milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add regular setup support

Browse source
This commit is contained in:
Reinier Criel 2026-04-10 12:09:40 -07:00
parent 1635bee387
commit 24af6f21eb
23 changed files with 575 additions and 48 deletions
Download patch file Download diff file Expand all files Collapse all files

35
test/e2e/bun.e2e.spec.js
View file

@ -78,4 +78,39 @@ describe("E2E: bun coverage", () => {
`Output did not include expected text. Output was:\n${result.output}`
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("bash");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious bun packages when scripts are in a custom directory", async () => {
const shell = await customContainer.openShell("bash");
const result = await shell.runCommand("bunx safe-chain-test");
assert.ok(
result.output.includes("blocked 1 malicious package downloads"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

43
test/e2e/npm-ci.e2e.spec.js
View file

@ -102,4 +102,47 @@ describe("E2E: npm coverage using PATH", () => {
`Output did not include expected text. Output was:\n${result.output}`
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup-ci");
// Persist SAFE_CHAIN_DIR and the custom shims dir in .zshrc so new shells
// inherit both (shims need SAFE_CHAIN_DIR to strip themselves from PATH)
await setupShell.runCommand(
`echo 'export SAFE_CHAIN_DIR=${CUSTOM_DIR}' >> ~/.zshrc`
);
await setupShell.runCommand(
`echo 'export PATH="${CUSTOM_DIR}/shims:$PATH"' >> ~/.zshrc`
);
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious npm packages when shims are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand("npm i safe-chain-test");
assert.ok(
result.output.includes("Malicious changes detected:"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

35
test/e2e/npm.e2e.spec.js
View file

@ -119,4 +119,39 @@ describe("E2E: npm coverage", () => {
`Output did not include expected text. Output was:\n${result.output}`
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious npm packages when scripts are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand("npm i safe-chain-test");
assert.ok(
result.output.includes("Malicious changes detected:"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

40
test/e2e/pip-ci.e2e.spec.js
View file

@ -204,4 +204,44 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
);
});
}
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand("pip3 cache purge");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup-ci");
await setupShell.runCommand(
`echo 'export SAFE_CHAIN_DIR=${CUSTOM_DIR}' >> ~/.zshrc`
);
await setupShell.runCommand(
`echo 'export PATH="${CUSTOM_DIR}/shims:$PATH"' >> ~/.zshrc`
);
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("intercepts pip3 install when shims are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand(
"pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),
`Expected pip3 to be protected with SAFE_CHAIN_DIR. Output:\n${result.output}`
);
});
});
});

36
test/e2e/pip.e2e.spec.js
View file

@ -844,4 +844,40 @@ describe("E2E: pip coverage", () => {
`python -m pip SHOULD go through safe-chain. Output was:\n${result.output}`
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
await setupShell.runCommand("pip3 cache purge");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("intercepts pip3 install when scripts are in a custom directory", async () => {
// New shell sources ~/.zshrc → sources init-posix.sh from custom dir
// → defines pip3() shell function that routes through safe-chain
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand(
"pip3 install --break-system-packages requests --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),
`Expected pip3 to be protected with SAFE_CHAIN_DIR. Output:\n${result.output}`
);
});
});
});

35
test/e2e/pipx.e2e.spec.js
View file

@ -197,4 +197,39 @@ describe("E2E: pipx coverage", () => {
`Expected exit message. Output was:\n${result.output}`
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious pipx packages when scripts are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand("pipx install safe-chain-pi-test");
assert.ok(
result.output.includes("blocked by safe-chain"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

41
test/e2e/pnpm-ci.e2e.spec.js
View file

@ -122,4 +122,45 @@ describe("E2E: pnpm coverage", () => {
`Output did not include expected text. Output was:\n${result.output}`
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup-ci");
await setupShell.runCommand(
`echo 'export SAFE_CHAIN_DIR=${CUSTOM_DIR}' >> ~/.zshrc`
);
await setupShell.runCommand(
`echo 'export PATH="${CUSTOM_DIR}/shims:$PATH"' >> ~/.zshrc`
);
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious pnpm packages when shims are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand("pnpm add safe-chain-test");
assert.ok(
result.output.includes("Malicious changes detected:"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

35
test/e2e/pnpm.e2e.spec.js
View file

@ -139,4 +139,39 @@ describe("E2E: pnpm coverage", () => {
`Output did not include expected text. Output was:\n${result.output}`
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious pnpm packages when scripts are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand("pnpm add safe-chain-test");
assert.ok(
result.output.includes("Malicious changes detected:"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

42
test/e2e/poetry.e2e.spec.js
View file

@ -422,4 +422,46 @@ describe("E2E: poetry coverage", () => {
`Expected env list output. Output was:\n${envListResult.output}`
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
await setupShell.runCommand("command poetry cache clear pypi --all -n");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious poetry packages when scripts are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
await shell.runCommand("mkdir /tmp/test-poetry-custom-dir");
await shell.runCommand(
"cd /tmp/test-poetry-custom-dir && poetry init --no-interaction"
);
const result = await shell.runCommand(
"cd /tmp/test-poetry-custom-dir && poetry add safe-chain-pi-test"
);
assert.ok(
result.output.includes("blocked by safe-chain"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

51
test/e2e/safe-chain-dir.e2e.spec.js
View file

@ -64,6 +64,57 @@ describe("E2E: SAFE_CHAIN_DIR support", () => {
);
});
it("setup writes the custom path to ~/.bashrc when SAFE_CHAIN_DIR is set", async () => {
const shell = await container.openShell("bash");
await shell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await shell.runCommand("safe-chain setup");
const result = await shell.runCommand("cat ~/.bashrc");
assert.ok(
result.output.includes(`source ${CUSTOM_DIR}/scripts/init-posix.sh`),
`Expected ~/.bashrc to contain custom scripts path. Output:\n${result.output}`
);
assert.ok(
!result.output.includes("source ~/.safe-chain/scripts/init-posix.sh"),
`Expected ~/.bashrc to NOT contain default path. Output:\n${result.output}`
);
});
it("setup with SAFE_CHAIN_DIR still protects npm in a new shell session", async () => {
// Run setup with the custom dir
const setupShell = await container.openShell("bash");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
// Open a fresh shell — it will source ~/.bashrc which sources init-posix.sh
// from the custom dir, defining the npm wrapper function
const projectShell = await container.openShell("bash");
await projectShell.runCommand("cd /testapp");
const result = await projectShell.runCommand(
"npm i axios@1.13.0 --safe-chain-logging=verbose"
);
// "Safe-chain: Package" appears before npm downloads — confirms interception happened
assert.ok(
result.output.includes("Safe-chain: Package"),
`Expected npm to be protected after setup with SAFE_CHAIN_DIR. Output:\n${result.output}`
);
});
it("teardown removes the custom SAFE_CHAIN_DIR source line from ~/.bashrc", async () => {
const shell = await container.openShell("bash");
await shell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await shell.runCommand("safe-chain setup");
await shell.runCommand("safe-chain teardown");
const result = await shell.runCommand("cat ~/.bashrc");
assert.ok(
!result.output.includes(`source ${CUSTOM_DIR}/scripts/init-posix.sh`),
`Expected custom source line to be removed from ~/.bashrc. Output:\n${result.output}`
);
});
it("safe-chain protects a non-root user when installed to a shared dir with SAFE_CHAIN_DIR", async () => {
// Step 1: create a non-root user inside the container
container.dockerExec("useradd -m safeuser");

39
test/e2e/uv.e2e.spec.js
View file

@ -569,4 +569,43 @@ describe("E2E: uv coverage", () => {
`Output did not include expected text. Output was:\n${result.output}`
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
await setupShell.runCommand("uv cache clean");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious uv packages when scripts are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
await shell.runCommand("uv init test-project-custom-dir");
const result = await shell.runCommand(
"cd test-project-custom-dir && uv add safe-chain-pi-test"
);
assert.ok(
result.output.includes("blocked 1 malicious package downloads:"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

41
test/e2e/yarn-ci.e2e.spec.js
View file

@ -84,4 +84,45 @@ describe("E2E: yarn coverage", () => {
`Output did not include expected text. Output was:\n${result.output}`
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup-ci");
await setupShell.runCommand(
`echo 'export SAFE_CHAIN_DIR=${CUSTOM_DIR}' >> ~/.zshrc`
);
await setupShell.runCommand(
`echo 'export PATH="${CUSTOM_DIR}/shims:$PATH"' >> ~/.zshrc`
);
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious yarn packages when shims are in a custom directory", async () => {
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand("yarn add safe-chain-test");
assert.ok(
result.output.includes("Malicious changes detected:"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});

39
test/e2e/yarn.e2e.spec.js
View file

@ -125,4 +125,43 @@ describe("E2E: yarn coverage", () => {
`Output did not include expected text. Output was:\n${result.output}`
);
});
describe("with SAFE_CHAIN_DIR (custom install directory)", () => {
const CUSTOM_DIR = "/usr/local/.safe-chain";
let customContainer;
beforeEach(async () => {
customContainer = new DockerTestContainer();
await customContainer.start();
// Run setup with the custom dir — init-posix.sh is copied to the custom
// scripts dir, and ~/.zshrc gets a source line pointing there
const setupShell = await customContainer.openShell("zsh");
await setupShell.runCommand(`export SAFE_CHAIN_DIR=${CUSTOM_DIR}`);
await setupShell.runCommand("safe-chain setup");
});
afterEach(async () => {
if (customContainer) {
await customContainer.stop();
customContainer = null;
}
});
it("blocks malicious yarn packages when scripts are in a custom directory", async () => {
// New shell sources ~/.zshrc → sources init-posix.sh from custom dir
// → defines yarn() shell function that routes through safe-chain
const shell = await customContainer.openShell("zsh");
const result = await shell.runCommand("yarn add safe-chain-test");
assert.ok(
result.output.includes("Malicious changes detected:"),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Expected malicious package to be blocked. Output:\n${result.output}`
);
});
});
});