `python3 -m venv should not go through safe-chain. Output was:\n${result.output}`
); );
// Verify venv was created // Verify venv was created
const checkVenv = await shell.runCommand("test -f /tmp/test_venv/bin/python3 && echo 'exists'"); const checkVenv = await shell.runCommand(
"test -f /tmp/test_venv/bin/python3 && echo 'exists'"
);
assert.ok( assert.ok(
checkVenv.output.includes("exists"), checkVenv.output.includes("exists"),
`venv should be created. Output was:\n${checkVenv.output}` `venv should be created. Output was:\n${checkVenv.output}`
@ -741,10 +770,12 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pytest should bypass safe-chain (pytest module)`, async () => { it(`python3 -m pytest should bypass safe-chain (pytest module)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// pytest may not be installed, but the bypass should work regardless // pytest may not be installed, but the bypass should work regardless
const result = await shell.runCommand("python3 -m pytest --version 2>&1 || true"); const result = await shell.runCommand(
"python3 -m pytest --version 2>&1 || true"
);
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -754,15 +785,15 @@ describe("E2E: pip coverage", () => {
it(`python3 -m site should bypass safe-chain (site module)`, async () => { it(`python3 -m site should bypass safe-chain (site module)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 -m site"); const result = await shell.runCommand("python3 -m site");
// Should output site information // Should output site information
assert.ok( assert.ok(
result.output.includes("sys.path") || result.output.includes("USER_BASE"), result.output.includes("sys.path") || result.output.includes("USER_BASE"),
`Should output site information. Output was:\n${result.output}` `Should output site information. Output was:\n${result.output}`
); );
// Should NOT go through safe-chain // Should NOT go through safe-chain
assert.ok( assert.ok(
!result.output.includes("Safe-chain"), !result.output.includes("Safe-chain"),
@ -771,16 +802,17 @@ describe("E2E: pip coverage", () => {
}); });
// Verify that -m pip* still goes through safe-chain (sanity check) // Verify that -m pip* still goes through safe-chain (sanity check)
it(`python3 -m pip DOES go through safe-chain (sanity check)`, async () => { it(`python3 -m pip DOES go through safe-chain (sanity check)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python3 -m pip install --break-system-packages certifi" "python3 -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
); );
// SHOULD go through safe-chain // SHOULD go through safe-chain
assert.ok( assert.ok(
result.output.includes("Safe-chain") || result.output.includes("no malware found"), result.output.includes("Safe-chain") ||
result.output.includes("no malware found"),
`python3 -m pip SHOULD go through safe-chain. Output was:\n${result.output}` `python3 -m pip SHOULD go through safe-chain. Output was:\n${result.output}`
); );
}); });
@ -788,12 +820,13 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip3 DOES go through safe-chain (sanity check)`, async () => { it(`python3 -m pip3 DOES go through safe-chain (sanity check)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python3 -m pip3 install --break-system-packages certifi" "python3 -m pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
); );
// SHOULD go through safe-chain // SHOULD go through safe-chain
assert.ok( assert.ok(
result.output.includes("Safe-chain") || result.output.includes("no malware found"), result.output.includes("Safe-chain") ||
result.output.includes("no malware found"),
`python3 -m pip3 SHOULD go through safe-chain. Output was:\n${result.output}` `python3 -m pip3 SHOULD go through safe-chain. Output was:\n${result.output}`
); );
}); });
@ -801,12 +834,13 @@ describe("E2E: pip coverage", () => {
it(`python -m pip DOES go through safe-chain (sanity check)`, async () => { it(`python -m pip DOES go through safe-chain (sanity check)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"python -m pip install --break-system-packages certifi" "python -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
); );
// SHOULD go through safe-chain // SHOULD go through safe-chain
assert.ok( assert.ok(
result.output.includes("Safe-chain") || result.output.includes("no malware found"), result.output.includes("Safe-chain") ||
result.output.includes("no malware found"),
`python -m pip SHOULD go through safe-chain. Output was:\n${result.output}` `python -m pip SHOULD go through safe-chain. Output was:\n${result.output}`
); );
}); });

4
test/e2e/pnpm-ci.e2e.spec.js
View file

@ -33,7 +33,9 @@ describe("E2E: pnpm coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => { it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pnpm add axios"); const result = await shell.runCommand(
"pnpm add axios --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),

4
test/e2e/pnpm.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: pnpm coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => { it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pnpm add axios"); const result = await shell.runCommand(
"pnpm add axios --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),

6
test/e2e/poetry.e2e.spec.js
View file

@ -16,6 +16,9 @@ describe("E2E: poetry coverage", () => {
const installationShell = await container.openShell("zsh"); const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup --include-python"); await installationShell.runCommand("safe-chain setup --include-python");
// Clear poetry cache
await installationShell.runCommand("command poetry cache clear pypi --all -n");
}); });
afterEach(async () => { afterEach(async () => {
@ -29,9 +32,6 @@ describe("E2E: poetry coverage", () => {
it(`successfully installs known safe packages with poetry add`, async () => { it(`successfully installs known safe packages with poetry add`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Clear poetry cache using command to bypass safe-chain wrapper
await shell.runCommand("command poetry cache clear pypi --all -n");
// Initialize a new poetry project // Initialize a new poetry project
await shell.runCommand("mkdir /tmp/test-poetry-project && cd /tmp/test-poetry-project"); await shell.runCommand("mkdir /tmp/test-poetry-project && cd /tmp/test-poetry-project");
await shell.runCommand("cd /tmp/test-poetry-project && poetry init --no-interaction"); await shell.runCommand("cd /tmp/test-poetry-project && poetry init --no-interaction");

10
test/e2e/safe-chain-cli-python.e2e.spec.js
View file

@ -14,6 +14,10 @@ describe("E2E: safe-chain CLI python/pip support", () => {
await container.start(); await container.start();
// Note: We do NOT run 'safe-chain setup' here. // Note: We do NOT run 'safe-chain setup' here.
// We want to test the 'safe-chain' CLI command directly. // We want to test the 'safe-chain' CLI command directly.
// Clear pip cache
const shell = await container.openShell("zsh");
await shell.runCommand("pip3 cache purge");
}); });
afterEach(async () => { afterEach(async () => {
@ -27,7 +31,7 @@ describe("E2E: safe-chain CLI python/pip support", () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Invoke safe-chain directly with pip3 command // Invoke safe-chain directly with pip3 command
const result = await shell.runCommand( const result = await shell.runCommand(
"safe-chain pip3 install --break-system-packages requests" "safe-chain pip3 install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -44,7 +48,7 @@ describe("E2E: safe-chain CLI python/pip support", () => {
it("safe-chain python3 -m pip install routes through proxy", async () => { it("safe-chain python3 -m pip install routes through proxy", async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"safe-chain python3 -m pip install --break-system-packages requests" "safe-chain python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -55,7 +59,7 @@ describe("E2E: safe-chain CLI python/pip support", () => {
it("safe-chain python3 script.py bypasses proxy", async () => { it("safe-chain python3 script.py bypasses proxy", async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a simple script // Create a simple script
await shell.runCommand("echo \"print('direct execution')\" > /tmp/test.py"); await shell.runCommand("echo \"print('direct execution')\" > /tmp/test.py");

4
test/e2e/setup-ci.e2e.spec.js
View file

@ -39,7 +39,9 @@ describe("E2E: safe-chain setup-ci command", () => {
); );
const projectShell = await container.openShell(shell); const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand("npm i axios"); const result = await projectShell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
const hasExpectedOutput = result.output.includes("Safe-chain: Scanned"); const hasExpectedOutput = result.output.includes("Safe-chain: Scanned");
assert.ok( assert.ok(

4
test/e2e/setup.teardown.e2e.spec.js
View file

@ -29,7 +29,9 @@ describe("E2E: safe-chain setup command", () => {
const projectShell = await container.openShell(shell); const projectShell = await container.openShell(shell);
await projectShell.runCommand("cd /testapp"); await projectShell.runCommand("cd /testapp");
const result = await projectShell.runCommand("npm i axios"); const result = await projectShell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
const hasExpectedOutput = result.output.includes("Safe-chain: Scanned"); const hasExpectedOutput = result.output.includes("Safe-chain: Scanned");
assert.ok( assert.ok(

163
test/e2e/uv.e2e.spec.js
View file

@ -16,6 +16,9 @@ describe("E2E: uv coverage", () => {
const installationShell = await container.openShell("zsh"); const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup --include-python"); await installationShell.runCommand("safe-chain setup --include-python");
// Clear uv cache
await installationShell.runCommand("uv cache clean");
}); });
afterEach(async () => { afterEach(async () => {
@ -29,7 +32,7 @@ describe("E2E: uv coverage", () => {
it(`successfully installs known safe packages with uv pip install`, async () => { it(`successfully installs known safe packages with uv pip install`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests" "uv pip install --system --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -41,7 +44,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with specific version`, async () => { it(`uv pip install with specific version`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests==2.32.3" "uv pip install --system --break-system-packages requests==2.32.3 --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -53,7 +56,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with version specifiers (>=)`, async () => { it(`uv pip install with version specifiers (>=)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
'uv pip install --system --break-system-packages "Jinja2>=3.1"' 'uv pip install --system --break-system-packages "Jinja2>=3.1" --safe-chain-logging=verbose'
); );
assert.ok( assert.ok(
@ -65,7 +68,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with extras such as requests[socks]`, async () => { it(`uv pip install with extras such as requests[socks]`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
'uv pip install --system --break-system-packages "requests[socks]==2.32.3"' 'uv pip install --system --break-system-packages "requests[socks]==2.32.3" --safe-chain-logging=verbose'
); );
assert.ok( assert.ok(
@ -77,7 +80,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install multiple packages`, async () => { it(`uv pip install multiple packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests certifi urllib3" "uv pip install --system --break-system-packages requests certifi urllib3 --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -88,13 +91,13 @@ describe("E2E: uv coverage", () => {
it(`uv pip install from requirements file`, async () => { it(`uv pip install from requirements file`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a requirements.txt file // Create a requirements.txt file
await shell.runCommand("echo 'requests==2.32.3' > requirements.txt"); await shell.runCommand("echo 'requests==2.32.3' > requirements.txt");
await shell.runCommand("echo 'certifi>=2024.0.0' >> requirements.txt"); await shell.runCommand("echo 'certifi>=2024.0.0' >> requirements.txt");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages -r requirements.txt" "uv pip install --system --break-system-packages -r requirements.txt --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -105,12 +108,12 @@ describe("E2E: uv coverage", () => {
it(`uv pip sync with requirements file`, async () => { it(`uv pip sync with requirements file`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a requirements.txt file // Create a requirements.txt file
await shell.runCommand("echo 'requests==2.32.3' > requirements-sync.txt"); await shell.runCommand("echo 'requests==2.32.3' > requirements-sync.txt");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip sync --system --break-system-packages requirements-sync.txt" "uv pip sync --system --break-system-packages requirements-sync.txt --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -121,7 +124,7 @@ describe("E2E: uv coverage", () => {
it(`safe-chain blocks installation of malicious Python packages via uv`, async () => { it(`safe-chain blocks installation of malicious Python packages via uv`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages safe-chain-pi-test" "uv pip install --system --break-system-packages safe-chain-pi-test"
); );
@ -149,7 +152,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install from GitHub URL using the CA bundle`, async () => { it(`uv pip install from GitHub URL using the CA bundle`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages git+https://github.com/psf/requests.git@v2.32.3" "uv pip install --system --break-system-packages git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -167,9 +170,9 @@ describe("E2E: uv coverage", () => {
it(`uv pip successfully validates certificates for HTTPS downloads`, async () => { it(`uv pip successfully validates certificates for HTTPS downloads`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages certifi" "uv pip install --system --break-system-packages certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -196,7 +199,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install from direct HTTPS wheel URL`, async () => { it(`uv pip install from direct HTTPS wheel URL`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl" "uv pip install --system --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -213,13 +216,15 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with --upgrade flag`, async () => { it(`uv pip install with --upgrade flag`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// First install a package // First install a package
await shell.runCommand("uv pip install --system --break-system-packages requests==2.31.0"); await shell.runCommand(
"uv pip install --system --break-system-packages requests==2.31.0"
);
// Then upgrade it // Then upgrade it
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages --upgrade requests" "uv pip install --system --break-system-packages --upgrade requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -231,7 +236,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with --no-deps flag`, async () => { it(`uv pip install with --no-deps flag`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages --no-deps requests" "uv pip install --system --break-system-packages --no-deps requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -242,14 +247,18 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with --editable flag from local directory`, async () => { it(`uv pip install with --editable flag from local directory`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a simple package structure // Create a simple package structure
await shell.runCommand("mkdir -p /tmp/test-pkg"); await shell.runCommand("mkdir -p /tmp/test-pkg");
await shell.runCommand("echo 'from setuptools import setup' > /tmp/test-pkg/setup.py"); await shell.runCommand(
await shell.runCommand("echo \"setup(name='test-pkg', version='0.1.0')\" >> /tmp/test-pkg/setup.py"); "echo 'from setuptools import setup' > /tmp/test-pkg/setup.py"
);
await shell.runCommand(
"echo \"setup(name='test-pkg', version='0.1.0')\" >> /tmp/test-pkg/setup.py"
);
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages -e /tmp/test-pkg" "uv pip install --system --break-system-packages -e /tmp/test-pkg --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -260,13 +269,11 @@ describe("E2E: uv coverage", () => {
it(`uv pip compile creates locked requirements`, async () => { it(`uv pip compile creates locked requirements`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create an input requirements file // Create an input requirements file
await shell.runCommand("echo 'requests' > requirements.in"); await shell.runCommand("echo 'requests' > requirements.in");
const result = await shell.runCommand( const result = await shell.runCommand("uv pip compile requirements.in");
"uv pip compile requirements.in"
);
// uv pip compile doesn't install packages, just resolves dependencies // uv pip compile doesn't install packages, just resolves dependencies
// It should complete successfully and output resolved requirements // It should complete successfully and output resolved requirements
@ -279,7 +286,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with --index-url for alternate registry`, async () => { it(`uv pip install with --index-url for alternate registry`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages --index-url https://test.pypi.org/simple certifi" "uv pip install --system --break-system-packages --index-url https://test.pypi.org/simple certifi --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -300,7 +307,7 @@ describe("E2E: uv coverage", () => {
const result = await shell.runCommand( const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests --safe-chain-logging=verbose" "uv pip install --system --break-system-packages requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
@ -310,7 +317,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with version range constraint`, async () => { it(`uv pip install with version range constraint`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
'uv pip install --system --break-system-packages "requests>=2.31.0,<2.33.0"' 'uv pip install --system --break-system-packages "requests>=2.31.0,<2.33.0" --safe-chain-logging=verbose'
); );
assert.ok( assert.ok(
@ -321,10 +328,12 @@ describe("E2E: uv coverage", () => {
it(`uv pip list shows installed packages`, async () => { it(`uv pip list shows installed packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Install a package first // Install a package first
await shell.runCommand("uv pip install --system --break-system-packages requests"); await shell.runCommand(
"uv pip install --system --break-system-packages requests"
);
// Then list packages - this shouldn't trigger safe-chain scanning // Then list packages - this shouldn't trigger safe-chain scanning
const result = await shell.runCommand("uv pip list --system"); const result = await shell.runCommand("uv pip list --system");
@ -337,10 +346,10 @@ describe("E2E: uv coverage", () => {
it(`uv add installs package and updates project`, async () => { it(`uv add installs package and updates project`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project and add package in same command // Initialize a new uv project and add package in same command
const result = await shell.runCommand( const result = await shell.runCommand(
"uv init test-project && cd test-project && uv add requests" "uv init test-project && cd test-project && uv add requests --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -351,12 +360,12 @@ describe("E2E: uv coverage", () => {
it(`uv add with specific version`, async () => { it(`uv add with specific version`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project // Initialize a new uv project
await shell.runCommand("uv init test-project-version"); await shell.runCommand("uv init test-project-version");
const result = await shell.runCommand( const result = await shell.runCommand(
"cd test-project-version && uv add requests==2.32.3" "cd test-project-version && uv add requests==2.32.3 --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -367,12 +376,12 @@ describe("E2E: uv coverage", () => {
it(`uv add --dev for development dependencies`, async () => { it(`uv add --dev for development dependencies`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project // Initialize a new uv project
await shell.runCommand("uv init test-project-dev"); await shell.runCommand("uv init test-project-dev");
const result = await shell.runCommand( const result = await shell.runCommand(
"cd test-project-dev && uv add --dev pytest" "cd test-project-dev && uv add --dev pytest --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -383,12 +392,12 @@ describe("E2E: uv coverage", () => {
it(`uv add multiple packages at once`, async () => { it(`uv add multiple packages at once`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project // Initialize a new uv project
await shell.runCommand("uv init test-project-multi"); await shell.runCommand("uv init test-project-multi");
const result = await shell.runCommand( const result = await shell.runCommand(
"cd test-project-multi && uv add requests certifi urllib3" "cd test-project-multi && uv add requests certifi urllib3 --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -399,10 +408,10 @@ describe("E2E: uv coverage", () => {
it(`safe-chain blocks malicious packages via uv add`, async () => { it(`safe-chain blocks malicious packages via uv add`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project // Initialize a new uv project
await shell.runCommand("uv init test-project-malware"); await shell.runCommand("uv init test-project-malware");
const result = await shell.runCommand( const result = await shell.runCommand(
"cd test-project-malware && uv add safe-chain-pi-test" "cd test-project-malware && uv add safe-chain-pi-test"
); );
@ -424,20 +433,19 @@ describe("E2E: uv coverage", () => {
it(`uv tool install installs a global tool`, async () => { it(`uv tool install installs a global tool`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv tool install ruff" "uv tool install ruff --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
result.output.includes("no malware found.") || result.output.includes("Installed"), result.output.includes("no malware found.") ||
result.output.includes("Installed"),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
it(`safe-chain blocks malicious packages via uv tool install`, async () => { it(`safe-chain blocks malicious packages via uv tool install`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand( const result = await shell.runCommand("uv tool install safe-chain-pi-test");
"uv tool install safe-chain-pi-test"
);
assert.ok( assert.ok(
result.output.includes("blocked 1 malicious package downloads:"), result.output.includes("blocked 1 malicious package downloads:"),
@ -451,12 +459,14 @@ describe("E2E: uv coverage", () => {
it(`uv run --with installs ephemeral dependency`, async () => { it(`uv run --with installs ephemeral dependency`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a simple Python script // Create a simple Python script
await shell.runCommand("echo 'import requests; print(requests.__version__)' > test_script.py"); await shell.runCommand(
"echo 'import requests; print(requests.__version__)' > test_script.py"
);
const result = await shell.runCommand( const result = await shell.runCommand(
"uv run --with requests test_script.py" "uv run --with requests test_script.py --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -467,10 +477,10 @@ describe("E2E: uv coverage", () => {
it(`safe-chain blocks malicious packages via uv run --with`, async () => { it(`safe-chain blocks malicious packages via uv run --with`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create a simple Python script // Create a simple Python script
await shell.runCommand("echo 'print(\"test\")' > test_script2.py"); await shell.runCommand("echo 'print(\"test\")' > test_script2.py");
const result = await shell.runCommand( const result = await shell.runCommand(
"uv run --with safe-chain-pi-test test_script2.py" "uv run --with safe-chain-pi-test test_script2.py"
); );
@ -483,10 +493,10 @@ describe("E2E: uv coverage", () => {
it(`uv sync syncs project dependencies`, async () => { it(`uv sync syncs project dependencies`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project, add a dependency, remove venv, and sync in one command chain // Initialize a new uv project, add a dependency, remove venv, and sync in one command chain
const result = await shell.runCommand( const result = await shell.runCommand(
"uv init test-sync-project && cd test-sync-project && uv add requests && rm -rf .venv && uv sync" "uv init test-sync-project && cd test-sync-project && uv add requests --safe-chain-logging=verbose && rm -rf .venv && uv sync --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -497,12 +507,12 @@ describe("E2E: uv coverage", () => {
it(`uv add from git URL`, async () => { it(`uv add from git URL`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project // Initialize a new uv project
await shell.runCommand("uv init test-git-add"); await shell.runCommand("uv init test-git-add");
const result = await shell.runCommand( const result = await shell.runCommand(
"cd test-git-add && uv add git+https://github.com/psf/requests.git@v2.32.3" "cd test-git-add && uv add git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -513,12 +523,12 @@ describe("E2E: uv coverage", () => {
it(`uv add with --optional group`, async () => { it(`uv add with --optional group`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize a new uv project // Initialize a new uv project
await shell.runCommand("uv init test-optional"); await shell.runCommand("uv init test-optional");
const result = await shell.runCommand( const result = await shell.runCommand(
"cd test-optional && uv add --optional dev pytest" "cd test-optional && uv add --optional dev pytest --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -529,13 +539,15 @@ describe("E2E: uv coverage", () => {
it(`uv run --with-requirements installs from requirements file`, async () => { it(`uv run --with-requirements installs from requirements file`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Create requirements file and script // Create requirements file and script
await shell.runCommand("echo 'requests' > run_requirements.txt"); await shell.runCommand("echo 'requests' > run_requirements.txt");
await shell.runCommand("echo 'import requests; print(requests.__version__)' > run_script.py"); await shell.runCommand(
"echo 'import requests; print(requests.__version__)' > run_script.py"
);
const result = await shell.runCommand( const result = await shell.runCommand(
"uv run --with-requirements run_requirements.txt run_script.py" "uv run --with-requirements run_requirements.txt run_script.py --safe-chain-logging=verbose"
); );
assert.ok( assert.ok(
@ -546,10 +558,10 @@ describe("E2E: uv coverage", () => {
it(`uv sync --all-extras syncs all optional dependencies`, async () => { it(`uv sync --all-extras syncs all optional dependencies`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Initialize project with optional dependency and sync in one command chain // Initialize project with optional dependency and sync in one command chain
const result = await shell.runCommand( const result = await shell.runCommand(
"uv init test-extras && cd test-extras && uv add --optional dev pytest && uv sync --all-extras" "uv init test-extras && cd test-extras && uv add --optional dev pytest --safe-chain-logging=verbose && uv sync --all-extras"
); );
assert.ok( assert.ok(
@ -558,4 +570,3 @@ describe("E2E: uv coverage", () => {
); );
}); });
}); });

4
test/e2e/yarn-ci.e2e.spec.js
View file

@ -33,7 +33,9 @@ describe("E2E: yarn coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => { it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("yarn add axios"); const result = await shell.runCommand(
"yarn add axios --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),

4
test/e2e/yarn.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: yarn coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => { it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("yarn add axios"); const result = await shell.runCommand(
"yarn add axios --safe-chain-logging=verbose"
);
assert.ok( assert.ok(
result.output.includes("no malware found."), result.output.includes("no malware found."),