Wrap bun with safe-chain to block downloads of packages with malware

2026-05-26 12:10:49 +00:00 · 2025-10-08 15:12:06 +02:00 · 2025-10-08 15:12:06 +02:00 · 43dcba8802
commit 43dcba8802
parent 16c76de0f3
11 changed files with 184 additions and 5 deletions
--- a/test/e2e/Dockerfile
+++ b/test/e2e/Dockerfile
@ -46,6 +46,9 @@ RUN volta install npm@${NPM_VERSION}
 RUN volta install yarn@${YARN_VERSION}
 RUN volta install pnpm@${PNPM_VERSION}

+# Install Bun
+RUN curl -fsSL https://bun.sh/install | bash
+
 # Copy and install Safe chain
 COPY --from=builder /app/*.tgz /pkgs/
 RUN npm install -g /pkgs/*.tgz
--- a/test/e2e/bun.e2e.spec.js
+++ b/test/e2e/bun.e2e.spec.js
@ -0,0 +1,79 @@
+import { describe, it, before, beforeEach, afterEach } from "node:test";
+import { DockerTestContainer } from "./DockerTestContainer.js";
+import assert from "node:assert";
+
+describe("E2E: bun coverage", () => {
+  let container;
+
+  before(async () => {
+    DockerTestContainer.buildImage();
+  });
+
+  beforeEach(async () => {
+    // Run a new Docker container for each test
+    container = new DockerTestContainer();
+    await container.start();
+
+    const installationShell = await container.openShell("zsh");
+    await installationShell.runCommand("safe-chain setup");
+  });
+
+  afterEach(async () => {
+    // Stop and clean up the container after each test
+    if (container) {
+      await container.stop();
+      container = null;
+    }
+  });
+
+  it(`safe-chain succesfully installs safe packages`, async () => {
+    const shell = await container.openShell("bash");
+    const result = await shell.runCommand("bun i axios");
+
+    assert.ok(
+      result.output.includes("no malicious packages found."),
+      `Output did not include expected text. Output was:\n${result.output}`
+    );
+  });
+
+  it(`safe-chain blocks download of malicious packages already in package.json`, async () => {
+    const shell = await container.openShell("bash");
+    await shell.runCommand(
+      'echo \'{"name":"test-project","version":"1.0.0","dependencies":{"safe-chain-test":"0.0.1-security"}}\' > package.json'
+    );
+
+    var result = await shell.runCommand("bun install");
+
+    assert.ok(
+      result.output.includes("blocked 1 malicious package downloads"),
+      `Output did not include expected text. Output was:\n${result.output}`
+    );
+    assert.ok(
+      result.output.includes("- safe-chain-test"),
+      `Output did not include expected text. Output was:\n${result.output}`
+    );
+    assert.ok(
+      result.output.includes("Exiting without installing malicious packages."),
+      `Output did not include expected text. Output was:\n${result.output}`
+    );
+  });
+
+  it("safe-chain blocks bunx from downloading malicious packages", async () => {
+    const shell = await container.openShell("bash");
+
+    const result = await shell.runCommand("bunx safe-chain-test");
+
+    assert.ok(
+      result.output.includes("blocked 1 malicious package downloads"),
+      `Output did not include expected text. Output was:\n${result.output}`
+    );
+    assert.ok(
+      result.output.includes("- safe-chain-test"),
+      `Output did not include expected text. Output was:\n${result.output}`
+    );
+    assert.ok(
+      result.output.includes("Exiting without installing malicious packages."),
+      `Output did not include expected text. Output was:\n${result.output}`
+    );
+  });
+});