milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into feature/pypi-ci

Browse source
This commit is contained in:
Reinier Criel 2025-11-05 10:35:59 -08:00
commit 35bd3dfb6f
20 changed files with 320 additions and 755 deletions
Download patch file Download diff file Expand all files Collapse all files

2
test/e2e/bun.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: bun coverage", () => {
const result = await shell.runCommand("bun i axios");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});

2
test/e2e/npm-ci.e2e.spec.js
View file

@ -36,7 +36,7 @@ describe("E2E: npm coverage using PATH", () => {
const result = await shell.runCommand("npm i axios");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});

2
test/e2e/npm.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: npm coverage", () => {
const result = await shell.runCommand("npm i axios");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});

122
test/e2e/pip.e2e.spec.js
View file

@ -28,10 +28,12 @@ describe("E2E: pip coverage", () => {
it(`successfully installs known safe packages with pip3`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 install requests");
const result = await shell.runCommand(
"pip3 install --break-system-packages requests"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
@ -41,7 +43,7 @@ describe("E2E: pip coverage", () => {
const result = await shell.runCommand("pip3 download requests");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
@ -51,57 +53,63 @@ describe("E2E: pip coverage", () => {
const result = await shell.runCommand("pip3 wheel requests");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it(`pip3 install --dry-run is respected by scanner`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 install --dry-run requests");
const result = await shell.runCommand(
"pip3 install --dry-run --break-system-packages requests"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it(`pip3 install with extras such as requests[socks]`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('pip3 install "requests[socks]==2.32.3"');
const result = await shell.runCommand(
'pip3 install --break-system-packages "requests[socks]==2.32.3"'
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it(`pip3 install with range version specifier`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('pip3 install "Jinja2>=3.1,<3.2"');
const result = await shell.runCommand(
'pip3 install --break-system-packages "Jinja2>=3.1,<3.2"'
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it(`python3 -m pip install routes through safe-chain`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip install requests');
const result = await shell.runCommand("python3 -m pip install --break-system-packages requests");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it(`python3 -m pip download routes through safe-chain`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip download requests');
const result = await shell.runCommand("python3 -m pip download requests");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
@ -111,7 +119,9 @@ describe("E2E: pip coverage", () => {
// Clear pip cache to ensure network download through proxy
await shell.runCommand("pip3 cache purge");
const result = await shell.runCommand("pip3 install --break-system-packages safe-chain-pi-test");
const result = await shell.runCommand(
"pip3 install --break-system-packages safe-chain-pi-test"
);
assert.ok(
result.output.includes("blocked 1 malicious package downloads:"),
@ -135,60 +145,72 @@ describe("E2E: pip coverage", () => {
it(`python -m pip routes to aikido-pip (uses pip command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('python -m pip install --break-system-packages requests');
const result = await shell.runCommand(
"python -m pip install --break-system-packages requests"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Verify it completed successfully (would fail if routing was incorrect)
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}`
);
});
it(`python -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('python -m pip3 install --break-system-packages requests');
const result = await shell.runCommand(
"python -m pip3 install --break-system-packages requests"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Verify it completed successfully (would fail if routing was incorrect)
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}`
);
});
it(`python3 -m pip routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip install --break-system-packages requests');
const result = await shell.runCommand(
"python3 -m pip install --break-system-packages requests"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Verify it completed successfully (would fail if routing was incorrect)
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}`
);
});
it(`python3 -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip3 install --break-system-packages requests');
const result = await shell.runCommand(
"python3 -m pip3 install --break-system-packages requests"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Verify it completed successfully (would fail if routing was incorrect)
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}`
);
});
@ -197,17 +219,20 @@ describe("E2E: pip coverage", () => {
const shell = await container.openShell("zsh");
// Install a simple package from GitHub - this should use TCP tunnel, not MITM
// Using a popular, small package for testing
const result = await shell.runCommand('pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3');
const result = await shell.runCommand(
"pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Verify installation succeeded (would fail if certificate validation via env CA bundle broke)
// Verify installation succeeded (would fail if certificate validation via env CA bundle broke)
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
`Installation from GitHub failed - CA bundle may not be working. Output was:\n${result.output}`
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation from GitHub failed - CA bundle may not be working. Output was:\n${result.output}`
);
// Verify package was actually installed
@ -223,10 +248,12 @@ describe("E2E: pip coverage", () => {
// Clear cache to force network download through proxy
await shell.runCommand("pip3 cache purge");
const result = await shell.runCommand('pip3 install --break-system-packages certifi');
const result = await shell.runCommand(
"pip3 install --break-system-packages certifi"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
@ -238,7 +265,9 @@ describe("E2E: pip coverage", () => {
// Should NOT contain SSL or certificate errors
assert.ok(
!result.output.match(/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i),
!result.output.match(
/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i
),
`Should not have SSL/certificate errors. Output was:\n${result.output}`
);
});
@ -247,17 +276,20 @@ describe("E2E: pip coverage", () => {
const shell = await container.openShell("zsh");
// Test installing from a direct HTTPS URL (not a registry)
// This validates that non-registry HTTPS traffic works with our env-provided CA bundle
const result = await shell.runCommand('pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl');
const result = await shell.runCommand(
"pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Since this is from pythonhosted.org, it should be MITM'd by safe-chain
// But the certificate validation should still work
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation from direct HTTPS URL failed. Output was:\n${result.output}`
);
});
@ -267,24 +299,28 @@ describe("E2E: pip coverage", () => {
// Use Test PyPI which is NOT in knownPipRegistries
// This tests tunneled HTTPS with our env-provided CA bundle (Safe Chain CA + Mozilla + Node roots)
// If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED
const result = await shell.runCommand('pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi');
const result = await shell.runCommand(
"pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Should succeed if CA bundle properly handles tunneled hosts
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation from Test PyPI failed. This may indicate the CA bundle lacks public roots. Output was:\n${result.output}`
);
// Should NOT contain certificate verification errors
assert.ok(
!result.output.match(/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i),
!result.output.match(
/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i
),
`Should not have SSL/certificate errors for tunneled hosts. Output was:\n${result.output}`
);
});
});

2
test/e2e/pnpm-ci.e2e.spec.js
View file

@ -36,7 +36,7 @@ describe("E2E: pnpm coverage", () => {
const result = await shell.runCommand("pnpm add axios");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});

2
test/e2e/pnpm.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: pnpm coverage", () => {
const result = await shell.runCommand("pnpm add axios");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});

2
test/e2e/yarn-ci.e2e.spec.js
View file

@ -36,7 +36,7 @@ describe("E2E: yarn coverage", () => {
const result = await shell.runCommand("yarn add axios");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});

2
test/e2e/yarn.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: yarn coverage", () => {
const result = await shell.runCommand("yarn add axios");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});