Another iteration

This commit is contained in:
Reinier Criel 2025-11-06 10:26:26 -08:00
parent f400c5576a
commit 28d24bb6ea
12 changed files with 134 additions and 107 deletions


@ -53,6 +53,7 @@ RUN curl -fsSL https://bun.sh/install | bash
# Install Python and pip (pip3)
RUN apt-get update && apt-get install -y python${PYTHON_VERSION} python3-pip && \
ln -sf /usr/bin/python${PYTHON_VERSION} /usr/local/bin/python3 && \
ln -sf /usr/bin/python${PYTHON_VERSION} /usr/local/bin/python && \
ln -sf /usr/bin/pip3 /usr/local/bin/pip3
# Copy and install Safe chain
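Review bot: The `apt-get update && apt-get install -y python${PYTHON_VERSION} python3-pip` layer leaves the apt package lists in the image and pulls in recommended packages; ending the same RUN with `&& rm -rf /var/lib/apt/lists/*` and adding `--no-install-recommends` to the install keeps the layer smaller and avoids stale index data being reused by later layers. Which of the six lines is the one this hunk adds is not recoverable from the rendering; the `python` symlink on the third `ln -sf` line looks like the addition, given the new `python test.py` tests elsewhere in this commit, but that is inferred rather than visible.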


@ -35,6 +35,22 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
assert.ok(result.output.includes("hello"), `Output was: ${result.output}`);
assert.ok(!result.output.includes("Safe-chain"), "Safe Chain should not intercept generic python3 -c command");
});
it("does not intercept python3 test.py", async () => {
const shell = await container.openShell("zsh");
await shell.runCommand("echo 'print(\"Hello from test.py!\")' > test.py");
const result = await shell.runCommand("python3 test.py");
assert.ok(result.output.includes("Hello from test.py!"), `Output was: ${result.output}`);
assert.ok(!result.output.includes("Safe-chain"), "Safe Chain should not intercept generic python3 script execution");
});
it("does not intercept python test.py", async () => {
const shell = await container.openShell("zsh");
await shell.runCommand("echo 'print(\"Hello from test.py!\")' > test.py");
const result = await shell.runCommand("python test.py");
assert.ok(result.output.includes("Hello from test.py!"), `Output was: ${result.output}`);
assert.ok(!result.output.includes("Safe-chain"), "Safe Chain should not intercept generic python script execution");
});
});
for (let shell of ["bash", "zsh"]) {
@ -89,27 +105,6 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
);
});
it(`setup-ci routes python -m pip3 through safe-chain for ${shell}`, async () => {
const installationShell = await container.openShell(shell);
await installationShell.runCommand("safe-chain setup-ci");
await installationShell.runCommand(
"echo 'export PATH=\"$HOME/.safe-chain/shims:$PATH\"' >> ~/.zshrc"
);
await installationShell.runCommand(
"echo 'export PATH=\"$HOME/.safe-chain/shims:$PATH\"' >> ~/.bashrc"
);
const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand(
"python -m pip3 install --break-system-packages certifi"
);
assert.ok(
result.output.includes("no malware found."),
`Output did not contain scan message. Output was:\n${result.output}`
);
});
it(`setup-ci routes python3 -m pip through safe-chain for ${shell}`, async () => {
const installationShell = await container.openShell(shell);
await installationShell.runCommand("safe-chain setup-ci");
@ -131,7 +126,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
);
});
it(`setup-ci routes python3 -m pip3 through safe-chain for ${shell}`, async () => {
it(`setup-ci routes pip through safe-chain for ${shell}`, async () => {
const installationShell = await container.openShell(shell);
await installationShell.runCommand("safe-chain setup-ci");
await installationShell.runCommand(
@ -143,7 +138,28 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand(
"python3 -m pip3 install --break-system-packages certifi"
"pip install --break-system-packages certifi"
);
assert.ok(
result.output.includes("no malware found."),
`Output did not contain scan message. Output was:\n${result.output}`
);
});
it(`setup-ci routes pip3 through safe-chain for ${shell}`, async () => {
const installationShell = await container.openShell(shell);
await installationShell.runCommand("safe-chain setup-ci");
await installationShell.runCommand(
"echo 'export PATH=\"$HOME/.safe-chain/shims:$PATH\"' >> ~/.zshrc"
);
await installationShell.runCommand(
"echo 'export PATH=\"$HOME/.safe-chain/shims:$PATH\"' >> ~/.bashrc"
);
const projectShell = await container.openShell(shell);
const result = await projectShell.runCommand(
"pip3 install --break-system-packages certifi"
);
assert.ok(
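Review bot: The new `pip3` test starting at `it(\`setup-ci routes pip3 through safe-chain for ${shell}\`` duplicates the `pip` test above it line for line except for the command string, and both repeat the `safe-chain setup-ci` plus rc-file PATH export sequence already written out in the `python3 -m pip` test; since the file already iterates over shells with `for (let shell of ["bash", "zsh"])`, the same pattern over commands keeps one body instead of three. The sketch below shows the shape; note the `pip3` test's body continues past the end of the hunk, so its trailing assertion and closing braces are not visible here. Separately, the negative checks added in the first hunk (`!result.output.includes("Safe-chain")` for `python3 test.py` and `python test.py`) pass vacuously if the interception banner's wording or casing ever changes; asserting on a stable marker, or on the command's exit status if `runCommand` exposes one, would make the "does not intercept" guarantee less brittle.
```javascript
for (const command of ["python3 -m pip", "pip", "pip3"]) {
  it(`setup-ci routes ${command} through safe-chain for ${shell}`, async () => {
    const installationShell = await container.openShell(shell);
    await installationShell.runCommand("safe-chain setup-ci");
    // … unchanged: PATH export appended to ~/.zshrc and ~/.bashrc …
    const projectShell = await container.openShell(shell);
    const result = await projectShell.runCommand(
      `${command} install --break-system-packages certifi`
    );
    // … unchanged: "no malware found." assertion …
  });
}
```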


@ -161,24 +161,6 @@ describe("E2E: pip coverage", () => {
);
});
it(`python -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python -m pip3 install --break-system-packages requests"
);
assert.ok(
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Verify it completed successfully (would fail if routing was incorrect)
assert.ok(
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}`
);
});
it(`python3 -m pip routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
@ -197,24 +179,6 @@ describe("E2E: pip coverage", () => {
);
});
it(`python3 -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"python3 -m pip3 install --break-system-packages requests"
);
assert.ok(
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Verify it completed successfully (would fail if routing was incorrect)
assert.ok(
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}`
);
});
it(`pip3 can install from GitHub URL using the CA bundle`, async () => {
const shell = await container.openShell("zsh");
// Install a simple package from GitHub - this should use TCP tunnel, not MITM