milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #93 from AikidoSec/bun-wrapper

Browse source 
Wrap bun with safe-chain to block downloads of packages with malware
This commit is contained in:
Sander Declerck 2025-10-08 16:27:56 +02:00 committed by GitHub
commit 329405e8f2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 181 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

10
packages/safe-chain/bin/aikido-bun.js Executable file
View file

@ -0,0 +1,10 @@
#!/usr/bin/env node
import { main } from "../src/main.js";
import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
const packageManagerName = "bun";
initializePackageManager(packageManagerName);
var exitCode = await main(process.argv.slice(2));
process.exit(exitCode);

10
packages/safe-chain/bin/aikido-bunx.js Executable file
View file

@ -0,0 +1,10 @@
#!/usr/bin/env node
import { main } from "../src/main.js";
import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
const packageManagerName = "bunx";
initializePackageManager(packageManagerName);
var exitCode = await main(process.argv.slice(2));
process.exit(exitCode);

2
packages/safe-chain/package.json
View file

@ -12,6 +12,8 @@
"aikido-yarn": "bin/aikido-yarn.js", "aikido-yarn": "bin/aikido-yarn.js",
"aikido-pnpm": "bin/aikido-pnpm.js", "aikido-pnpm": "bin/aikido-pnpm.js",
"aikido-pnpx": "bin/aikido-pnpx.js", "aikido-pnpx": "bin/aikido-pnpx.js",
"aikido-bun": "bin/aikido-bun.js",
"aikido-bunx": "bin/aikido-bunx.js",
"safe-chain": "bin/safe-chain.js" "safe-chain": "bin/safe-chain.js"
}, },
"type": "module", "type": "module",

42
packages/safe-chain/src/packagemanager/bun/createBunPackageManager.js Normal file
View file

@ -0,0 +1,42 @@
import { ui } from "../../environment/userInteraction.js";
import { safeSpawn } from "../../utils/safeSpawn.js";
import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
export function createBunPackageManager() {
return {
runCommand: (args) => runBunCommand("bun", args),
// For bun, we use the proxy-only approach to block package downloads,
// so we don't need to analyze commands.
isSupportedCommand: () => false,
getDependencyUpdatesForCommand: () => [],
};
}
export function createBunxPackageManager() {
return {
runCommand: (args) => runBunCommand("bunx", args),
// For bunx, we use the proxy-only approach to block package downloads,
// so we don't need to analyze commands.
isSupportedCommand: () => false,
getDependencyUpdatesForCommand: () => [],
};
}
async function runBunCommand(command, args) {
try {
const result = await safeSpawn(command, args, {
stdio: "inherit",
env: mergeSafeChainProxyEnvironmentVariables(process.env),
});
return { status: result.status };
} catch (error) {
if (error.status) {
return { status: error.status };
} else {
ui.writeError("Error executing command:", error.message);
return { status: 1 };
}
}
}

8
packages/safe-chain/src/packagemanager/currentPackageManager.js
View file

@ -1,3 +1,7 @@
import {
createBunPackageManager,
createBunxPackageManager,
} from "./bun/createBunPackageManager.js";
import { createNpmPackageManager } from "./npm/createPackageManager.js"; import { createNpmPackageManager } from "./npm/createPackageManager.js";
import { createNpxPackageManager } from "./npx/createPackageManager.js"; import { createNpxPackageManager } from "./npx/createPackageManager.js";
import { import {
@ -21,6 +25,10 @@ export function initializePackageManager(packageManagerName, version) {
state.packageManagerName = createPnpmPackageManager(); state.packageManagerName = createPnpmPackageManager();
} else if (packageManagerName === "pnpx") { } else if (packageManagerName === "pnpx") {
state.packageManagerName = createPnpxPackageManager(); state.packageManagerName = createPnpxPackageManager();
} else if (packageManagerName === "bun") {
state.packageManagerName = createBunPackageManager();
} else if (packageManagerName === "bunx") {
state.packageManagerName = createBunxPackageManager();
} else { } else {
throw new Error("Unsupported package manager: " + packageManagerName); throw new Error("Unsupported package manager: " + packageManagerName);
} }

5
packages/safe-chain/src/shell-integration/helpers.js
View file

@ -9,8 +9,9 @@ export const knownAikidoTools = [
{ tool: "yarn", aikidoCommand: "aikido-yarn" }, { tool: "yarn", aikidoCommand: "aikido-yarn" },
{ tool: "pnpm", aikidoCommand: "aikido-pnpm" }, { tool: "pnpm", aikidoCommand: "aikido-pnpm" },
{ tool: "pnpx", aikidoCommand: "aikido-pnpx" }, { tool: "pnpx", aikidoCommand: "aikido-pnpx" },
// When adding a new tool here, also update the expected alias in the tests (setup.spec.js, teardown.spec.js) { tool: "bun", aikidoCommand: "aikido-bun" },
// and add the documentation for the new tool in the README.md { tool: "bunx", aikidoCommand: "aikido-bunx" },
// When adding a new tool here, also update the documentation for the new tool in the README.md
]; ];
/** /**

8
packages/safe-chain/src/shell-integration/startup-scripts/init-fish.fish
View file

@ -46,6 +46,14 @@ function pnpx
wrapSafeChainCommand "pnpx" "aikido-pnpx" $argv wrapSafeChainCommand "pnpx" "aikido-pnpx" $argv
end end
function bun
wrapSafeChainCommand "bun" "aikido-bun" $argv
end
function bunx
wrapSafeChainCommand "bunx" "aikido-bunx" $argv
end
function npm function npm
# If args is just -v or --version and nothing else, just run the `npm -v` command # If args is just -v or --version and nothing else, just run the `npm -v` command
# This is because nvm uses this to check the version of npm # This is because nvm uses this to check the version of npm

8
packages/safe-chain/src/shell-integration/startup-scripts/init-posix.sh
View file

@ -42,6 +42,14 @@ function pnpx() {
wrapSafeChainCommand "pnpx" "aikido-pnpx" "$@" wrapSafeChainCommand "pnpx" "aikido-pnpx" "$@"
} }
function bun() {
wrapSafeChainCommand "bun" "aikido-bun" "$@"
}
function bunx() {
wrapSafeChainCommand "bunx" "aikido-bunx" "$@"
}
function npm() { function npm() {
if [[ "$1" == "-v" || "$1" == "--version" ]] && [[ $# -eq 1 ]]; then if [[ "$1" == "-v" || "$1" == "--version" ]] && [[ $# -eq 1 ]]; then
# If args is just -v or --version and nothing else, just run the npm version command # If args is just -v or --version and nothing else, just run the npm version command

8
packages/safe-chain/src/shell-integration/startup-scripts/init-pwsh.ps1
View file

@ -68,6 +68,14 @@ function pnpx {
Invoke-WrappedCommand "pnpx" "aikido-pnpx" $args Invoke-WrappedCommand "pnpx" "aikido-pnpx" $args
} }
function bun {
Invoke-WrappedCommand "bun" "aikido-bun" $args
}
function bunx {
Invoke-WrappedCommand "bunx" "aikido-bunx" $args
}
function npm { function npm {
# If args is just -v or --version and nothing else, just run the npm version command # If args is just -v or --version and nothing else, just run the npm version command
# This is because nvm uses this to check the version of npm # This is because nvm uses this to check the version of npm

3
test/e2e/Dockerfile
View file

@ -46,6 +46,9 @@ RUN volta install npm@${NPM_VERSION}
RUN volta install yarn@${YARN_VERSION} RUN volta install yarn@${YARN_VERSION}
RUN volta install pnpm@${PNPM_VERSION} RUN volta install pnpm@${PNPM_VERSION}
# Install Bun
RUN curl -fsSL https://bun.sh/install | bash
# Copy and install Safe chain # Copy and install Safe chain
COPY --from=builder /app/*.tgz /pkgs/ COPY --from=builder /app/*.tgz /pkgs/
RUN npm install -g /pkgs/*.tgz RUN npm install -g /pkgs/*.tgz

79
test/e2e/bun.e2e.spec.js Normal file
View file

@ -0,0 +1,79 @@
import { describe, it, before, beforeEach, afterEach } from "node:test";
import { DockerTestContainer } from "./DockerTestContainer.js";
import assert from "node:assert";
describe("E2E: bun coverage", () => {
let container;
before(async () => {
DockerTestContainer.buildImage();
});
beforeEach(async () => {
// Run a new Docker container for each test
container = new DockerTestContainer();
await container.start();
const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup");
});
afterEach(async () => {
// Stop and clean up the container after each test
if (container) {
await container.stop();
container = null;
}
});
it(`safe-chain succesfully installs safe packages`, async () => {
const shell = await container.openShell("bash");
const result = await shell.runCommand("bun i axios");
assert.ok(
result.output.includes("no malicious packages found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it(`safe-chain blocks download of malicious packages already in package.json`, async () => {
const shell = await container.openShell("bash");
await shell.runCommand(
'echo \'{"name":"test-project","version":"1.0.0","dependencies":{"safe-chain-test":"0.0.1-security"}}\' > package.json'
);
var result = await shell.runCommand("bun install");
assert.ok(
result.output.includes("blocked 1 malicious package downloads"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("- safe-chain-test"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it("safe-chain blocks bunx from downloading malicious packages", async () => {
const shell = await container.openShell("bash");
const result = await shell.runCommand("bunx safe-chain-test");
assert.ok(
result.output.includes("blocked 1 malicious package downloads"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("- safe-chain-test"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
});