milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #224 from AikidoSec/only-audit-stats-in-verbose

Browse source 
Log audit stats as verbose, not as information
This commit is contained in:
bitterpanda 2025-12-08 11:56:55 +01:00 committed by GitHub
commit 0931b6a5fe
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
14 changed files with 273 additions and 214 deletions
Download patch file Download diff file Expand all files Collapse all files

3
packages/safe-chain/src/main.js
View file

@ -64,8 +64,7 @@ export async function main(args) {
const auditStats = getAuditStats();
if (auditStats.totalPackages > 0) {
ui.emptyLine();
ui.writeInformation(
ui.writeVerbose(
`${chalk.green("✔")} Safe-chain: Scanned ${
auditStats.totalPackages
} packages, no malware found.`

4
test/e2e/bun.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: bun coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("bash");
const result = await shell.runCommand("bun i axios");
const result = await shell.runCommand(
"bun i axios --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),

4
test/e2e/npm-ci.e2e.spec.js
View file

@ -33,7 +33,9 @@ describe("E2E: npm coverage using PATH", () => {
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("npm i axios");
const result = await shell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),

4
test/e2e/npm.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: npm coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("npm i axios");
const result = await shell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),

12
test/e2e/pip-ci.e2e.spec.js
View file

@ -12,7 +12,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
beforeEach(async () => {
container = new DockerTestContainer();
await container.start();
// Clear pip cache before each test to ensure fresh downloads through proxy
const shell = await container.openShell("zsh");
await shell.runCommand("pip3 cache purge");
@ -100,7 +100,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell);
// Use --break-system-packages to avoid Debian/Ubuntu external management restrictions
const result = await projectShell.runCommand(
"pip3 install --break-system-packages certifi"
"pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
);
const hasExpectedOutput = result.output.includes("no malware found.");
@ -126,7 +126,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand(
"python -m pip install --break-system-packages certifi"
"python -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -149,7 +149,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand(
"python3 -m pip install --break-system-packages certifi"
"python3 -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -172,7 +172,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand(
"pip install --break-system-packages certifi"
"pip install --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -195,7 +195,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand(
"pip3 install --break-system-packages certifi"
"pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(

268
test/e2e/pip.e2e.spec.js
View file

@ -16,7 +16,7 @@ describe("E2E: pip coverage", () => {
const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup --include-python");
// Clear pip cache before each test to ensure fresh downloads through proxy
await installationShell.runCommand("pip3 cache purge");
});
@ -32,7 +32,7 @@ describe("E2E: pip coverage", () => {
it(`successfully installs known safe packages with pip3`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"pip3 install --break-system-packages requests"
"pip3 install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -43,7 +43,9 @@ describe("E2E: pip coverage", () => {
it(`pip3 download`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 download requests");
const result = await shell.runCommand(
"pip3 download requests --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),
@ -53,7 +55,9 @@ describe("E2E: pip coverage", () => {
it(`pip3 .whl`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 wheel requests");
const result = await shell.runCommand(
"pip3 wheel requests --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),
@ -64,7 +68,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 install --dry-run is respected by scanner`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"pip3 install --dry-run --break-system-packages requests"
"pip3 install --dry-run --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -76,7 +80,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 install with extras such as requests[socks]`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
'pip3 install --break-system-packages "requests[socks]==2.32.3"'
'pip3 install --break-system-packages "requests[socks]==2.32.3" --safe-chain-logging=verbose'
);
assert.ok(
@ -88,7 +92,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 install with range version specifier`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
'pip3 install --break-system-packages "Jinja2>=3.1,<3.2"'
'pip3 install --break-system-packages "Jinja2>=3.1,<3.2" --safe-chain-logging=verbose'
);
assert.ok(
@ -100,7 +104,7 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip install routes through safe-chain`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python3 -m pip install --break-system-packages requests"
"python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -111,7 +115,9 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip download routes through safe-chain`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 -m pip download requests");
const result = await shell.runCommand(
"python3 -m pip download requests --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),
@ -148,7 +154,7 @@ describe("E2E: pip coverage", () => {
it(`python -m pip routes to aikido-pip (uses pip command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python -m pip install --break-system-packages requests"
"python -m pip install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -166,7 +172,7 @@ describe("E2E: pip coverage", () => {
it(`python -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python -m pip3 install --break-system-packages requests"
"python -m pip3 install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -184,7 +190,7 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python3 -m pip install --break-system-packages requests"
"python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -202,7 +208,7 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python3 -m pip3 install --break-system-packages requests"
"python3 -m pip3 install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -222,7 +228,7 @@ describe("E2E: pip coverage", () => {
// Install a simple package from GitHub - this should use TCP tunnel, not MITM
// Using a popular, small package for testing
const result = await shell.runCommand(
"pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3"
"pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
);
assert.ok(
@ -248,7 +254,7 @@ describe("E2E: pip coverage", () => {
it(`pip3 successfully validates certificates for HTTPS downloads`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"pip3 install --break-system-packages certifi"
"pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -276,7 +282,7 @@ describe("E2E: pip coverage", () => {
// Test installing from a direct HTTPS URL (not a registry)
// This validates that non-registry HTTPS traffic works with our env-provided CA bundle
const result = await shell.runCommand(
"pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl"
"pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl --safe-chain-logging=verbose"
);
assert.ok(
@ -299,7 +305,7 @@ describe("E2E: pip coverage", () => {
// This tests tunneled HTTPS with our env-provided CA bundle (Safe Chain CA + Mozilla + Node roots)
// If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED
const result = await shell.runCommand(
"pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi"
"pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -336,22 +342,20 @@ describe("E2E: pip coverage", () => {
it(`pip3 config set should work and persist configuration`, async () => {
const shell = await container.openShell("zsh");
// Set a config value
const setResult = await shell.runCommand(
"pip3 config set global.timeout 60"
);
assert.ok(
setResult.output.includes("Writing to"),
`pip3 config set should write config. Output was:\n${setResult.output}`
);
// Verify it was persisted by reading it back
const getResult = await shell.runCommand(
"pip3 config get global.timeout"
);
const getResult = await shell.runCommand("pip3 config get global.timeout");
assert.ok(
getResult.output.includes("60"),
`Config value should be 60. Output was:\n${getResult.output}`
@ -360,13 +364,13 @@ describe("E2E: pip coverage", () => {
it(`pip3 config list should show user configuration`, async () => {
const shell = await container.openShell("zsh");
// Set a value first
await shell.runCommand("pip3 config set global.timeout 90");
// List config
const listResult = await shell.runCommand("pip3 config list");
assert.ok(
listResult.output.includes("timeout") && listResult.output.includes("90"),
`Config list should show timeout=90. Output was:\n${listResult.output}`
@ -375,16 +379,18 @@ describe("E2E: pip coverage", () => {
it(`pip3 config unset should remove configuration`, async () => {
const shell = await container.openShell("zsh");
// Set a value
await shell.runCommand("pip3 config set global.timeout 120");
// Verify it exists
const getResult = await shell.runCommand("pip3 config get global.timeout");
assert.ok(getResult.output.includes("120"));
// Unset it
const unsetResult = await shell.runCommand("pip3 config unset global.timeout");
const unsetResult = await shell.runCommand(
"pip3 config unset global.timeout"
);
assert.ok(
unsetResult.output.includes("Writing to"),
`pip3 config unset should write config. Output was:\n${unsetResult.output}`
@ -393,9 +399,9 @@ describe("E2E: pip coverage", () => {
it(`pip3 cache dir should return cache directory path`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 cache dir");
// Should output a directory path
assert.ok(
result.output.includes("/") && result.output.includes("cache"),
@ -405,12 +411,12 @@ describe("E2E: pip coverage", () => {
it(`pip3 cache info should show cache information`, async () => {
const shell = await container.openShell("zsh");
// Install something first to populate cache
await shell.runCommand("pip3 install --break-system-packages certifi");
const result = await shell.runCommand("pip3 cache info");
// Output should contain cache-related information
assert.ok(
result.output.match(/cache|wheel|http/i),
@ -420,30 +426,31 @@ describe("E2E: pip coverage", () => {
it(`pip3 cache list should list cached packages`, async () => {
const shell = await container.openShell("zsh");
// Download a package to ensure something is in cache
await shell.runCommand("pip3 download certifi");
const result = await shell.runCommand("pip3 cache list certifi");
// Should show either cached wheels or "No locally built wheels"
assert.ok(
result.output.includes("certifi") || result.output.includes("No locally built"),
result.output.includes("certifi") ||
result.output.includes("No locally built"),
`Should output cache list information. Output was:\n${result.output}`
);
});
it(`pip3 debug should output debug information`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 debug");
// Should contain debug information about pip environment
assert.ok(
result.output.match(/pip version|sys\.version|sys\.executable/i),
`Should output debug information. Output was:\n${result.output}`
);
// Should NOT show safe-chain's temporary config file in the debug output
assert.ok(
!result.output.includes("safe-chain-pip-"),
@ -453,34 +460,36 @@ describe("E2E: pip coverage", () => {
it(`pip3 completion should generate shell completion script`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 completion --zsh");
// Should output shell completion code
assert.ok(
result.output.includes("compdef") || result.output.includes("_pip") || result.output.includes("pip completion"),
result.output.includes("compdef") ||
result.output.includes("_pip") ||
result.output.includes("pip completion"),
`Should output completion code. Output was:\n${result.output}`
);
});
it(`pip3 install still works after config operations`, async () => {
const shell = await container.openShell("zsh");
// Perform config operations
await shell.runCommand("pip3 config set global.timeout 60");
await shell.runCommand("pip3 cache dir");
// Now install should still work with malware protection
const result = await shell.runCommand(
"pip3 install --break-system-packages certifi"
"pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Install should succeed after config operations. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("no malware found."),
`Should still scan for malware. Output was:\n${result.output}`
@ -489,14 +498,16 @@ describe("E2E: pip coverage", () => {
it(`pip3 download works after configuring pip settings`, async () => {
const shell = await container.openShell("zsh");
// Configure pip with timeout and extra index URL
const configTimeout = await shell.runCommand("pip3 config set global.timeout 60");
const configTimeout = await shell.runCommand(
"pip3 config set global.timeout 60"
);
assert.ok(
configTimeout.output.includes("Writing to"),
`Config set should succeed. Output was:\n${configTimeout.output}`
);
const configIndex = await shell.runCommand(
"pip3 config set global.extra-index-url https://pypi.org/simple"
);
@ -504,7 +515,7 @@ describe("E2E: pip coverage", () => {
configIndex.output.includes("Writing to"),
`Config set should succeed. Output was:\n${configIndex.output}`
);
// Verify config persisted
const listConfig = await shell.runCommand("pip3 config list");
assert.ok(
@ -512,23 +523,25 @@ describe("E2E: pip coverage", () => {
`Config should show timeout=60. Output was:\n${listConfig.output}`
);
assert.ok(
listConfig.output.includes("extra-index-url") && listConfig.output.includes("pypi.org"),
listConfig.output.includes("extra-index-url") &&
listConfig.output.includes("pypi.org"),
`Config should show extra-index-url. Output was:\n${listConfig.output}`
);
// Now download packages with the configured settings
const downloadResult = await shell.runCommand(
"pip3 download -d /tmp/packages requests certifi"
"pip3 download -d /tmp/packages requests certifi --safe-chain-logging=verbose"
);
assert.ok(
downloadResult.output.includes("no malware found."),
`Should scan for malware. Output was:\n${downloadResult.output}`
);
// Verify downloads succeeded
assert.ok(
downloadResult.output.includes("Saved") || downloadResult.output.includes("requests"),
downloadResult.output.includes("Saved") ||
downloadResult.output.includes("requests"),
`Download should succeed with configured settings. Output was:\n${downloadResult.output}`
);
assert.ok(
@ -538,17 +551,17 @@ describe("E2E: pip coverage", () => {
});
// Tests for python/python3 bypass (non-pip invocations should go directly without safe-chain)
it(`python3 --version should bypass safe-chain and work normally`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 --version");
// Should output Python version
assert.ok(
result.output.match(/Python 3\.\d+\.\d+/),
`Should output Python version. Output was:\n${result.output}`
);
// Should NOT go through safe-chain proxy
assert.ok(
!result.output.includes("Safe-chain"),
@ -559,13 +572,13 @@ describe("E2E: pip coverage", () => {
it(`python --version should bypass safe-chain and work normally`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("python --version");
// Should output Python version
assert.ok(
result.output.match(/Python \d+\.\d+\.\d+/),
`Should output Python version. Output was:\n${result.output}`
);
// Should NOT go through safe-chain
assert.ok(
!result.output.includes("Safe-chain"),
@ -575,14 +588,16 @@ describe("E2E: pip coverage", () => {
it(`python3 -c "print('hello')" should bypass safe-chain and execute code`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 -c \"print('hello world')\"");
const result = await shell.runCommand(
"python3 -c \"print('hello world')\""
);
// Should execute Python code
assert.ok(
result.output.includes("hello world"),
`Should execute Python code. Output was:\n${result.output}`
);
// Should NOT go through safe-chain
assert.ok(
!result.output.includes("Safe-chain"),
@ -592,14 +607,16 @@ describe("E2E: pip coverage", () => {
it(`python -c should bypass safe-chain and execute code`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("python -c \"import sys; print(sys.version)\"");
const result = await shell.runCommand(
'python -c "import sys; print(sys.version)"'
);
// Should execute Python code and print version
assert.ok(
result.output.match(/\d+\.\d+\.\d+/),
`Should execute Python code. Output was:\n${result.output}`
);
// Should NOT go through safe-chain
assert.ok(
!result.output.includes("Safe-chain"),
@ -609,18 +626,20 @@ describe("E2E: pip coverage", () => {
it(`python3 script.py should bypass safe-chain and execute script`, async () => {
const shell = await container.openShell("zsh");
// Create a simple Python script
await shell.runCommand("echo \"print('script executed')\" > /tmp/test_script.py");
await shell.runCommand(
"echo \"print('script executed')\" > /tmp/test_script.py"
);
const result = await shell.runCommand("python3 /tmp/test_script.py");
// Should execute the script
assert.ok(
result.output.includes("script executed"),
`Should execute Python script. Output was:\n${result.output}`
);
// Should NOT go through safe-chain
assert.ok(
!result.output.includes("Safe-chain"),
@ -630,18 +649,20 @@ describe("E2E: pip coverage", () => {
it(`python script.py should bypass safe-chain and execute script`, async () => {
const shell = await container.openShell("zsh");
// Create a simple Python script
await shell.runCommand("echo \"print('python2/3 compatible')\" > /tmp/test_script2.py");
await shell.runCommand(
"echo \"print('python2/3 compatible')\" > /tmp/test_script2.py"
);
const result = await shell.runCommand("python /tmp/test_script2.py");
// Should execute the script
assert.ok(
result.output.includes("python2/3 compatible"),
`Should execute Python script. Output was:\n${result.output}`
);
// Should NOT go through safe-chain
assert.ok(
!result.output.includes("Safe-chain"),
@ -651,16 +672,18 @@ describe("E2E: pip coverage", () => {
it(`python3 -m json.tool should bypass safe-chain (module other than pip)`, async () => {
const shell = await container.openShell("zsh");
// json.tool is a built-in Python module for formatting JSON
const result = await shell.runCommand("echo '{\"test\": 123}' | python3 -m json.tool");
const result = await shell.runCommand(
"echo '{\"test\": 123}' | python3 -m json.tool"
);
// Should format JSON
assert.ok(
result.output.includes('"test"') && result.output.includes('123'),
result.output.includes('"test"') && result.output.includes("123"),
`Should format JSON. Output was:\n${result.output}`
);
// Should NOT go through safe-chain
assert.ok(
!result.output.includes("Safe-chain"),
@ -670,36 +693,40 @@ describe("E2E: pip coverage", () => {
it(`python3 -m http.server should bypass safe-chain (module other than pip)`, async () => {
const shell = await container.openShell("zsh");
// Start http.server in background and kill it immediately
// We just want to verify it starts without safe-chain interference
const result = await shell.runCommand("timeout 1 python3 -m http.server 8999 || true");
const result = await shell.runCommand(
"timeout 1 python3 -m http.server 8999 || true"
);
// Should NOT go through safe-chain
assert.ok(
!result.output.includes("Safe-chain"),
`python3 -m http.server should not go through safe-chain. Output was:\n${result.output}`
);
// Should either start the server or timeout (both are success for bypass test)
assert.ok(
result.output.includes("Serving HTTP") || result.output === "" || result.exitCode !== undefined,
result.output.includes("Serving HTTP") ||
result.output === "" ||
result.exitCode !== undefined,
`Should attempt to start server. Output was:\n${result.output}`
);
});
it(`python3 interactive mode should bypass safe-chain`, async () => {
const shell = await container.openShell("zsh");
// Run python3 with a command piped to stdin to simulate interactive mode
const result = await shell.runCommand("echo 'print(2+2)' | python3");
// Should execute the command
assert.ok(
result.output.includes("4"),
`Should execute Python interactively. Output was:\n${result.output}`
);
// Should NOT go through safe-chain
assert.ok(
!result.output.includes("Safe-chain"),
@ -709,10 +736,10 @@ describe("E2E: pip coverage", () => {
it(`python3 with no arguments should bypass safe-chain`, async () => {
const shell = await container.openShell("zsh");
// Python with no args goes to interactive REPL, pipe exit command
const result = await shell.runCommand("echo 'exit()' | python3");
// Should NOT go through safe-chain
assert.ok(
!result.output.includes("Safe-chain"),
@ -722,17 +749,19 @@ describe("E2E: pip coverage", () => {
it(`python3 -m venv should bypass safe-chain (venv module)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 -m venv /tmp/test_venv");
// Should create venv without safe-chain
assert.ok(
!result.output.includes("Safe-chain"),
`python3 -m venv should not go through safe-chain. Output was:\n${result.output}`
);
// Verify venv was created
const checkVenv = await shell.runCommand("test -f /tmp/test_venv/bin/python3 && echo 'exists'");
const checkVenv = await shell.runCommand(
"test -f /tmp/test_venv/bin/python3 && echo 'exists'"
);
assert.ok(
checkVenv.output.includes("exists"),
`venv should be created. Output was:\n${checkVenv.output}`
@ -741,10 +770,12 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pytest should bypass safe-chain (pytest module)`, async () => {
const shell = await container.openShell("zsh");
// pytest may not be installed, but the bypass should work regardless
const result = await shell.runCommand("python3 -m pytest --version 2>&1 || true");
const result = await shell.runCommand(
"python3 -m pytest --version 2>&1 || true"
);
// Should NOT go through safe-chain
assert.ok(
!result.output.includes("Safe-chain"),
@ -754,15 +785,15 @@ describe("E2E: pip coverage", () => {
it(`python3 -m site should bypass safe-chain (site module)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("python3 -m site");
// Should output site information
assert.ok(
result.output.includes("sys.path") || result.output.includes("USER_BASE"),
`Should output site information. Output was:\n${result.output}`
);
// Should NOT go through safe-chain
assert.ok(
!result.output.includes("Safe-chain"),
@ -771,16 +802,17 @@ describe("E2E: pip coverage", () => {
});
// Verify that -m pip* still goes through safe-chain (sanity check)
it(`python3 -m pip DOES go through safe-chain (sanity check)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python3 -m pip install --break-system-packages certifi"
"python3 -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
);
// SHOULD go through safe-chain
assert.ok(
result.output.includes("Safe-chain") || result.output.includes("no malware found"),
result.output.includes("Safe-chain") ||
result.output.includes("no malware found"),
`python3 -m pip SHOULD go through safe-chain. Output was:\n${result.output}`
);
});
@ -788,12 +820,13 @@ describe("E2E: pip coverage", () => {
it(`python3 -m pip3 DOES go through safe-chain (sanity check)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python3 -m pip3 install --break-system-packages certifi"
"python3 -m pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
);
// SHOULD go through safe-chain
assert.ok(
result.output.includes("Safe-chain") || result.output.includes("no malware found"),
result.output.includes("Safe-chain") ||
result.output.includes("no malware found"),
`python3 -m pip3 SHOULD go through safe-chain. Output was:\n${result.output}`
);
});
@ -801,12 +834,13 @@ describe("E2E: pip coverage", () => {
it(`python -m pip DOES go through safe-chain (sanity check)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python -m pip install --break-system-packages certifi"
"python -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
);
// SHOULD go through safe-chain
assert.ok(
result.output.includes("Safe-chain") || result.output.includes("no malware found"),
result.output.includes("Safe-chain") ||
result.output.includes("no malware found"),
`python -m pip SHOULD go through safe-chain. Output was:\n${result.output}`
);
});

4
test/e2e/pnpm-ci.e2e.spec.js
View file

@ -33,7 +33,9 @@ describe("E2E: pnpm coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pnpm add axios");
const result = await shell.runCommand(
"pnpm add axios --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),

4
test/e2e/pnpm.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: pnpm coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pnpm add axios");
const result = await shell.runCommand(
"pnpm add axios --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),

6
test/e2e/safe-chain-cli-python.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: safe-chain CLI python/pip support", () => {
const shell = await container.openShell("zsh");
// Invoke safe-chain directly with pip3 command
const result = await shell.runCommand(
"safe-chain pip3 install --break-system-packages requests"
"safe-chain pip3 install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -48,7 +48,7 @@ describe("E2E: safe-chain CLI python/pip support", () => {
it("safe-chain python3 -m pip install routes through proxy", async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"safe-chain python3 -m pip install --break-system-packages requests"
"safe-chain python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -59,7 +59,7 @@ describe("E2E: safe-chain CLI python/pip support", () => {
it("safe-chain python3 script.py bypasses proxy", async () => {
const shell = await container.openShell("zsh");
// Create a simple script
await shell.runCommand("echo \"print('direct execution')\" > /tmp/test.py");

4
test/e2e/setup-ci.e2e.spec.js
View file

@ -39,7 +39,9 @@ describe("E2E: safe-chain setup-ci command", () => {
);
const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand("npm i axios");
const result = await projectShell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
const hasExpectedOutput = result.output.includes("Safe-chain: Scanned");
assert.ok(

4
test/e2e/setup.teardown.e2e.spec.js
View file

@ -29,7 +29,9 @@ describe("E2E: safe-chain setup command", () => {
const projectShell = await container.openShell(shell);
await projectShell.runCommand("cd /testapp");
const result = await projectShell.runCommand("npm i axios");
const result = await projectShell.runCommand(
"npm i axios --safe-chain-logging=verbose"
);
const hasExpectedOutput = result.output.includes("Safe-chain: Scanned");
assert.ok(

162
test/e2e/uv.e2e.spec.js
View file

@ -16,7 +16,7 @@ describe("E2E: uv coverage", () => {
const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup --include-python");
// Clear uv cache
await installationShell.runCommand("uv cache clean");
});
@ -32,7 +32,7 @@ describe("E2E: uv coverage", () => {
it(`successfully installs known safe packages with uv pip install`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests"
"uv pip install --system --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
@ -44,7 +44,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with specific version`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests==2.32.3"
"uv pip install --system --break-system-packages requests==2.32.3 --safe-chain-logging=verbose"
);
assert.ok(
@ -56,7 +56,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with version specifiers (>=)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
'uv pip install --system --break-system-packages "Jinja2>=3.1"'
'uv pip install --system --break-system-packages "Jinja2>=3.1" --safe-chain-logging=verbose'
);
assert.ok(
@ -68,7 +68,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with extras such as requests[socks]`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
'uv pip install --system --break-system-packages "requests[socks]==2.32.3"'
'uv pip install --system --break-system-packages "requests[socks]==2.32.3" --safe-chain-logging=verbose'
);
assert.ok(
@ -80,7 +80,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install multiple packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests certifi urllib3"
"uv pip install --system --break-system-packages requests certifi urllib3 --safe-chain-logging=verbose"
);
assert.ok(
@ -91,13 +91,13 @@ describe("E2E: uv coverage", () => {
it(`uv pip install from requirements file`, async () => {
const shell = await container.openShell("zsh");
// Create a requirements.txt file
await shell.runCommand("echo 'requests==2.32.3' > requirements.txt");
await shell.runCommand("echo 'certifi>=2024.0.0' >> requirements.txt");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages -r requirements.txt"
"uv pip install --system --break-system-packages -r requirements.txt --safe-chain-logging=verbose"
);
assert.ok(
@ -108,12 +108,12 @@ describe("E2E: uv coverage", () => {
it(`uv pip sync with requirements file`, async () => {
const shell = await container.openShell("zsh");
// Create a requirements.txt file
await shell.runCommand("echo 'requests==2.32.3' > requirements-sync.txt");
const result = await shell.runCommand(
"uv pip sync --system --break-system-packages requirements-sync.txt"
"uv pip sync --system --break-system-packages requirements-sync.txt --safe-chain-logging=verbose"
);
assert.ok(
@ -124,7 +124,7 @@ describe("E2E: uv coverage", () => {
it(`safe-chain blocks installation of malicious Python packages via uv`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages safe-chain-pi-test"
);
@ -152,7 +152,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install from GitHub URL using the CA bundle`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages git+https://github.com/psf/requests.git@v2.32.3"
"uv pip install --system --break-system-packages git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
);
assert.ok(
@ -170,9 +170,9 @@ describe("E2E: uv coverage", () => {
it(`uv pip successfully validates certificates for HTTPS downloads`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages certifi"
"uv pip install --system --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -199,7 +199,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install from direct HTTPS wheel URL`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl"
"uv pip install --system --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl --safe-chain-logging=verbose"
);
assert.ok(
@ -216,13 +216,15 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with --upgrade flag`, async () => {
const shell = await container.openShell("zsh");
// First install a package
await shell.runCommand("uv pip install --system --break-system-packages requests==2.31.0");
await shell.runCommand(
"uv pip install --system --break-system-packages requests==2.31.0"
);
// Then upgrade it
const result = await shell.runCommand(
"uv pip install --system --break-system-packages --upgrade requests"
"uv pip install --system --break-system-packages --upgrade requests --safe-chain-logging=verbose"
);
assert.ok(
@ -234,7 +236,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with --no-deps flag`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages --no-deps requests"
"uv pip install --system --break-system-packages --no-deps requests --safe-chain-logging=verbose"
);
assert.ok(
@ -245,14 +247,18 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with --editable flag from local directory`, async () => {
const shell = await container.openShell("zsh");
// Create a simple package structure
await shell.runCommand("mkdir -p /tmp/test-pkg");
await shell.runCommand("echo 'from setuptools import setup' > /tmp/test-pkg/setup.py");
await shell.runCommand("echo \"setup(name='test-pkg', version='0.1.0')\" >> /tmp/test-pkg/setup.py");
await shell.runCommand(
"echo 'from setuptools import setup' > /tmp/test-pkg/setup.py"
);
await shell.runCommand(
"echo \"setup(name='test-pkg', version='0.1.0')\" >> /tmp/test-pkg/setup.py"
);
const result = await shell.runCommand(
"uv pip install --system --break-system-packages -e /tmp/test-pkg"
"uv pip install --system --break-system-packages -e /tmp/test-pkg --safe-chain-logging=verbose"
);
assert.ok(
@ -263,13 +269,11 @@ describe("E2E: uv coverage", () => {
it(`uv pip compile creates locked requirements`, async () => {
const shell = await container.openShell("zsh");
// Create an input requirements file
await shell.runCommand("echo 'requests' > requirements.in");
const result = await shell.runCommand(
"uv pip compile requirements.in"
);
const result = await shell.runCommand("uv pip compile requirements.in");
// uv pip compile doesn't install packages, just resolves dependencies
// It should complete successfully and output resolved requirements
@ -282,7 +286,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with --index-url for alternate registry`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv pip install --system --break-system-packages --index-url https://test.pypi.org/simple certifi"
"uv pip install --system --break-system-packages --index-url https://test.pypi.org/simple certifi --safe-chain-logging=verbose"
);
assert.ok(
@ -303,7 +307,7 @@ describe("E2E: uv coverage", () => {
const result = await shell.runCommand(
"uv pip install --system --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
@ -313,7 +317,7 @@ describe("E2E: uv coverage", () => {
it(`uv pip install with version range constraint`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
'uv pip install --system --break-system-packages "requests>=2.31.0,<2.33.0"'
'uv pip install --system --break-system-packages "requests>=2.31.0,<2.33.0" --safe-chain-logging=verbose'
);
assert.ok(
@ -324,10 +328,12 @@ describe("E2E: uv coverage", () => {
it(`uv pip list shows installed packages`, async () => {
const shell = await container.openShell("zsh");
// Install a package first
await shell.runCommand("uv pip install --system --break-system-packages requests");
await shell.runCommand(
"uv pip install --system --break-system-packages requests"
);
// Then list packages - this shouldn't trigger safe-chain scanning
const result = await shell.runCommand("uv pip list --system");
@ -340,10 +346,10 @@ describe("E2E: uv coverage", () => {
it(`uv add installs package and updates project`, async () => {
const shell = await container.openShell("zsh");
// Initialize a new uv project and add package in same command
const result = await shell.runCommand(
"uv init test-project && cd test-project && uv add requests"
"uv init test-project && cd test-project && uv add requests --safe-chain-logging=verbose"
);
assert.ok(
@ -354,12 +360,12 @@ describe("E2E: uv coverage", () => {
it(`uv add with specific version`, async () => {
const shell = await container.openShell("zsh");
// Initialize a new uv project
await shell.runCommand("uv init test-project-version");
const result = await shell.runCommand(
"cd test-project-version && uv add requests==2.32.3"
"cd test-project-version && uv add requests==2.32.3 --safe-chain-logging=verbose"
);
assert.ok(
@ -370,12 +376,12 @@ describe("E2E: uv coverage", () => {
it(`uv add --dev for development dependencies`, async () => {
const shell = await container.openShell("zsh");
// Initialize a new uv project
await shell.runCommand("uv init test-project-dev");
const result = await shell.runCommand(
"cd test-project-dev && uv add --dev pytest"
"cd test-project-dev && uv add --dev pytest --safe-chain-logging=verbose"
);
assert.ok(
@ -386,12 +392,12 @@ describe("E2E: uv coverage", () => {
it(`uv add multiple packages at once`, async () => {
const shell = await container.openShell("zsh");
// Initialize a new uv project
await shell.runCommand("uv init test-project-multi");
const result = await shell.runCommand(
"cd test-project-multi && uv add requests certifi urllib3"
"cd test-project-multi && uv add requests certifi urllib3 --safe-chain-logging=verbose"
);
assert.ok(
@ -402,10 +408,10 @@ describe("E2E: uv coverage", () => {
it(`safe-chain blocks malicious packages via uv add`, async () => {
const shell = await container.openShell("zsh");
// Initialize a new uv project
await shell.runCommand("uv init test-project-malware");
const result = await shell.runCommand(
"cd test-project-malware && uv add safe-chain-pi-test"
);
@ -427,20 +433,19 @@ describe("E2E: uv coverage", () => {
it(`uv tool install installs a global tool`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv tool install ruff"
"uv tool install ruff --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found.") || result.output.includes("Installed"),
result.output.includes("no malware found.") ||
result.output.includes("Installed"),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it(`safe-chain blocks malicious packages via uv tool install`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"uv tool install safe-chain-pi-test"
);
const result = await shell.runCommand("uv tool install safe-chain-pi-test");
assert.ok(
result.output.includes("blocked 1 malicious package downloads:"),
@ -454,12 +459,14 @@ describe("E2E: uv coverage", () => {
it(`uv run --with installs ephemeral dependency`, async () => {
const shell = await container.openShell("zsh");
// Create a simple Python script
await shell.runCommand("echo 'import requests; print(requests.__version__)' > test_script.py");
await shell.runCommand(
"echo 'import requests; print(requests.__version__)' > test_script.py"
);
const result = await shell.runCommand(
"uv run --with requests test_script.py"
"uv run --with requests test_script.py --safe-chain-logging=verbose"
);
assert.ok(
@ -470,10 +477,10 @@ describe("E2E: uv coverage", () => {
it(`safe-chain blocks malicious packages via uv run --with`, async () => {
const shell = await container.openShell("zsh");
// Create a simple Python script
await shell.runCommand("echo 'print(\"test\")' > test_script2.py");
const result = await shell.runCommand(
"uv run --with safe-chain-pi-test test_script2.py"
);
@ -486,10 +493,10 @@ describe("E2E: uv coverage", () => {
it(`uv sync syncs project dependencies`, async () => {
const shell = await container.openShell("zsh");
// Initialize a new uv project, add a dependency, remove venv, and sync in one command chain
const result = await shell.runCommand(
"uv init test-sync-project && cd test-sync-project && uv add requests && rm -rf .venv && uv sync"
"uv init test-sync-project && cd test-sync-project && uv add requests --safe-chain-logging=verbose && rm -rf .venv && uv sync --safe-chain-logging=verbose"
);
assert.ok(
@ -500,12 +507,12 @@ describe("E2E: uv coverage", () => {
it(`uv add from git URL`, async () => {
const shell = await container.openShell("zsh");
// Initialize a new uv project
await shell.runCommand("uv init test-git-add");
const result = await shell.runCommand(
"cd test-git-add && uv add git+https://github.com/psf/requests.git@v2.32.3"
"cd test-git-add && uv add git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
);
assert.ok(
@ -516,12 +523,12 @@ describe("E2E: uv coverage", () => {
it(`uv add with --optional group`, async () => {
const shell = await container.openShell("zsh");
// Initialize a new uv project
await shell.runCommand("uv init test-optional");
const result = await shell.runCommand(
"cd test-optional && uv add --optional dev pytest"
"cd test-optional && uv add --optional dev pytest --safe-chain-logging=verbose"
);
assert.ok(
@ -532,13 +539,15 @@ describe("E2E: uv coverage", () => {
it(`uv run --with-requirements installs from requirements file`, async () => {
const shell = await container.openShell("zsh");
// Create requirements file and script
await shell.runCommand("echo 'requests' > run_requirements.txt");
await shell.runCommand("echo 'import requests; print(requests.__version__)' > run_script.py");
await shell.runCommand(
"echo 'import requests; print(requests.__version__)' > run_script.py"
);
const result = await shell.runCommand(
"uv run --with-requirements run_requirements.txt run_script.py"
"uv run --with-requirements run_requirements.txt run_script.py --safe-chain-logging=verbose"
);
assert.ok(
@ -549,10 +558,10 @@ describe("E2E: uv coverage", () => {
it(`uv sync --all-extras syncs all optional dependencies`, async () => {
const shell = await container.openShell("zsh");
// Initialize project with optional dependency and sync in one command chain
const result = await shell.runCommand(
"uv init test-extras && cd test-extras && uv add --optional dev pytest && uv sync --all-extras"
"uv init test-extras && cd test-extras && uv add --optional dev pytest --safe-chain-logging=verbose && uv sync --all-extras"
);
assert.ok(
@ -561,4 +570,3 @@ describe("E2E: uv coverage", () => {
);
});
});

4
test/e2e/yarn-ci.e2e.spec.js
View file

@ -33,7 +33,9 @@ describe("E2E: yarn coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("yarn add axios");
const result = await shell.runCommand(
"yarn add axios --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),

4
test/e2e/yarn.e2e.spec.js
View file

@ -28,7 +28,9 @@ describe("E2E: yarn coverage", () => {
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("yarn add axios");
const result = await shell.runCommand(
"yarn add axios --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),