milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 20:20:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge branch 'main' into feature/pypi-remove-args-parsing

Browse source
This commit is contained in:
Reinier Criel 2025-11-05 09:01:57 -08:00
commit 3cfe00e535
11 changed files with 311 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

10
packages/safe-chain/src/main.js
View file

@ -6,6 +6,7 @@ import { getPackageManager } from "./packagemanager/currentPackageManager.js";
import { initializeCliArguments } from "./config/cliArguments.js"; import { initializeCliArguments } from "./config/cliArguments.js";
import { createSafeChainProxy } from "./registryProxy/registryProxy.js"; import { createSafeChainProxy } from "./registryProxy/registryProxy.js";
import chalk from "chalk"; import chalk from "chalk";
import { getAuditStats } from "./scanning/audit/index.js";
/** /**
* @param {string[]} args * @param {string[]} args
@ -61,12 +62,15 @@ export async function main(args) {
return 1; return 1;
} }
const auditStats = getAuditStats();
if (auditStats.totalPackages > 0) {
ui.emptyLine(); ui.emptyLine();
ui.writeInformation( ui.writeInformation(
`${chalk.green( `${chalk.green("✔")} Safe-chain: Scanned ${
"✔" auditStats.totalPackages
)} Safe-chain: Command completed, no malicious packages found.` } packages, no malware found.`
); );
}
// Returning the exit code back to the caller allows the promise // Returning the exit code back to the caller allows the promise
// to be awaited in the bin files and return the correct exit code // to be awaited in the bin files and return the correct exit code

27
packages/safe-chain/src/scanning/audit/index.js
View file

@ -18,6 +18,29 @@ import {
* @property {boolean} isAllowed * @property {boolean} isAllowed
*/ */
/**
* @typedef {Object} AuditStats
* @property {number} totalPackages
* @property {number} safePackages
* @property {number} malwarePackages
*/
/**
* @type AuditStats
*/
const auditStats = {
totalPackages: 0,
safePackages: 0,
malwarePackages: 0,
};
/**
* @returns {AuditStats}
*/
export function getAuditStats() {
return auditStats;
}
/** /**
* @param {PackageChange[]} changes * @param {PackageChange[]} changes
* *
@ -41,16 +64,20 @@ export async function auditChanges(changes) {
); );
if (malwarePackage) { if (malwarePackage) {
auditStats.malwarePackages += 1;
ui.writeVerbose( ui.writeVerbose(
`Safe-chain: Package ${change.name}@${change.version} is marked as malware: ${malwarePackage.status}` `Safe-chain: Package ${change.name}@${change.version} is marked as malware: ${malwarePackage.status}`
); );
disallowedChanges.push({ ...change, reason: malwarePackage.status }); disallowedChanges.push({ ...change, reason: malwarePackage.status });
} else { } else {
auditStats.safePackages += 1;
ui.writeVerbose( ui.writeVerbose(
`Safe-chain: Package ${change.name}@${change.version} is clean` `Safe-chain: Package ${change.name}@${change.version} is clean`
); );
allowedChanges.push(change); allowedChanges.push(change);
} }
auditStats.totalPackages += 1;
} }
const auditResults = { const auditResults = {

188
packages/safe-chain/src/scanning/audit/index.spec.js Normal file
View file

@ -0,0 +1,188 @@
import assert from "node:assert/strict";
import { describe, it, mock, beforeEach } from "node:test";
describe("audit/index", async () => {
const mockWriteVerbose = mock.fn();
// Mock UI module
mock.module("../../environment/userInteraction.js", {
namedExports: {
ui: {
writeVerbose: mockWriteVerbose,
},
},
});
// Mock malware database
const mockIsMalware = mock.fn();
mock.module("../malwareDatabase.js", {
namedExports: {
MALWARE_STATUS_MALWARE: "malware",
openMalwareDatabase: async () => ({
isMalware: mockIsMalware,
}),
},
});
const { auditChanges, getAuditStats } = await import("./index.js");
beforeEach(() => {
mockWriteVerbose.mock.resetCalls();
mockIsMalware.mock.resetCalls();
});
describe("getAuditStats", () => {
it("should return audit stats object with correct structure", () => {
const stats = getAuditStats();
assert.ok(stats.hasOwnProperty("totalPackages"));
assert.ok(stats.hasOwnProperty("safePackages"));
assert.ok(stats.hasOwnProperty("malwarePackages"));
assert.equal(typeof stats.totalPackages, "number");
assert.equal(typeof stats.safePackages, "number");
assert.equal(typeof stats.malwarePackages, "number");
});
it("should return the same object reference on multiple calls", () => {
const stats1 = getAuditStats();
const stats2 = getAuditStats();
assert.equal(stats1, stats2);
});
});
describe("auditChanges", () => {
it("should return empty allowed and disallowed arrays when no changes provided", async () => {
const result = await auditChanges([]);
assert.deepEqual(result.allowedChanges, []);
assert.deepEqual(result.disallowedChanges, []);
assert.equal(result.isAllowed, true);
});
it("should mark package as allowed when not malware", async () => {
mockIsMalware.mock.mockImplementation(() => false);
const changes = [{ name: "lodash", version: "4.17.21", type: "add" }];
const result = await auditChanges(changes);
assert.equal(result.allowedChanges.length, 1);
assert.equal(result.disallowedChanges.length, 0);
assert.equal(result.isAllowed, true);
assert.deepEqual(result.allowedChanges[0], changes[0]);
});
it("should mark package as disallowed when malware detected", async () => {
mockIsMalware.mock.mockImplementation(() => true);
const changes = [
{ name: "malicious-pkg", version: "1.0.0", type: "add" },
];
const result = await auditChanges(changes);
assert.equal(result.allowedChanges.length, 0);
assert.equal(result.disallowedChanges.length, 1);
assert.equal(result.isAllowed, false);
assert.equal(result.disallowedChanges[0].name, "malicious-pkg");
assert.equal(result.disallowedChanges[0].version, "1.0.0");
assert.equal(result.disallowedChanges[0].reason, "malware");
});
it("should handle mixed safe and malware packages", async () => {
mockIsMalware.mock.mockImplementation((name) => {
return name === "malicious-pkg";
});
const changes = [
{ name: "lodash", version: "4.17.21", type: "add" },
{ name: "malicious-pkg", version: "1.0.0", type: "add" },
{ name: "express", version: "4.18.0", type: "add" },
];
const result = await auditChanges(changes);
assert.equal(result.allowedChanges.length, 2);
assert.equal(result.disallowedChanges.length, 1);
assert.equal(result.isAllowed, false);
assert.equal(result.disallowedChanges[0].name, "malicious-pkg");
});
it("should only check malware for add and change types", async () => {
mockIsMalware.mock.mockImplementation(() => false);
const changes = [
{ name: "pkg1", version: "1.0.0", type: "add" },
{ name: "pkg2", version: "2.0.0", type: "change" },
{ name: "pkg3", version: "3.0.0", type: "remove" },
];
await auditChanges(changes);
// Should only check pkg1 and pkg2, not pkg3 (remove type)
assert.equal(mockIsMalware.mock.calls.length, 2);
});
it("should increment totalPackages counter for each package", async () => {
mockIsMalware.mock.mockImplementation(() => false);
const statsBefore = getAuditStats();
const initialCount = statsBefore.totalPackages;
const changes = [
{ name: "pkg1", version: "1.0.0", type: "add" },
{ name: "pkg2", version: "2.0.0", type: "add" },
{ name: "pkg3", version: "3.0.0", type: "add" },
];
await auditChanges(changes);
const statsAfter = getAuditStats();
assert.equal(statsAfter.totalPackages, initialCount + 3);
});
it("should increment safePackages counter for safe packages", async () => {
mockIsMalware.mock.mockImplementation(() => false);
const statsBefore = getAuditStats();
const initialCount = statsBefore.safePackages;
const changes = [
{ name: "lodash", version: "4.17.21", type: "add" },
{ name: "express", version: "4.18.0", type: "add" },
];
await auditChanges(changes);
const statsAfter = getAuditStats();
assert.equal(statsAfter.safePackages, initialCount + 2);
});
it("should increment malwarePackages counter for malware packages", async () => {
mockIsMalware.mock.mockImplementation(() => true);
const statsBefore = getAuditStats();
const initialCount = statsBefore.malwarePackages;
const changes = [
{ name: "malicious-1", version: "1.0.0", type: "add" },
{ name: "malicious-2", version: "2.0.0", type: "add" },
];
await auditChanges(changes);
const statsAfter = getAuditStats();
assert.equal(statsAfter.malwarePackages, initialCount + 2);
});
it("should accumulate stats across multiple auditChanges calls", async () => {
mockIsMalware.mock.mockImplementation(() => false);
const statsBefore = getAuditStats();
const initialCount = statsBefore.totalPackages;
// First call
await auditChanges([{ name: "pkg1", version: "1.0.0", type: "add" }]);
// Second call
await auditChanges([{ name: "pkg2", version: "2.0.0", type: "add" }]);
const statsAfter = getAuditStats();
assert.equal(statsAfter.totalPackages, initialCount + 2);
});
});
});

2
test/e2e/bun.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: bun coverage", () => {
const result = await shell.runCommand("bun i axios"); const result = await shell.runCommand("bun i axios");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });

2
test/e2e/npm-ci.e2e.spec.js
View file

@ -36,7 +36,7 @@ describe("E2E: npm coverage using PATH", () => {
const result = await shell.runCommand("npm i axios"); const result = await shell.runCommand("npm i axios");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });

2
test/e2e/npm.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: npm coverage", () => {
const result = await shell.runCommand("npm i axios"); const result = await shell.runCommand("npm i axios");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });

118
test/e2e/pip.e2e.spec.js
View file

@ -28,10 +28,12 @@ describe("E2E: pip coverage", () => {
it(`successfully installs known safe packages with pip3`, async () => { it(`successfully installs known safe packages with pip3`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 install --break-system-packages requests"); const result = await shell.runCommand(
"pip3 install --break-system-packages requests"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
@ -41,7 +43,7 @@ describe("E2E: pip coverage", () => {
const result = await shell.runCommand("pip3 download requests"); const result = await shell.runCommand("pip3 download requests");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
@ -51,57 +53,63 @@ describe("E2E: pip coverage", () => {
const result = await shell.runCommand("pip3 wheel requests"); const result = await shell.runCommand("pip3 wheel requests");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
it(`pip3 install --dry-run is respected by scanner`, async () => { it(`pip3 install --dry-run is respected by scanner`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 install --dry-run --break-system-packages requests"); const result = await shell.runCommand(
"pip3 install --dry-run --break-system-packages requests"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
it(`pip3 install with extras such as requests[socks]`, async () => { it(`pip3 install with extras such as requests[socks]`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('pip3 install --break-system-packages "requests[socks]==2.32.3"'); const result = await shell.runCommand(
'pip3 install --break-system-packages "requests[socks]==2.32.3"'
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
it(`pip3 install with range version specifier`, async () => { it(`pip3 install with range version specifier`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('pip3 install --break-system-packages "Jinja2>=3.1,<3.2"'); const result = await shell.runCommand(
'pip3 install --break-system-packages "Jinja2>=3.1,<3.2"'
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
it(`python3 -m pip install routes through safe-chain`, async () => { it(`python3 -m pip install routes through safe-chain`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip install --break-system-packages requests'); const result = await shell.runCommand("python3 -m pip install requests");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
it(`python3 -m pip download routes through safe-chain`, async () => { it(`python3 -m pip download routes through safe-chain`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip download requests'); const result = await shell.runCommand("python3 -m pip download requests");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
@ -111,7 +119,9 @@ describe("E2E: pip coverage", () => {
// Clear pip cache to ensure network download through proxy // Clear pip cache to ensure network download through proxy
await shell.runCommand("pip3 cache purge"); await shell.runCommand("pip3 cache purge");
const result = await shell.runCommand("pip3 install --break-system-packages safe-chain-pi-test"); const result = await shell.runCommand(
"pip3 install --break-system-packages safe-chain-pi-test"
);
assert.ok( assert.ok(
result.output.includes("blocked 1 malicious package downloads:"), result.output.includes("blocked 1 malicious package downloads:"),
@ -135,60 +145,72 @@ describe("E2E: pip coverage", () => {
it(`python -m pip routes to aikido-pip (uses pip command)`, async () => { it(`python -m pip routes to aikido-pip (uses pip command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('python -m pip install --break-system-packages requests'); const result = await shell.runCommand(
"python -m pip install --break-system-packages requests"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
// Verify it completed successfully (would fail if routing was incorrect) // Verify it completed successfully (would fail if routing was incorrect)
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}` `Installation did not succeed. Output was:\n${result.output}`
); );
}); });
it(`python -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => { it(`python -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('python -m pip3 install --break-system-packages requests'); const result = await shell.runCommand(
"python -m pip3 install --break-system-packages requests"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
// Verify it completed successfully (would fail if routing was incorrect) // Verify it completed successfully (would fail if routing was incorrect)
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}` `Installation did not succeed. Output was:\n${result.output}`
); );
}); });
it(`python3 -m pip routes to aikido-pip3 (uses pip3 command)`, async () => { it(`python3 -m pip routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip install --break-system-packages requests'); const result = await shell.runCommand(
"python3 -m pip install --break-system-packages requests"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
// Verify it completed successfully (would fail if routing was incorrect) // Verify it completed successfully (would fail if routing was incorrect)
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}` `Installation did not succeed. Output was:\n${result.output}`
); );
}); });
it(`python3 -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => { it(`python3 -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip3 install --break-system-packages requests'); const result = await shell.runCommand(
"python3 -m pip3 install --break-system-packages requests"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
// Verify it completed successfully (would fail if routing was incorrect) // Verify it completed successfully (would fail if routing was incorrect)
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}` `Installation did not succeed. Output was:\n${result.output}`
); );
}); });
@ -197,16 +219,19 @@ describe("E2E: pip coverage", () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Install a simple package from GitHub - this should use TCP tunnel, not MITM // Install a simple package from GitHub - this should use TCP tunnel, not MITM
// Using a popular, small package for testing // Using a popular, small package for testing
const result = await shell.runCommand('pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3'); const result = await shell.runCommand(
"pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
// Verify installation succeeded (would fail if certificate validation via env CA bundle broke) // Verify installation succeeded (would fail if certificate validation via env CA bundle broke)
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation from GitHub failed - CA bundle may not be working. Output was:\n${result.output}` `Installation from GitHub failed - CA bundle may not be working. Output was:\n${result.output}`
); );
@ -223,10 +248,12 @@ describe("E2E: pip coverage", () => {
// Clear cache to force network download through proxy // Clear cache to force network download through proxy
await shell.runCommand("pip3 cache purge"); await shell.runCommand("pip3 cache purge");
const result = await shell.runCommand('pip3 install --break-system-packages certifi'); const result = await shell.runCommand(
"pip3 install --break-system-packages certifi"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
@ -238,7 +265,9 @@ describe("E2E: pip coverage", () => {
// Should NOT contain SSL or certificate errors // Should NOT contain SSL or certificate errors
assert.ok( assert.ok(
!result.output.match(/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i), !result.output.match(
/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i
),
`Should not have SSL/certificate errors. Output was:\n${result.output}` `Should not have SSL/certificate errors. Output was:\n${result.output}`
); );
}); });
@ -247,17 +276,20 @@ describe("E2E: pip coverage", () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
// Test installing from a direct HTTPS URL (not a registry) // Test installing from a direct HTTPS URL (not a registry)
// This validates that non-registry HTTPS traffic works with our env-provided CA bundle // This validates that non-registry HTTPS traffic works with our env-provided CA bundle
const result = await shell.runCommand('pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl'); const result = await shell.runCommand(
"pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
// Since this is from pythonhosted.org, it should be MITM'd by safe-chain // Since this is from pythonhosted.org, it should be MITM'd by safe-chain
// But the certificate validation should still work // But the certificate validation should still work
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation from direct HTTPS URL failed. Output was:\n${result.output}` `Installation from direct HTTPS URL failed. Output was:\n${result.output}`
); );
}); });
@ -267,24 +299,28 @@ describe("E2E: pip coverage", () => {
// Use Test PyPI which is NOT in knownPipRegistries // Use Test PyPI which is NOT in knownPipRegistries
// This tests tunneled HTTPS with our env-provided CA bundle (Safe Chain CA + Mozilla + Node roots) // This tests tunneled HTTPS with our env-provided CA bundle (Safe Chain CA + Mozilla + Node roots)
// If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED // If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED
const result = await shell.runCommand('pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi'); const result = await shell.runCommand(
"pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi"
);
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
// Should succeed if CA bundle properly handles tunneled hosts // Should succeed if CA bundle properly handles tunneled hosts
assert.ok( assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation from Test PyPI failed. This may indicate the CA bundle lacks public roots. Output was:\n${result.output}` `Installation from Test PyPI failed. This may indicate the CA bundle lacks public roots. Output was:\n${result.output}`
); );
// Should NOT contain certificate verification errors // Should NOT contain certificate verification errors
assert.ok( assert.ok(
!result.output.match(/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i), !result.output.match(
/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i
),
`Should not have SSL/certificate errors for tunneled hosts. Output was:\n${result.output}` `Should not have SSL/certificate errors for tunneled hosts. Output was:\n${result.output}`
); );
}); });
}); });

2
test/e2e/pnpm-ci.e2e.spec.js
View file

@ -36,7 +36,7 @@ describe("E2E: pnpm coverage", () => {
const result = await shell.runCommand("pnpm add axios"); const result = await shell.runCommand("pnpm add axios");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });

2
test/e2e/pnpm.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: pnpm coverage", () => {
const result = await shell.runCommand("pnpm add axios"); const result = await shell.runCommand("pnpm add axios");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });

2
test/e2e/yarn-ci.e2e.spec.js
View file

@ -36,7 +36,7 @@ describe("E2E: yarn coverage", () => {
const result = await shell.runCommand("yarn add axios"); const result = await shell.runCommand("yarn add axios");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });

2
test/e2e/yarn.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: yarn coverage", () => {
const result = await shell.runCommand("yarn add axios"); const result = await shell.runCommand("yarn add axios");
assert.ok( assert.ok(
result.output.includes("no malicious packages found."), result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });