milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into feature/combine-certs

Browse source
This commit is contained in:
Reinier Criel 2025-12-08 09:42:10 -08:00
commit 091e6ec5f8
18 changed files with 305 additions and 221 deletions
Download patch file Download diff file Expand all files Collapse all files

11
.github/workflows/test-on-pr.yml vendored
View file

@ -6,7 +6,12 @@ jobs:
unit-test:
name: Run unit tests and linting
runs-on: ubuntu-latest
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
steps:
- name: Checkout code
@ -23,7 +28,7 @@ jobs:
safe-chain setup-ci
- name: Install dependencies
run: npm ci
run: npm ci --ignore-scripts
- name: Run unit tests
run: npm test
@ -35,10 +40,12 @@ jobs:
run: npm run typecheck --workspace=packages/safe-chain
- name: Create package tarball
if: matrix.os == 'ubuntu-latest'
run: npm pack --workspace=packages/safe-chain
- name: Upload package tarball
uses: actions/upload-artifact@v4
if: matrix.os == 'ubuntu-latest'
with:
name: safe-chain-package
path: aikidosec-safe-chain-*.tgz

3
packages/safe-chain/src/main.js
View file

@ -64,8 +64,7 @@ export async function main(args) {
const auditStats = getAuditStats();
if (auditStats.totalPackages > 0) {
ui.emptyLine();
ui.writeInformation(
ui.writeVerbose(
`${chalk.green("✔")} Safe-chain: Scanned ${
auditStats.totalPackages
} packages, no malware found.`

6
packages/safe-chain/src/registryProxy/interceptors/interceptorBuilder.js
View file

@ -20,6 +20,12 @@ import { EventEmitter } from "events";
* @property {(headers: NodeJS.Dict<string | string[]> | undefined) => NodeJS.Dict<string | string[]> | undefined} modifyRequestHeaders
* @property {() => boolean} modifiesResponse
* @property {(body: Buffer, headers: NodeJS.Dict<string | string[]> | undefined) => Buffer} modifyBody
*
* @typedef {Object} MalwareBlockedEvent
* @property {string} packageName
* @property {string} version
* @property {string} targetUrl
* @property {number} timestamp
*/
/**

11
packages/safe-chain/src/registryProxy/registryProxy.js
View file

@ -140,9 +140,14 @@ function handleConnect(req, clientSocket, head) {
if (interceptor) {
// Subscribe to malware blocked events
interceptor.on("malwareBlocked", (event) => {
onMalwareBlocked(event.packageName, event.version, event.url);
});
interceptor.on(
"malwareBlocked",
(
/** @type {import("./interceptors/interceptorBuilder.js").MalwareBlockedEvent} */ event
) => {
onMalwareBlocked(event.packageName, event.version, event.targetUrl);
}
);
mitmConnect(req, clientSocket, interceptor);
} else {

4
test/e2e/bun.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: bun coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("bash");
const result = await shell.runCommand("bun i axios");
const result = await shell.runCommand(
"bun i axios --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),

4
test/e2e/npm-ci.e2e.spec.js
View file

@ -33,7 +33,9 @@ describe("E2E: npm coverage using PATH", () => {
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("npm i axios");
const result = await shell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),

4
test/e2e/npm.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: npm coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("npm i axios");
const result = await shell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),

10
test/e2e/pip-ci.e2e.spec.js
View file

@ -100,7 +100,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell);
// Use --break-system-packages to avoid Debian/Ubuntu external management restrictions
const result = await projectShell.runCommand(
"pip3 install --break-system-packages certifi"
"pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
);
const hasExpectedOutput = result.output.includes("no malware found.");
@ -126,7 +126,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand(
"python -m pip install --break-system-packages certifi"
"python -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -149,7 +149,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand(
"python3 -m pip install --break-system-packages certifi"
"python3 -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -172,7 +172,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand(
"pip install --break-system-packages certifi"
"pip install --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -195,7 +195,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand(
"pip3 install --break-system-packages certifi"
"pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(

120
test/e2e/pip.e2e.spec.js
View file

@ -32,7 +32,7 @@ describe("E2E: pip coverage", () => {
it(`successfully installs known safe packages with pip3`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"pip3 install --break-system-packages requests"
"pip3 install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -43,7 +43,9 @@ describe("E2E: pip coverage", () => {
it(`pip3 download`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 download requests");
const result = await shell.runCommand(
"pip3 download requests --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),
@ -53,7 +55,9 @@ describe("E2E: pip coverage", () => {
it(`pip3 .whl`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 wheel requests");
const result = await shell.runCommand(
"pip3 wheel requests --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),
@ -64,7 +68,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 install --dry-run is respected by scanner`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"pip3 install --dry-run --break-system-packages requests"
"pip3 install --dry-run --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -76,7 +80,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 install with extras such as requests[socks]`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
'pip3 install --break-system-packages "requests[socks]==2.32.3"'
'pip3 install --break-system-packages "requests[socks]==2.32.3" --safe-chain-logging=verbose'
);
assert.ok(
@ -88,7 +92,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 install with range version specifier`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
'pip3 install --break-system-packages "Jinja2>=3.1,<3.2"'
'pip3 install --break-system-packages "Jinja2>=3.1,<3.2" --safe-chain-logging=verbose'
);
assert.ok(
@ -100,7 +104,7 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip install routes through safe-chain`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python3 -m pip install --break-system-packages requests"
"python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -111,7 +115,9 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip download routes through safe-chain`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 -m pip download requests");
const result = await shell.runCommand(
"python3 -m pip download requests --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),
@ -148,7 +154,7 @@ describe("E2E: pip coverage", () => {
it(`python -m pip routes to aikido-pip (uses pip command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python -m pip install --break-system-packages requests"
"python -m pip install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -166,7 +172,7 @@ describe("E2E: pip coverage", () => {
it(`python -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python -m pip3 install --break-system-packages requests"
"python -m pip3 install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -184,7 +190,7 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python3 -m pip install --break-system-packages requests"
"python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -202,7 +208,7 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python3 -m pip3 install --break-system-packages requests"
"python3 -m pip3 install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -222,7 +228,7 @@ describe("E2E: pip coverage", () => {
// Install a simple package from GitHub - this should use TCP tunnel, not MITM
// Using a popular, small package for testing
const result = await shell.runCommand(
"pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3"
"pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
);
assert.ok(
@ -248,7 +254,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 successfully validates certificates for HTTPS downloads`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"pip3 install --break-system-packages certifi"
"pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -276,7 +282,7 @@ describe("E2E: pip coverage", () => {
// Test installing from a direct HTTPS URL (not a registry)
// This validates that non-registry HTTPS traffic works with our env-provided CA bundle
const result = await shell.runCommand(
"pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl"
"pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl --safe-chain-logging=verbose"
);
assert.ok(
@ -299,7 +305,7 @@ describe("E2E: pip coverage", () => {
// This tests tunneled HTTPS with our env-provided CA bundle (Safe Chain CA + Mozilla + Node roots)
// If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED
const result = await shell.runCommand(
"pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi"
"pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -348,9 +354,7 @@ describe("E2E: pip coverage", () => {
);
// Verify it was persisted by reading it back
const getResult = await shell.runCommand(
"pip3 config get global.timeout"
);
const getResult = await shell.runCommand("pip3 config get global.timeout");
assert.ok(
getResult.output.includes("60"),
@ -384,7 +388,9 @@ describe("E2E: pip coverage", () => {
assert.ok(getResult.output.includes("120"));
// Unset it
const unsetResult = await shell.runCommand("pip3 config unset global.timeout");
const unsetResult = await shell.runCommand(
"pip3 config unset global.timeout"
);
assert.ok(
unsetResult.output.includes("Writing to"),
`pip3 config unset should write config. Output was:\n${unsetResult.output}`
@ -428,7 +434,8 @@ describe("E2E: pip coverage", () => {
// Should show either cached wheels or "No locally built wheels"
assert.ok(
result.output.includes("certifi") || result.output.includes("No locally built"),
result.output.includes("certifi") ||
result.output.includes("No locally built"),
`Should output cache list information. Output was:\n${result.output}`
);
});
@ -458,7 +465,9 @@ describe("E2E: pip coverage", () => {
// Should output shell completion code
assert.ok(
result.output.includes("compdef") || result.output.includes("_pip") || result.output.includes("pip completion"),
result.output.includes("compdef") ||
result.output.includes("_pip") ||
result.output.includes("pip completion"),
`Should output completion code. Output was:\n${result.output}`
);
});
@ -472,7 +481,7 @@ describe("E2E: pip coverage", () => {
// Now install should still work with malware protection
const result = await shell.runCommand(
"pip3 install --break-system-packages certifi"
"pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -491,7 +500,9 @@ describe("E2E: pip coverage", () => {
const shell = await container.openShell("zsh");
// Configure pip with timeout and extra index URL
const configTimeout = await shell.runCommand("pip3 config set global.timeout 60");
const configTimeout = await shell.runCommand(
"pip3 config set global.timeout 60"
);
assert.ok(
configTimeout.output.includes("Writing to"),
`Config set should succeed. Output was:\n${configTimeout.output}`
@ -512,13 +523,14 @@ describe("E2E: pip coverage", () => {
`Config should show timeout=60. Output was:\n${listConfig.output}`
);
assert.ok(
listConfig.output.includes("extra-index-url") && listConfig.output.includes("pypi.org"),
listConfig.output.includes("extra-index-url") &&
listConfig.output.includes("pypi.org"),
`Config should show extra-index-url. Output was:\n${listConfig.output}`
);
// Now download packages with the configured settings
const downloadResult = await shell.runCommand(
"pip3 download -d /tmp/packages requests certifi"
"pip3 download -d /tmp/packages requests certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -528,7 +540,8 @@ describe("E2E: pip coverage", () => {
// Verify downloads succeeded
assert.ok(
downloadResult.output.includes("Saved") || downloadResult.output.includes("requests"),
downloadResult.output.includes("Saved") ||
downloadResult.output.includes("requests"),
`Download should succeed with configured settings. Output was:\n${downloadResult.output}`
);
assert.ok(
@ -575,7 +588,9 @@ describe("E2E: pip coverage", () => {
it(`python3 -c "print('hello')" should bypass safe-chain and execute code`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 -c \"print('hello world')\"");
const result = await shell.runCommand(
"python3 -c \"print('hello world')\""
);
// Should execute Python code
assert.ok(
@ -592,7 +607,9 @@ describe("E2E: pip coverage", () => {
it(`python -c should bypass safe-chain and execute code`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("python -c \"import sys; print(sys.version)\"");
const result = await shell.runCommand(
'python -c "import sys; print(sys.version)"'
);
// Should execute Python code and print version
assert.ok(
@ -611,7 +628,9 @@ describe("E2E: pip coverage", () => {
const shell = await container.openShell("zsh");
// Create a simple Python script
await shell.runCommand("echo \"print('script executed')\" > /tmp/test_script.py");
await shell.runCommand(
"echo \"print('script executed')\" > /tmp/test_script.py"
);
const result = await shell.runCommand("python3 /tmp/test_script.py");
@ -632,7 +651,9 @@ describe("E2E: pip coverage", () => {
const shell = await container.openShell("zsh");
// Create a simple Python script
await shell.runCommand("echo \"print('python2/3 compatible')\" > /tmp/test_script2.py");
await shell.runCommand(
"echo \"print('python2/3 compatible')\" > /tmp/test_script2.py"
);
const result = await shell.runCommand("python /tmp/test_script2.py");
@ -653,11 +674,13 @@ describe("E2E: pip coverage", () => {
const shell = await container.openShell("zsh");
// json.tool is a built-in Python module for formatting JSON
const result = await shell.runCommand("echo '{\"test\": 123}' | python3 -m json.tool");
const result = await shell.runCommand(
"echo '{\"test\": 123}' | python3 -m json.tool"
);
// Should format JSON
assert.ok(
result.output.includes('"test"') && result.output.includes('123'),
result.output.includes('"test"') && result.output.includes("123"),
`Should format JSON. Output was:\n${result.output}`
);
@ -673,7 +696,9 @@ describe("E2E: pip coverage", () => {
// Start http.server in background and kill it immediately
// We just want to verify it starts without safe-chain interference
const result = await shell.runCommand("timeout 1 python3 -m http.server 8999 || true");
const result = await shell.runCommand(
"timeout 1 python3 -m http.server 8999 || true"
);
// Should NOT go through safe-chain
assert.ok(
@ -683,7 +708,9 @@ describe("E2E: pip coverage", () => {
// Should either start the server or timeout (both are success for bypass test)
assert.ok(
result.output.includes("Serving HTTP") || result.output === "" || result.exitCode !== undefined,
result.output.includes("Serving HTTP") ||
result.output === "" ||
result.exitCode !== undefined,
`Should attempt to start server. Output was:\n${result.output}`
);
});
@ -732,7 +759,9 @@ describe("E2E: pip coverage", () => {
);
// Verify venv was created
const checkVenv = await shell.runCommand("test -f /tmp/test_venv/bin/python3 && echo 'exists'");
const checkVenv = await shell.runCommand(
"test -f /tmp/test_venv/bin/python3 && echo 'exists'"
);
assert.ok(
checkVenv.output.includes("exists"),
`venv should be created. Output was:\n${checkVenv.output}`
@ -743,7 +772,9 @@ describe("E2E: pip coverage", () => {
const shell = await container.openShell("zsh");
// pytest may not be installed, but the bypass should work regardless
const result = await shell.runCommand("python3 -m pytest --version 2>&1 || true");
const result = await shell.runCommand(
"python3 -m pytest --version 2>&1 || true"
);
// Should NOT go through safe-chain
assert.ok(
@ -775,12 +806,13 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip DOES go through safe-chain (sanity check)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python3 -m pip install --break-system-packages certifi"
"python3 -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
);
// SHOULD go through safe-chain
assert.ok(
result.output.includes("Safe-chain") || result.output.includes("no malware found"),
result.output.includes("Safe-chain") ||
result.output.includes("no malware found"),
`python3 -m pip SHOULD go through safe-chain. Output was:\n${result.output}`
);
});
@ -788,12 +820,13 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip3 DOES go through safe-chain (sanity check)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python3 -m pip3 install --break-system-packages certifi"
"python3 -m pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
);
// SHOULD go through safe-chain
assert.ok(
result.output.includes("Safe-chain") || result.output.includes("no malware found"),
result.output.includes("Safe-chain") ||
result.output.includes("no malware found"),
`python3 -m pip3 SHOULD go through safe-chain. Output was:\n${result.output}`
);
});
@ -801,12 +834,13 @@ describe("E2E: pip coverage", () => {
it(`python -m pip DOES go through safe-chain (sanity check)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python -m pip install --break-system-packages certifi"
"python -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
);
// SHOULD go through safe-chain
assert.ok(
result.output.includes("Safe-chain") || result.output.includes("no malware found"),
result.output.includes("Safe-chain") ||
result.output.includes("no malware found"),
`python -m pip SHOULD go through safe-chain. Output was:\n${result.output}`
);
});

4
test/e2e/pnpm-ci.e2e.spec.js
View file

@ -33,7 +33,9 @@ describe("E2E: pnpm coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pnpm add axios");
const result = await shell.runCommand(
"pnpm add axios --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),

4
test/e2e/pnpm.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: pnpm coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pnpm add axios");
const result = await shell.runCommand(
"pnpm add axios --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),

6
test/e2e/poetry.e2e.spec.js
View file

@ -16,6 +16,9 @@ describe("E2E: poetry coverage", () => {
const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup --include-python");
// Clear poetry cache
await installationShell.runCommand("command poetry cache clear pypi --all -n");
});
afterEach(async () => {
@ -29,9 +32,6 @@ describe("E2E: poetry coverage", () => {
it(`successfully installs known safe packages with poetry add`, async () => {
const shell = await container.openShell("zsh");
// Clear poetry cache using command to bypass safe-chain wrapper
await shell.runCommand("command poetry cache clear pypi --all -n");
// Initialize a new poetry project
await shell.runCommand("mkdir /tmp/test-poetry-project && cd /tmp/test-poetry-project");
await shell.runCommand("cd /tmp/test-poetry-project && poetry init --no-interaction");

8
test/e2e/safe-chain-cli-python.e2e.spec.js
View file

@ -14,6 +14,10 @@ describe("E2E: safe-chain CLI python/pip support", () => {
await container.start();
// Note: We do NOT run 'safe-chain setup' here.
// We want to test the 'safe-chain' CLI command directly.
// Clear pip cache
const shell = await container.openShell("zsh");
await shell.runCommand("pip3 cache purge");
});
afterEach(async () => {
@ -27,7 +31,7 @@ describe("E2E: safe-chain CLI python/pip support", () => {
const shell = await container.openShell("zsh");
// Invoke safe-chain directly with pip3 command
const result = await shell.runCommand(
"safe-chain pip3 install --break-system-packages requests"
"safe-chain pip3 install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -44,7 +48,7 @@ describe("E2E: safe-chain CLI python/pip support", () => {
it("safe-chain python3 -m pip install routes through proxy", async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"safe-chain python3 -m pip install --break-system-packages requests"
"safe-chain python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(

4
test/e2e/setup-ci.e2e.spec.js
View file

@ -39,7 +39,9 @@ describe("E2E: safe-chain setup-ci command", () => {
);
const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand("npm i axios");
const result = await projectShell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
const hasExpectedOutput = result.output.includes("Safe-chain: Scanned");
assert.ok(

4
test/e2e/setup.teardown.e2e.spec.js
View file

@ -29,7 +29,9 @@ describe("E2E: safe-chain setup command", () => {
const projectShell = await container.openShell(shell);
await projectShell.runCommand("cd /testapp");
const result = await projectShell.runCommand("npm i axios");
const result = await projectShell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
const hasExpectedOutput = result.output.includes("Safe-chain: Scanned");
assert.ok(

91
test/e2e/uv.e2e.spec.js
View file

@ -16,6 +16,9 @@ describe("E2E: uv coverage", () => {
const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup --include-python");
// Clear uv cache
await installationShell.runCommand("uv cache clean");
});
afterEach(async () => {
@ -29,7 +32,7 @@ describe("E2E: uv coverage", () => {
it(`successfully installs known safe packages with uv pip install`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests"
"uv pip install --system --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -41,7 +44,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with specific version`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests==2.32.3"
"uv pip install --system --break-system-packages requests==2.32.3 --safe-chain-logging=verbose"
);
assert.ok(
@ -53,7 +56,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with version specifiers (>=)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
'uv pip install --system --break-system-packages "Jinja2>=3.1"'
'uv pip install --system --break-system-packages "Jinja2>=3.1" --safe-chain-logging=verbose'
);
assert.ok(
@ -65,7 +68,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with extras such as requests[socks]`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
'uv pip install --system --break-system-packages "requests[socks]==2.32.3"'
'uv pip install --system --break-system-packages "requests[socks]==2.32.3" --safe-chain-logging=verbose'
);
assert.ok(
@ -77,7 +80,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install multiple packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests certifi urllib3"
"uv pip install --system --break-system-packages requests certifi urllib3 --safe-chain-logging=verbose"
);
assert.ok(
@ -94,7 +97,7 @@ describe("E2E: uv coverage", () => {
await shell.runCommand("echo 'certifi>=2024.0.0' >> requirements.txt");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages -r requirements.txt"
"uv pip install --system --break-system-packages -r requirements.txt --safe-chain-logging=verbose"
);
assert.ok(
@ -110,7 +113,7 @@ describe("E2E: uv coverage", () => {
await shell.runCommand("echo 'requests==2.32.3' > requirements-sync.txt");
const result = await shell.runCommand(
"uv pip sync --system --break-system-packages requirements-sync.txt"
"uv pip sync --system --break-system-packages requirements-sync.txt --safe-chain-logging=verbose"
);
assert.ok(
@ -149,7 +152,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install from GitHub URL using the CA bundle`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages git+https://github.com/psf/requests.git@v2.32.3"
"uv pip install --system --break-system-packages git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
);
assert.ok(
@ -169,7 +172,7 @@ describe("E2E: uv coverage", () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages certifi"
"uv pip install --system --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -196,7 +199,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install from direct HTTPS wheel URL`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl"
"uv pip install --system --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl --safe-chain-logging=verbose"
);
assert.ok(
@ -215,11 +218,13 @@ describe("E2E: uv coverage", () => {
const shell = await container.openShell("zsh");
// First install a package
await shell.runCommand("uv pip install --system --break-system-packages requests==2.31.0");
await shell.runCommand(
"uv pip install --system --break-system-packages requests==2.31.0"
);
// Then upgrade it
const result = await shell.runCommand(
"uv pip install --system --break-system-packages --upgrade requests"
"uv pip install --system --break-system-packages --upgrade requests --safe-chain-logging=verbose"
);
assert.ok(
@ -231,7 +236,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with --no-deps flag`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages --no-deps requests"
"uv pip install --system --break-system-packages --no-deps requests --safe-chain-logging=verbose"
);
assert.ok(
@ -245,11 +250,15 @@ describe("E2E: uv coverage", () => {
// Create a simple package structure
await shell.runCommand("mkdir -p /tmp/test-pkg");
await shell.runCommand("echo 'from setuptools import setup' > /tmp/test-pkg/setup.py");
await shell.runCommand("echo \"setup(name='test-pkg', version='0.1.0')\" >> /tmp/test-pkg/setup.py");
await shell.runCommand(
"echo 'from setuptools import setup' > /tmp/test-pkg/setup.py"
);
await shell.runCommand(
"echo \"setup(name='test-pkg', version='0.1.0')\" >> /tmp/test-pkg/setup.py"
);
const result = await shell.runCommand(
"uv pip install --system --break-system-packages -e /tmp/test-pkg"
"uv pip install --system --break-system-packages -e /tmp/test-pkg --safe-chain-logging=verbose"
);
assert.ok(
@ -264,9 +273,7 @@ describe("E2E: uv coverage", () => {
// Create an input requirements file
await shell.runCommand("echo 'requests' > requirements.in");
const result = await shell.runCommand(
"uv pip compile requirements.in"
);
const result = await shell.runCommand("uv pip compile requirements.in");
// uv pip compile doesn't install packages, just resolves dependencies
// It should complete successfully and output resolved requirements
@ -279,7 +286,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with --index-url for alternate registry`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages --index-url https://test.pypi.org/simple certifi"
"uv pip install --system --break-system-packages --index-url https://test.pypi.org/simple certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -310,7 +317,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with version range constraint`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
'uv pip install --system --break-system-packages "requests>=2.31.0,<2.33.0"'
'uv pip install --system --break-system-packages "requests>=2.31.0,<2.33.0" --safe-chain-logging=verbose'
);
assert.ok(
@ -323,7 +330,9 @@ describe("E2E: uv coverage", () => {
const shell = await container.openShell("zsh");
// Install a package first
await shell.runCommand("uv pip install --system --break-system-packages requests");
await shell.runCommand(
"uv pip install --system --break-system-packages requests"
);
// Then list packages - this shouldn't trigger safe-chain scanning
const result = await shell.runCommand("uv pip list --system");
@ -340,7 +349,7 @@ describe("E2E: uv coverage", () => {
// Initialize a new uv project and add package in same command
const result = await shell.runCommand(
"uv init test-project && cd test-project && uv add requests"
"uv init test-project && cd test-project && uv add requests --safe-chain-logging=verbose"
);
assert.ok(
@ -356,7 +365,7 @@ describe("E2E: uv coverage", () => {
await shell.runCommand("uv init test-project-version");
const result = await shell.runCommand(
"cd test-project-version && uv add requests==2.32.3"
"cd test-project-version && uv add requests==2.32.3 --safe-chain-logging=verbose"
);
assert.ok(
@ -372,7 +381,7 @@ describe("E2E: uv coverage", () => {
await shell.runCommand("uv init test-project-dev");
const result = await shell.runCommand(
"cd test-project-dev && uv add --dev pytest"
"cd test-project-dev && uv add --dev pytest --safe-chain-logging=verbose"
);
assert.ok(
@ -388,7 +397,7 @@ describe("E2E: uv coverage", () => {
await shell.runCommand("uv init test-project-multi");
const result = await shell.runCommand(
"cd test-project-multi && uv add requests certifi urllib3"
"cd test-project-multi && uv add requests certifi urllib3 --safe-chain-logging=verbose"
);
assert.ok(
@ -424,20 +433,19 @@ describe("E2E: uv coverage", () => {
it(`uv tool install installs a global tool`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv tool install ruff"
"uv tool install ruff --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found.") || result.output.includes("Installed"),
result.output.includes("no malware found.") ||
result.output.includes("Installed"),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it(`safe-chain blocks malicious packages via uv tool install`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv tool install safe-chain-pi-test"
);
const result = await shell.runCommand("uv tool install safe-chain-pi-test");
assert.ok(
result.output.includes("blocked 1 malicious package downloads:"),
@ -453,10 +461,12 @@ describe("E2E: uv coverage", () => {
const shell = await container.openShell("zsh");
// Create a simple Python script
await shell.runCommand("echo 'import requests; print(requests.__version__)' > test_script.py");
await shell.runCommand(
"echo 'import requests; print(requests.__version__)' > test_script.py"
);
const result = await shell.runCommand(
"uv run --with requests test_script.py"
"uv run --with requests test_script.py --safe-chain-logging=verbose"
);
assert.ok(
@ -486,7 +496,7 @@ describe("E2E: uv coverage", () => {
// Initialize a new uv project, add a dependency, remove venv, and sync in one command chain
const result = await shell.runCommand(
"uv init test-sync-project && cd test-sync-project && uv add requests && rm -rf .venv && uv sync"
"uv init test-sync-project && cd test-sync-project && uv add requests --safe-chain-logging=verbose && rm -rf .venv && uv sync --safe-chain-logging=verbose"
);
assert.ok(
@ -502,7 +512,7 @@ describe("E2E: uv coverage", () => {
await shell.runCommand("uv init test-git-add");
const result = await shell.runCommand(
"cd test-git-add && uv add git+https://github.com/psf/requests.git@v2.32.3"
"cd test-git-add && uv add git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
);
assert.ok(
@ -518,7 +528,7 @@ describe("E2E: uv coverage", () => {
await shell.runCommand("uv init test-optional");
const result = await shell.runCommand(
"cd test-optional && uv add --optional dev pytest"
"cd test-optional && uv add --optional dev pytest --safe-chain-logging=verbose"
);
assert.ok(
@ -532,10 +542,12 @@ describe("E2E: uv coverage", () => {
// Create requirements file and script
await shell.runCommand("echo 'requests' > run_requirements.txt");
await shell.runCommand("echo 'import requests; print(requests.__version__)' > run_script.py");
await shell.runCommand(
"echo 'import requests; print(requests.__version__)' > run_script.py"
);
const result = await shell.runCommand(
"uv run --with-requirements run_requirements.txt run_script.py"
"uv run --with-requirements run_requirements.txt run_script.py --safe-chain-logging=verbose"
);
assert.ok(
@ -549,7 +561,7 @@ describe("E2E: uv coverage", () => {
// Initialize project with optional dependency and sync in one command chain
const result = await shell.runCommand(
"uv init test-extras && cd test-extras && uv add --optional dev pytest && uv sync --all-extras"
"uv init test-extras && cd test-extras && uv add --optional dev pytest --safe-chain-logging=verbose && uv sync --all-extras"
);
assert.ok(
@ -558,4 +570,3 @@ describe("E2E: uv coverage", () => {
);
});
});

4
test/e2e/yarn-ci.e2e.spec.js
View file

@ -33,7 +33,9 @@ describe("E2E: yarn coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("yarn add axios");
const result = await shell.runCommand(
"yarn add axios --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),

4
test/e2e/yarn.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: yarn coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("yarn add axios");
const result = await shell.runCommand(
"yarn add axios --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),