milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #223 from AikidoSec/feature/combine-certs

Browse source 
Combine cert with NODE_EXTRA_CA_CERTS if it already exists
This commit is contained in:
Reinier Criel 2025-12-10 08:16:32 -08:00 committed by GitHub
commit 14bb6899d8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 759 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

2
packages/safe-chain/src/packagemanager/pip/runPipCommand.js
View file

@ -93,7 +93,7 @@ export async function runPip(command, args) {
try {
const env = mergeSafeChainProxyEnvironmentVariables(process.env);
// Always provide Python with a complete CA bundle (Safe Chain CA + Mozilla + Node built-in roots)
// Always provide Python with a complete CA bundle (Safe Chain CA + Mozilla + Node built-in roots + user certs)
// so that any network request made by pip, including those outside explicit CLI args,
// validates correctly under both MITM'd and tunneled HTTPS.
const combinedCaPath = getCombinedCaBundlePath();

116
packages/safe-chain/src/registryProxy/certBundle.js
View file

@ -6,6 +6,7 @@ import certifi from "certifi";
import tls from "node:tls";
import { X509Certificate } from "node:crypto";
import { getCaCertPath } from "./certUtils.js";
import { ui } from "../environment/userInteraction.js";
/**
* Check if a PEM string contains only parsable cert blocks.
@ -14,6 +15,7 @@ import { getCaCertPath } from "./certUtils.js";
*/
function isParsable(pem) {
if (!pem || typeof pem !== "string") return false;
pem = normalizeLineEndings(pem);
const begin = "-----BEGIN CERTIFICATE-----";
const end = "-----END CERTIFICATE-----";
const blocks = [];
@ -41,20 +43,17 @@ function isParsable(pem) {
}
}
/** @type {string | null} */
let cachedPath = null;
/**
* Build a combined CA bundle for Python and Node HTTPS flows.
* - Includes Safe Chain CA (for MITM of known registries)
* - Includes Mozilla roots via npm `certifi` (public HTTPS)
* - Includes Node's built-in root certificates as a portable fallback
* Build a combined CA bundle.
* Automatically includes:
* - Safe Chain CA (for MITM of known registries)
* - Mozilla roots via certifi (for public HTTPS)
* - Node's built-in root certificates (fallback)
* - User's custom certificates (if NODE_EXTRA_CA_CERTS environment variable is set)
*
* @returns {string} Path to the combined CA bundle PEM file
*/
export function getCombinedCaBundlePath() {
if (cachedPath && fs.existsSync(cachedPath)) return cachedPath;
// Concatenate PEM files
const parts = [];
// 1) Safe Chain CA (for MITM'd registries)
@ -87,9 +86,96 @@ export function getCombinedCaBundlePath() {
// Ignore if unavailable
}
const combined = parts.filter(Boolean).join("\n");
const target = path.join(os.tmpdir(), "safe-chain-ca-bundle.pem");
fs.writeFileSync(target, combined, { encoding: "utf8" });
cachedPath = target;
return cachedPath;
// 4) User's NODE_EXTRA_CA_CERTS (if set)
const userCertPath = process.env.NODE_EXTRA_CA_CERTS;
if (userCertPath) {
const userPem = readUserCertificateFile(userCertPath);
if (userPem) {
parts.push(userPem.trim());
ui.writeVerbose(`Safe-chain: Merging user's NODE_EXTRA_CA_CERTS from ${userCertPath}`);
} else {
ui.writeWarning(`Safe-chain: Could not read or parse user's NODE_EXTRA_CA_CERTS from ${userCertPath}`);
}
}
const combined = parts.filter(Boolean).join("\n");
const target = path.join(os.tmpdir(), `safe-chain-ca-bundle-${Date.now()}.pem`);
fs.writeFileSync(target, combined, { encoding: "utf8" });
return target;
}
/**
* Normalize path
* @param {string} p - Path to normalize
* @returns {string}
*/
function normalizePathF(p) {
return p.replace(/\\/g, "/");
}
/**
* Normalize line endings to LF
* @param {string} text - Text with mixed line endings
* @returns {string}
*/
function normalizeLineEndings(text) {
return text.replace(/\r\n/g, "\n").replace(/\r/g, "\n");
}
/**
* Read and validate user certificate file
* @param {string} certPath - Path to certificate file
* @returns {string | null} Certificate PEM content or null if invalid/unreadable
*/
function readUserCertificateFile(certPath) {
try {
// 1) Basic validation
if (typeof certPath !== "string" || certPath.trim().length === 0) {
return null;
}
// 2) Reject path traversal attempts (normalize backslashes first for Windows paths)
const normalizedPath = normalizePathF(certPath);
if (normalizedPath.includes("..")) {
return null;
}
// 3) Check if file exists and is not a directory or symlink
let stats;
try {
stats = fs.lstatSync(certPath);
} catch {
// File doesn't exist or can't be accessed
return null;
}
if (!stats.isFile()) {
// Reject directories and symlinks
return null;
}
// 4) Read file content
let content;
try {
content = fs.readFileSync(certPath, "utf8");
} catch {
return null;
}
if (!content || typeof content !== "string") {
return null;
}
// 5) Validate PEM format
if (!isParsable(content)) {
return null;
}
return content;
} catch {
// Silently fail on any errors
return null;
}
}

308
packages/safe-chain/src/registryProxy/certBundle.spec.js
View file

@ -15,6 +15,13 @@ function removeBundleIfExists() {
}
}
// Utility to get a valid PEM certificate for testing
function getValidCert() {
const cert = typeof tls.rootCertificates?.[0] === "string" ? tls.rootCertificates[0] : "";
assert.ok(cert.includes("BEGIN CERTIFICATE"), "Environment lacks Node root certificates for test");
return cert;
}
describe("certBundle.getCombinedCaBundlePath", () => {
beforeEach(() => {
mock.restoreAll();
@ -69,3 +76,304 @@ describe("certBundle.getCombinedCaBundlePath", () => {
assert.ok(!contents.includes(invalidMarker), "Bundle should not include invalid Safe Chain content");
});
});
describe("certBundle.getCombinedCaBundlePath with user certs", () => {
beforeEach(() => {
mock.restoreAll();
delete process.env.NODE_EXTRA_CA_CERTS;
});
it("returns a path with full CA bundle (Safe Chain + Mozilla + Node roots) when no user cert in env", async () => {
// Mock getCaCertPath to return valid cert
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "certtest-"));
const safeChainPath = path.join(tmpDir, "safechain.pem");
fs.writeFileSync(safeChainPath, getValidCert(), "utf8");
mock.module("./certUtils.js", {
namedExports: {
getCaCertPath: () => safeChainPath,
},
});
const { getCombinedCaBundlePath } = await import("./certBundle.js");
const bundlePath = getCombinedCaBundlePath();
assert.ok(fs.existsSync(bundlePath), "Bundle path should exist");
const contents = fs.readFileSync(bundlePath, "utf8");
assert.match(contents, /-----BEGIN CERTIFICATE-----/, "Should contain certificate blocks");
// Should include base bundle (Safe Chain + Mozilla/Node roots)
assert.ok(contents.length > 1000, "Bundle should be substantial with Mozilla/Node roots included");
});
it("merges user cert with full base bundle (Safe Chain CA + Mozilla + Node roots)", async () => {
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "certtest-"));
// Create Safe Chain CA
const safeChainPath = path.join(tmpDir, "safechain.pem");
const safeChainCert = getValidCert();
fs.writeFileSync(safeChainPath, safeChainCert, "utf8");
// Create user cert file
const userCertPath = path.join(tmpDir, "user-cert.pem");
const userCert = getValidCert();
fs.writeFileSync(userCertPath, userCert, "utf8");
process.env.NODE_EXTRA_CA_CERTS = userCertPath;
mock.module("./certUtils.js", {
namedExports: {
getCaCertPath: () => safeChainPath,
},
});
const { getCombinedCaBundlePath } = await import("./certBundle.js");
const bundlePath = getCombinedCaBundlePath();
assert.ok(fs.existsSync(bundlePath), "Bundle path should exist");
const contents = fs.readFileSync(bundlePath, "utf8");
// Both certs should be in the bundle
const certCount = (contents.match(/-----BEGIN CERTIFICATE-----/g) || []).length;
assert.ok(certCount >= 2, "Bundle should contain both Safe Chain and user certificates");
});
it("ignores non-existent user cert path", async () => {
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "certtest-"));
const safeChainPath = path.join(tmpDir, "safechain.pem");
fs.writeFileSync(safeChainPath, getValidCert(), "utf8");
process.env.NODE_EXTRA_CA_CERTS = "/nonexistent/path.pem";
mock.module("./certUtils.js", {
namedExports: {
getCaCertPath: () => safeChainPath,
},
});
const { getCombinedCaBundlePath } = await import("./certBundle.js");
const bundlePath = getCombinedCaBundlePath();
assert.ok(fs.existsSync(bundlePath), "Bundle path should exist");
const contents = fs.readFileSync(bundlePath, "utf8");
// Should still have Safe Chain CA
assert.match(contents, /-----BEGIN CERTIFICATE-----/, "Should contain Safe Chain CA");
});
it("ignores invalid PEM user cert", async () => {
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "certtest-"));
const safeChainPath = path.join(tmpDir, "safechain.pem");
fs.writeFileSync(safeChainPath, getValidCert(), "utf8");
const userCertPath = path.join(tmpDir, "invalid.pem");
fs.writeFileSync(userCertPath, "NOT A VALID PEM", "utf8");
process.env.NODE_EXTRA_CA_CERTS = userCertPath;
mock.module("./certUtils.js", {
namedExports: {
getCaCertPath: () => safeChainPath,
},
});
const { getCombinedCaBundlePath } = await import("./certBundle.js");
const bundlePath = getCombinedCaBundlePath();
assert.ok(fs.existsSync(bundlePath), "Bundle path should exist");
const contents = fs.readFileSync(bundlePath, "utf8");
// Should still have Safe Chain CA only
assert.match(contents, /-----BEGIN CERTIFICATE-----/, "Should contain Safe Chain CA");
assert.ok(!contents.includes("NOT A VALID"), "Should not include invalid cert");
});
it("rejects user cert with path traversal attempts", async () => {
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "certtest-"));
const safeChainPath = path.join(tmpDir, "safechain.pem");
fs.writeFileSync(safeChainPath, getValidCert(), "utf8");
mock.module("./certUtils.js", {
namedExports: {
getCaCertPath: () => safeChainPath,
},
});
const { getCombinedCaBundlePath } = await import("./certBundle.js");
process.env.NODE_EXTRA_CA_CERTS = "../../../etc/passwd";
const bundlePath = getCombinedCaBundlePath();
assert.ok(fs.existsSync(bundlePath), "Bundle path should exist");
const contents = fs.readFileSync(bundlePath, "utf8");
// Should only have Safe Chain CA, rejected the traversal path
assert.match(contents, /-----BEGIN CERTIFICATE-----/, "Should contain Safe Chain CA");
});
it("rejects user cert with symlink", async () => {
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "certtest-"));
const safeChainPath = path.join(tmpDir, "safechain.pem");
fs.writeFileSync(safeChainPath, getValidCert(), "utf8");
// Create a target file and a symlink to it
const targetCert = path.join(tmpDir, "target.pem");
fs.writeFileSync(targetCert, getValidCert(), "utf8");
const symlinkPath = path.join(tmpDir, "symlink.pem");
try {
fs.symlinkSync(targetCert, symlinkPath);
} catch {
// Skip test if symlinks are not supported (e.g., on Windows without admin)
return;
}
mock.module("./certUtils.js", {
namedExports: {
getCaCertPath: () => safeChainPath,
},
});
const { getCombinedCaBundlePath } = await import("./certBundle.js");
process.env.NODE_EXTRA_CA_CERTS = symlinkPath;
const bundlePath = getCombinedCaBundlePath();
assert.ok(fs.existsSync(bundlePath), "Bundle path should exist");
const contents = fs.readFileSync(bundlePath, "utf8");
// Should only have Safe Chain CA, symlinks are rejected
assert.match(contents, /-----BEGIN CERTIFICATE-----/, "Should contain Safe Chain CA");
});
it("rejects user cert that is a directory", async () => {
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "certtest-"));
const safeChainPath = path.join(tmpDir, "safechain.pem");
fs.writeFileSync(safeChainPath, getValidCert(), "utf8");
const certDir = path.join(tmpDir, "certs");
fs.mkdirSync(certDir);
mock.module("./certUtils.js", {
namedExports: {
getCaCertPath: () => safeChainPath,
},
});
const { getCombinedCaBundlePath } = await import("./certBundle.js");
process.env.NODE_EXTRA_CA_CERTS = certDir;
const bundlePath = getCombinedCaBundlePath();
assert.ok(fs.existsSync(bundlePath), "Bundle path should exist");
const contents = fs.readFileSync(bundlePath, "utf8");
// Should only have Safe Chain CA
assert.match(contents, /-----BEGIN CERTIFICATE-----/, "Should contain Safe Chain CA");
});
it("handles empty string user cert path", async () => {
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "certtest-"));
const safeChainPath = path.join(tmpDir, "safechain.pem");
fs.writeFileSync(safeChainPath, getValidCert(), "utf8");
mock.module("./certUtils.js", {
namedExports: {
getCaCertPath: () => safeChainPath,
},
});
const { getCombinedCaBundlePath } = await import("./certBundle.js");
process.env.NODE_EXTRA_CA_CERTS = " ";
const bundlePath = getCombinedCaBundlePath();
assert.ok(fs.existsSync(bundlePath), "Bundle path should exist");
const contents = fs.readFileSync(bundlePath, "utf8");
assert.match(contents, /-----BEGIN CERTIFICATE-----/, "Should contain Safe Chain CA");
});
it("accepts files with CRLF line endings (Windows-style)", async () => {
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "certtest-"));
const safeChainPath = path.join(tmpDir, "safechain.pem");
fs.writeFileSync(safeChainPath, getValidCert(), "utf8");
// Create a real file with CRLF content to test Windows line ending support
const userCertPath = path.join(tmpDir, "user-cert-crlf.pem");
const userCert = getValidCert();
const certWithCRLF = userCert.replace(/\n/g, "\r\n");
fs.writeFileSync(userCertPath, certWithCRLF, "utf8");
process.env.NODE_EXTRA_CA_CERTS = userCertPath;
mock.module("./certUtils.js", {
namedExports: {
getCaCertPath: () => safeChainPath,
},
});
const { getCombinedCaBundlePath } = await import("./certBundle.js");
const bundlePath = getCombinedCaBundlePath();
assert.ok(fs.existsSync(bundlePath), "Bundle path should exist");
const contents = fs.readFileSync(bundlePath, "utf8");
const certCount = (contents.match(/-----BEGIN CERTIFICATE-----/g) || []).length;
assert.ok(certCount >= 2, "Bundle should contain Safe Chain and user certificates with CRLF");
});
it("detects and handles Windows-style path syntax (drive letters and UNC)", async () => {
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "certtest-"));
const safeChainPath = path.join(tmpDir, "safechain.pem");
fs.writeFileSync(safeChainPath, getValidCert(), "utf8");
mock.module("./certUtils.js", {
namedExports: {
getCaCertPath: () => safeChainPath,
},
});
const { getCombinedCaBundlePath } = await import("./certBundle.js");
// Test that Windows path syntax is recognized (even if files don't exist on macOS/Linux)
// These should gracefully fail (return Safe Chain CA only) rather than crash
const winPaths = [
"C:\\temp\\cert.pem",
"D:\\Users\\name\\certs\\ca.pem",
"\\\\server\\share\\cert.pem"
];
for (const winPath of winPaths) {
process.env.NODE_EXTRA_CA_CERTS = winPath;
const bundlePath = getCombinedCaBundlePath();
assert.ok(fs.existsSync(bundlePath), `Bundle should exist for ${winPath}`);
const contents = fs.readFileSync(bundlePath, "utf8");
assert.match(contents, /-----BEGIN CERTIFICATE-----/, "Should contain Safe Chain CA");
}
});
it("rejects path traversal with Windows-style paths (C:\\temp\\..\\etc\\passwd)", async () => {
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "certtest-"));
const safeChainPath = path.join(tmpDir, "safechain.pem");
fs.writeFileSync(safeChainPath, getValidCert(), "utf8");
mock.module("./certUtils.js", {
namedExports: {
getCaCertPath: () => safeChainPath,
},
});
const { getCombinedCaBundlePath } = await import("./certBundle.js");
// Test various Windows-style traversal attempts
const traversalPaths = [
"C:\\temp\\..\\etc\\passwd",
"D:\\Users\\..\\..\\Windows\\System32",
"\\\\server\\share\\..\\admin",
"../../../etc/passwd", // Unix-style for comparison
];
// First, get baseline bundle without user certs to know expected cert count
delete process.env.NODE_EXTRA_CA_CERTS;
const baselineBundlePath = getCombinedCaBundlePath();
const baselineContents = fs.readFileSync(baselineBundlePath, "utf8");
const baselineCertCount = (baselineContents.match(/-----BEGIN CERTIFICATE-----/g) || []).length;
for (const badPath of traversalPaths) {
process.env.NODE_EXTRA_CA_CERTS = badPath;
const bundlePath = getCombinedCaBundlePath();
assert.ok(fs.existsSync(bundlePath), "Bundle path should exist");
const contents = fs.readFileSync(bundlePath, "utf8");
// Should contain base bundle (Safe Chain + Mozilla + Node roots) but NOT user cert
const certCount = (contents.match(/-----BEGIN CERTIFICATE-----/g) || []).length;
assert.strictEqual(certCount, baselineCertCount, `Traversal path ${badPath} should be rejected; base bundle only (no user cert added)`);
}
});
});

6
packages/safe-chain/src/registryProxy/registryProxy.js
View file

@ -2,7 +2,7 @@ import * as http from "http";
import { tunnelRequest } from "./tunnelRequestHandler.js";
import { mitmConnect } from "./mitmRequestHandler.js";
import { handleHttpProxyRequest } from "./plainHttpProxy.js";
import { getCaCertPath } from "./certUtils.js";
import { getCombinedCaBundlePath } from "./certBundle.js";
import { ui } from "../environment/userInteraction.js";
import chalk from "chalk";
import { createInterceptorForUrl } from "./interceptors/createInterceptorForEcoSystem.js";
@ -37,10 +37,12 @@ function getSafeChainProxyEnvironmentVariables() {
}
const proxyUrl = `http://localhost:${state.port}`;
const caCertPath = getCombinedCaBundlePath();
return {
HTTPS_PROXY: proxyUrl,
GLOBAL_AGENT_HTTP_PROXY: proxyUrl,
NODE_EXTRA_CA_CERTS: getCaCertPath(),
NODE_EXTRA_CA_CERTS: caCertPath,
};
}

347
test/e2e/certbundle.e2e.spec.js Normal file
View file

@ -0,0 +1,347 @@
import { describe, it, before, beforeEach, afterEach } from "node:test";
import { DockerTestContainer } from "./DockerTestContainer.js";
import assert from "node:assert";
describe("E2E: NODE_EXTRA_CA_CERTS merging", () => {
let container;
before(async () => {
DockerTestContainer.buildImage();
});
beforeEach(async () => {
// Run a new Docker container for each test
container = new DockerTestContainer();
await container.start();
const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup");
});
afterEach(async () => {
// Stop and clean up the container after each test
if (container) {
await container.stop();
container = null;
}
});
it(`npm install works without NODE_EXTRA_CA_CERTS set`, async () => {
const shell = await container.openShell("zsh");
// Ensure NODE_EXTRA_CA_CERTS is not set
await shell.runCommand("unset NODE_EXTRA_CA_CERTS");
const result = await shell.runCommand("npm install axios");
assert.ok(
result.output.includes("added") || result.output.includes("up to date"),
`npm install failed without NODE_EXTRA_CA_CERTS. Output was:\n${result.output}`
);
});
it(`npm install works with valid NODE_EXTRA_CA_CERTS set`, async () => {
const shell = await container.openShell("zsh");
// Create a temporary valid certificate (using the system's Mozilla CA bundle)
await shell.runCommand("cp /etc/ssl/certs/ca-certificates.crt /tmp/valid-certs.pem");
// Verify the cert file was created
const { output: checkOutput } = await shell.runCommand("test -f /tmp/valid-certs.pem && echo exists");
assert.ok(
checkOutput.includes("exists"),
`Certificate file was not created at /tmp/valid-certs.pem`
);
// Set NODE_EXTRA_CA_CERTS and run npm install
const result = await shell.runCommand(
"NODE_EXTRA_CA_CERTS=/tmp/valid-certs.pem npm install axios"
);
assert.ok(
result.output.includes("added") || result.output.includes("up to date"),
`npm install failed with valid NODE_EXTRA_CA_CERTS. Output was:\n${result.output}`
);
});
it(`npm install works with non-existent NODE_EXTRA_CA_CERTS path`, async () => {
const shell = await container.openShell("zsh");
// Set NODE_EXTRA_CA_CERTS to a non-existent path
const result = await shell.runCommand(
'export NODE_EXTRA_CA_CERTS="/tmp/nonexistent-certs.pem" && npm install axios'
);
// Should still succeed - safe-chain should gracefully handle missing user certs
assert.ok(
result.output.includes("added") || result.output.includes("up to date"),
`npm install failed with non-existent NODE_EXTRA_CA_CERTS. Output was:\n${result.output}`
);
// Should show a warning
assert.ok(
result.output.includes("Safe-chain") || result.output.includes("Could not read"),
`Expected safe-chain warning about missing certs. Output was:\n${result.output}`
);
});
it(`npm install works with invalid (non-PEM) NODE_EXTRA_CA_CERTS`, async () => {
const shell = await container.openShell("zsh");
// Create an invalid certificate file (not valid PEM)
await shell.runCommand(
'echo "This is not a valid PEM certificate" > /tmp/invalid-certs.pem'
);
// Set NODE_EXTRA_CA_CERTS to invalid cert
const result = await shell.runCommand(
'export NODE_EXTRA_CA_CERTS="/tmp/invalid-certs.pem" && npm install axios'
);
// Should still succeed - safe-chain should skip invalid user certs
assert.ok(
result.output.includes("added") || result.output.includes("up to date"),
`npm install failed with invalid NODE_EXTRA_CA_CERTS. Output was:\n${result.output}`
);
// Should show a warning about invalid cert
assert.ok(
result.output.includes("Safe-chain") || result.output.includes("Could not read"),
`Expected safe-chain warning about invalid certs. Output was:\n${result.output}`
);
});
it(`npm install handles NODE_EXTRA_CA_CERTS with path traversal attempt`, async () => {
const shell = await container.openShell("zsh");
// Try to set NODE_EXTRA_CA_CERTS with path traversal
const result = await shell.runCommand(
'export NODE_EXTRA_CA_CERTS="/tmp/../../../etc/passwd" && npm install axios'
);
// Should still succeed - safe-chain should reject path traversal
assert.ok(
result.output.includes("added") || result.output.includes("up to date"),
`npm install failed with path traversal NODE_EXTRA_CA_CERTS. Output was:\n${result.output}`
);
});
it(`npm install handles empty NODE_EXTRA_CA_CERTS`, async () => {
const shell = await container.openShell("zsh");
// Create an empty certificate file
await shell.runCommand("touch /tmp/empty-certs.pem");
const result = await shell.runCommand(
'export NODE_EXTRA_CA_CERTS="/tmp/empty-certs.pem" && npm install axios'
);
// Should still succeed - empty file should be ignored gracefully
assert.ok(
result.output.includes("added") || result.output.includes("up to date"),
`npm install failed with empty NODE_EXTRA_CA_CERTS. Output was:\n${result.output}`
);
});
it(`npm install handles NODE_EXTRA_CA_CERTS pointing to a directory`, async () => {
const shell = await container.openShell("zsh");
// Create a directory instead of a file
await shell.runCommand("mkdir -p /tmp/cert-dir");
const result = await shell.runCommand(
'export NODE_EXTRA_CA_CERTS="/tmp/cert-dir" && npm install axios'
);
// Should still succeed - directory should be treated as invalid cert file
assert.ok(
result.output.includes("added") || result.output.includes("up to date"),
`npm install failed when NODE_EXTRA_CA_CERTS points to directory. Output was:\n${result.output}`
);
});
it(`npm install handles relative NODE_EXTRA_CA_CERTS path`, async () => {
const shell = await container.openShell("zsh");
// Create a cert file and try to reference it with relative path
await shell.runCommand(
"mkdir -p /tmp/cert-test && cp /etc/ssl/certs/ca-certificates.crt /tmp/cert-test/certs.pem"
);
const result = await shell.runCommand(
'cd /tmp/cert-test && export NODE_EXTRA_CA_CERTS="./certs.pem" && npm install axios'
);
// Should still succeed - relative paths should be resolved properly
assert.ok(
result.output.includes("added") || result.output.includes("up to date"),
`npm install failed with relative NODE_EXTRA_CA_CERTS path. Output was:\n${result.output}`
);
});
it(`npm install handles absolute NODE_EXTRA_CA_CERTS path`, async () => {
const shell = await container.openShell("zsh");
// Create cert file with absolute path
await shell.runCommand("cp /etc/ssl/certs/ca-certificates.crt /tmp/absolute-certs.pem");
const result = await shell.runCommand(
"NODE_EXTRA_CA_CERTS=/tmp/absolute-certs.pem npm install axios"
);
assert.ok(
result.output.includes("added") || result.output.includes("up to date"),
`npm install failed with absolute NODE_EXTRA_CA_CERTS path. Output was:\n${result.output}`
);
});
it(`npm install with multiple packages still respects merged certificates`, async () => {
const shell = await container.openShell("zsh");
// Create valid cert
await shell.runCommand("cp /etc/ssl/certs/ca-certificates.crt /tmp/merge-certs.pem");
const result = await shell.runCommand(
"NODE_EXTRA_CA_CERTS=/tmp/merge-certs.pem npm install axios lodash"
);
assert.ok(
result.output.includes("added") || result.output.includes("up to date"),
`npm install with multiple packages failed. Output was:\n${result.output}`
);
});
it(`npm install correctly blocks malware even with merged certificates`, async () => {
const shell = await container.openShell("zsh");
// Create valid cert
await shell.runCommand("cp /etc/ssl/certs/ca-certificates.crt /tmp/secure-merge-certs.pem");
const result = await shell.runCommand(
"NODE_EXTRA_CA_CERTS=/tmp/secure-merge-certs.pem npm install safe-chain-test"
);
// Should block the malware package
assert.ok(
result.output.includes("Malicious") || result.output.includes("blocked"),
`Malware package should be blocked even with merged certificates. Output was:\n${result.output}`
);
});
it(`pip install works without NODE_EXTRA_CA_CERTS set`, async () => {
const shell = await container.openShell("zsh");
await shell.runCommand("safe-chain setup --include-python");
await shell.runCommand("unset NODE_EXTRA_CA_CERTS");
const result = await shell.runCommand(
"pip3 install --break-system-packages requests"
);
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
`pip3 install failed without NODE_EXTRA_CA_CERTS. Output was:\n${result.output}`
);
});
it(`pip install works with valid NODE_EXTRA_CA_CERTS set`, async () => {
const shell = await container.openShell("zsh");
await shell.runCommand("safe-chain setup --include-python");
// Create a temporary valid certificate
await shell.runCommand("cp /etc/ssl/certs/ca-certificates.crt /tmp/pip-valid-certs.pem");
const result = await shell.runCommand(
"NODE_EXTRA_CA_CERTS=/tmp/pip-valid-certs.pem pip3 install --break-system-packages requests"
);
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
`pip3 install failed with valid NODE_EXTRA_CA_CERTS. Output was:\n${result.output}`
);
});
it(`pip install handles non-existent NODE_EXTRA_CA_CERTS gracefully`, async () => {
const shell = await container.openShell("zsh");
await shell.runCommand("safe-chain setup --include-python");
const result = await shell.runCommand(
'export NODE_EXTRA_CA_CERTS="/tmp/nonexistent-pip-certs.pem" && pip3 install --break-system-packages requests'
);
// Should still work - gracefully handle missing user certs
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
`pip3 install failed with non-existent NODE_EXTRA_CA_CERTS. Output was:\n${result.output}`
);
});
it(`pip install handles invalid NODE_EXTRA_CA_CERTS gracefully`, async () => {
const shell = await container.openShell("zsh");
await shell.runCommand("safe-chain setup --include-python");
// Create invalid cert
await shell.runCommand(
'echo "invalid certificate content" > /tmp/pip-invalid-certs.pem'
);
const result = await shell.runCommand(
'export NODE_EXTRA_CA_CERTS="/tmp/pip-invalid-certs.pem" && pip3 install --break-system-packages requests'
);
// Should still work - skip invalid user certs
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
`pip3 install failed with invalid NODE_EXTRA_CA_CERTS. Output was:\n${result.output}`
);
});
it(`yarn install works with valid NODE_EXTRA_CA_CERTS set`, async () => {
const shell = await container.openShell("zsh");
// Create valid cert
await shell.runCommand("cp /etc/ssl/certs/ca-certificates.crt /tmp/yarn-certs.pem");
const result = await shell.runCommand(
"NODE_EXTRA_CA_CERTS=/tmp/yarn-certs.pem yarn add axios"
);
assert.ok(
!result.output.toLowerCase().includes("error") || result.output.includes("Done"),
`yarn add failed with valid NODE_EXTRA_CA_CERTS. Output was:\n${result.output}`
);
});
it(`pnpm install works with valid NODE_EXTRA_CA_CERTS set`, async () => {
const shell = await container.openShell("zsh");
// Create valid cert
await shell.runCommand("cp /etc/ssl/certs/ca-certificates.crt /tmp/pnpm-certs.pem");
const result = await shell.runCommand(
"NODE_EXTRA_CA_CERTS=/tmp/pnpm-certs.pem pnpm add axios"
);
assert.ok(
!result.output.toLowerCase().includes("error") || result.output.includes("Progress"),
`pnpm add failed with valid NODE_EXTRA_CA_CERTS. Output was:\n${result.output}`
);
});
it(`bun install works with valid NODE_EXTRA_CA_CERTS set`, async () => {
const shell = await container.openShell("bash");
// Create valid cert and run bun in the same command to ensure file exists
const result = await shell.runCommand(
"cp /etc/ssl/certs/ca-certificates.crt /tmp/bun-certs.pem && NODE_EXTRA_CA_CERTS=/tmp/bun-certs.pem bun i axios"
);
assert.ok(
!result.output.toLowerCase().includes("error") || result.output.includes("installed"),
`bun i failed with valid NODE_EXTRA_CA_CERTS. Output was:\n${result.output}`
);
});
});