milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Rename verifiedPackages to totalPackages, fix e2e tests

Browse source
This commit is contained in:
Sander Declerck 2025-11-05 12:19:47 +01:00
parent e4c40330f7
commit 378b0ac7c9
No known key found for this signature in database
11 changed files with 89 additions and 59 deletions
Download patch file Download diff file Expand all files Collapse all files

4
packages/safe-chain/src/main.js
View file

@ -63,11 +63,11 @@ export async function main(args) {
} }
const auditStats = getAuditStats(); const auditStats = getAuditStats();
if (auditStats.verifiedPackages > 0) { if (auditStats.totalPackages > 0) {
ui.emptyLine(); ui.emptyLine();
ui.writeInformation( ui.writeInformation(
`${chalk.green("✔")} Safe-chain: Scanned ${ `${chalk.green("✔")} Safe-chain: Scanned ${
auditStats.verifiedPackages auditStats.totalPackages
} packages, no malware found.` } packages, no malware found.`
); );
} }

6
packages/safe-chain/src/scanning/audit/index.js
View file

@ -20,7 +20,7 @@ import {
/** /**
* @typedef {Object} AuditStats * @typedef {Object} AuditStats
* @property {number} verifiedPackages * @property {number} totalPackages
* @property {number} safePackages * @property {number} safePackages
* @property {number} malwarePackages * @property {number} malwarePackages
*/ */
@ -29,7 +29,7 @@ import {
* @type AuditStats * @type AuditStats
*/ */
const auditStats = { const auditStats = {
verifiedPackages: 0, totalPackages: 0,
safePackages: 0, safePackages: 0,
malwarePackages: 0, malwarePackages: 0,
}; };
@ -77,7 +77,7 @@ export async function auditChanges(changes) {
allowedChanges.push(change); allowedChanges.push(change);
} }
auditStats.verifiedPackages += 1; auditStats.totalPackages += 1;
} }
const auditResults = { const auditResults = {

14
packages/safe-chain/src/scanning/audit/index.spec.js
View file

@ -35,10 +35,10 @@ describe("audit/index", async () => {
it("should return audit stats object with correct structure", () => { it("should return audit stats object with correct structure", () => {
const stats = getAuditStats(); const stats = getAuditStats();
assert.ok(stats.hasOwnProperty("verifiedPackages")); assert.ok(stats.hasOwnProperty("totalPackages"));
assert.ok(stats.hasOwnProperty("safePackages")); assert.ok(stats.hasOwnProperty("safePackages"));
assert.ok(stats.hasOwnProperty("malwarePackages")); assert.ok(stats.hasOwnProperty("malwarePackages"));
assert.equal(typeof stats.verifiedPackages, "number"); assert.equal(typeof stats.totalPackages, "number");
assert.equal(typeof stats.safePackages, "number"); assert.equal(typeof stats.safePackages, "number");
assert.equal(typeof stats.malwarePackages, "number"); assert.equal(typeof stats.malwarePackages, "number");
}); });
@ -120,11 +120,11 @@ describe("audit/index", async () => {
assert.equal(mockIsMalware.mock.calls.length, 2); assert.equal(mockIsMalware.mock.calls.length, 2);
}); });
it("should increment verifiedPackages counter for each package", async () => { it("should increment totalPackages counter for each package", async () => {
mockIsMalware.mock.mockImplementation(() => false); mockIsMalware.mock.mockImplementation(() => false);
const statsBefore = getAuditStats(); const statsBefore = getAuditStats();
const initialCount = statsBefore.verifiedPackages; const initialCount = statsBefore.totalPackages;
const changes = [ const changes = [
{ name: "pkg1", version: "1.0.0", type: "add" }, { name: "pkg1", version: "1.0.0", type: "add" },
@ -134,7 +134,7 @@ describe("audit/index", async () => {
await auditChanges(changes); await auditChanges(changes);
const statsAfter = getAuditStats(); const statsAfter = getAuditStats();
assert.equal(statsAfter.verifiedPackages, initialCount + 3); assert.equal(statsAfter.totalPackages, initialCount + 3);
}); });
it("should increment safePackages counter for safe packages", async () => { it("should increment safePackages counter for safe packages", async () => {
@ -173,7 +173,7 @@ describe("audit/index", async () => {
mockIsMalware.mock.mockImplementation(() => false); mockIsMalware.mock.mockImplementation(() => false);
const statsBefore = getAuditStats(); const statsBefore = getAuditStats();
const initialVerified = statsBefore.verifiedPackages; const initialCount = statsBefore.totalPackages;
// First call // First call
await auditChanges([{ name: "pkg1", version: "1.0.0", type: "add" }]); await auditChanges([{ name: "pkg1", version: "1.0.0", type: "add" }]);
@ -182,7 +182,7 @@ describe("audit/index", async () => {
await auditChanges([{ name: "pkg2", version: "2.0.0", type: "add" }]); await auditChanges([{ name: "pkg2", version: "2.0.0", type: "add" }]);
const statsAfter = getAuditStats(); const statsAfter = getAuditStats();
assert.equal(statsAfter.verifiedPackages, initialVerified + 2); assert.equal(statsAfter.totalPackages, initialCount + 2);
}); });
}); });
}); });

2
test/e2e/bun.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: bun coverage", () => {
const result = await shell.runCommand("bun i axios"); const result = await shell.runCommand("bun i axios");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });

2
test/e2e/npm-ci.e2e.spec.js
View file

@ -36,7 +36,7 @@ describe("E2E: npm coverage using PATH", () => {
const result = await shell.runCommand("npm i axios"); const result = await shell.runCommand("npm i axios");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });

2
test/e2e/npm.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: npm coverage", () => {
const result = await shell.runCommand("npm i axios"); const result = await shell.runCommand("npm i axios");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });

110
test/e2e/pip.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: pip coverage", () => {
const result = await shell.runCommand("pip3 install requests"); const result = await shell.runCommand("pip3 install requests");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
@ -41,7 +41,7 @@ describe("E2E: pip coverage", () => {
const result = await shell.runCommand("pip3 download requests"); const result = await shell.runCommand("pip3 download requests");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
@ -51,7 +51,7 @@ describe("E2E: pip coverage", () => {
const result = await shell.runCommand("pip3 wheel requests"); const result = await shell.runCommand("pip3 wheel requests");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
@ -61,17 +61,19 @@ describe("E2E: pip coverage", () => {
const result = await shell.runCommand("pip3 install --dry-run requests"); const result = await shell.runCommand("pip3 install --dry-run requests");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
it(`pip3 install with extras such as requests[socks]`, async () => { it(`pip3 install with extras such as requests[socks]`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('pip3 install "requests[socks]==2.32.3"'); const result = await shell.runCommand(
'pip3 install "requests[socks]==2.32.3"'
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
@ -81,27 +83,27 @@ describe("E2E: pip coverage", () => {
const result = await shell.runCommand('pip3 install "Jinja2>=3.1,<3.2"'); const result = await shell.runCommand('pip3 install "Jinja2>=3.1,<3.2"');
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
it(`python3 -m pip install routes through safe-chain`, async () => { it(`python3 -m pip install routes through safe-chain`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip install requests'); const result = await shell.runCommand("python3 -m pip install requests");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
it(`python3 -m pip download routes through safe-chain`, async () => { it(`python3 -m pip download routes through safe-chain`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip download requests'); const result = await shell.runCommand("python3 -m pip download requests");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
@ -111,7 +113,9 @@ describe("E2E: pip coverage", () => {
// Clear pip cache to ensure network download through proxy // Clear pip cache to ensure network download through proxy
await shell.runCommand("pip3 cache purge"); await shell.runCommand("pip3 cache purge");
const result = await shell.runCommand("pip3 install --break-system-packages safe-chain-pi-test"); const result = await shell.runCommand(
"pip3 install --break-system-packages safe-chain-pi-test"
);
assert.ok( assert.ok(
result.output.includes("blocked 1 malicious package downloads:"), result.output.includes("blocked 1 malicious package downloads:"),
@ -135,60 +139,72 @@ describe("E2E: pip coverage", () => {
it(`python -m pip routes to aikido-pip (uses pip command)`, async () => { it(`python -m pip routes to aikido-pip (uses pip command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('python -m pip install --break-system-packages requests'); const result = await shell.runCommand(
"python -m pip install --break-system-packages requests"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
// Verify it completed successfully (would fail if routing was incorrect) // Verify it completed successfully (would fail if routing was incorrect)
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}` `Installation did not succeed. Output was:\n${result.output}`
); );
}); });
it(`python -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => { it(`python -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('python -m pip3 install --break-system-packages requests'); const result = await shell.runCommand(
"python -m pip3 install --break-system-packages requests"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
// Verify it completed successfully (would fail if routing was incorrect) // Verify it completed successfully (would fail if routing was incorrect)
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}` `Installation did not succeed. Output was:\n${result.output}`
); );
}); });
it(`python3 -m pip routes to aikido-pip3 (uses pip3 command)`, async () => { it(`python3 -m pip routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip install --break-system-packages requests'); const result = await shell.runCommand(
"python3 -m pip install --break-system-packages requests"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
// Verify it completed successfully (would fail if routing was incorrect) // Verify it completed successfully (would fail if routing was incorrect)
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}` `Installation did not succeed. Output was:\n${result.output}`
); );
}); });
it(`python3 -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => { it(`python3 -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip3 install --break-system-packages requests'); const result = await shell.runCommand(
"python3 -m pip3 install --break-system-packages requests"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
// Verify it completed successfully (would fail if routing was incorrect) // Verify it completed successfully (would fail if routing was incorrect)
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}` `Installation did not succeed. Output was:\n${result.output}`
); );
}); });
@ -197,17 +213,20 @@ describe("E2E: pip coverage", () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Install a simple package from GitHub - this should use TCP tunnel, not MITM // Install a simple package from GitHub - this should use TCP tunnel, not MITM
// Using a popular, small package for testing // Using a popular, small package for testing
const result = await shell.runCommand('pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3'); const result = await shell.runCommand(
"pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
// Verify installation succeeded (would fail if certificate validation via env CA bundle broke) // Verify installation succeeded (would fail if certificate validation via env CA bundle broke)
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), result.output.includes("Successfully installed") ||
`Installation from GitHub failed - CA bundle may not be working. Output was:\n${result.output}` result.output.includes("Requirement already satisfied"),
`Installation from GitHub failed - CA bundle may not be working. Output was:\n${result.output}`
); );
// Verify package was actually installed // Verify package was actually installed
@ -223,10 +242,12 @@ describe("E2E: pip coverage", () => {
// Clear cache to force network download through proxy // Clear cache to force network download through proxy
await shell.runCommand("pip3 cache purge"); await shell.runCommand("pip3 cache purge");
const result = await shell.runCommand('pip3 install --break-system-packages certifi'); const result = await shell.runCommand(
"pip3 install --break-system-packages certifi"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
@ -238,7 +259,9 @@ describe("E2E: pip coverage", () => {
// Should NOT contain SSL or certificate errors // Should NOT contain SSL or certificate errors
assert.ok( assert.ok(
!result.output.match(/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i), !result.output.match(
/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i
),
`Should not have SSL/certificate errors. Output was:\n${result.output}` `Should not have SSL/certificate errors. Output was:\n${result.output}`
); );
}); });
@ -247,17 +270,20 @@ describe("E2E: pip coverage", () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Test installing from a direct HTTPS URL (not a registry) // Test installing from a direct HTTPS URL (not a registry)
// This validates that non-registry HTTPS traffic works with our env-provided CA bundle // This validates that non-registry HTTPS traffic works with our env-provided CA bundle
const result = await shell.runCommand('pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl'); const result = await shell.runCommand(
"pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
// Since this is from pythonhosted.org, it should be MITM'd by safe-chain // Since this is from pythonhosted.org, it should be MITM'd by safe-chain
// But the certificate validation should still work // But the certificate validation should still work
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation from direct HTTPS URL failed. Output was:\n${result.output}` `Installation from direct HTTPS URL failed. Output was:\n${result.output}`
); );
}); });
@ -267,24 +293,28 @@ describe("E2E: pip coverage", () => {
// Use Test PyPI which is NOT in knownPipRegistries // Use Test PyPI which is NOT in knownPipRegistries
// This tests tunneled HTTPS with our env-provided CA bundle (Safe Chain CA + Mozilla + Node roots) // This tests tunneled HTTPS with our env-provided CA bundle (Safe Chain CA + Mozilla + Node roots)
// If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED // If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED
const result = await shell.runCommand('pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi'); const result = await shell.runCommand(
"pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
// Should succeed if CA bundle properly handles tunneled hosts // Should succeed if CA bundle properly handles tunneled hosts
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation from Test PyPI failed. This may indicate the CA bundle lacks public roots. Output was:\n${result.output}` `Installation from Test PyPI failed. This may indicate the CA bundle lacks public roots. Output was:\n${result.output}`
); );
// Should NOT contain certificate verification errors // Should NOT contain certificate verification errors
assert.ok( assert.ok(
!result.output.match(/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i), !result.output.match(
/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i
),
`Should not have SSL/certificate errors for tunneled hosts. Output was:\n${result.output}` `Should not have SSL/certificate errors for tunneled hosts. Output was:\n${result.output}`
); );
}); });
}); });

2
test/e2e/pnpm-ci.e2e.spec.js
View file

@ -36,7 +36,7 @@ describe("E2E: pnpm coverage", () => {
const result = await shell.runCommand("pnpm add axios"); const result = await shell.runCommand("pnpm add axios");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });

2
test/e2e/pnpm.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: pnpm coverage", () => {
const result = await shell.runCommand("pnpm add axios"); const result = await shell.runCommand("pnpm add axios");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });

2
test/e2e/yarn-ci.e2e.spec.js
View file

@ -36,7 +36,7 @@ describe("E2E: yarn coverage", () => {
const result = await shell.runCommand("yarn add axios"); const result = await shell.runCommand("yarn add axios");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });

2
test/e2e/yarn.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: yarn coverage", () => {
const result = await shell.runCommand("yarn add axios"); const result = await shell.runCommand("yarn add axios");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });