milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Address e2e suite failures

Browse source
This commit is contained in:
James McMeeking 2026-05-12 10:33:26 +01:00
parent e891d1a992
commit 5f0ad7ecfd
No known key found for this signature in database
GPG key ID: C69A11061EE15228
4 changed files with 165 additions and 105 deletions
Download patch file Download diff file Expand all files Collapse all files

2
npm-shrinkwrap.json generated
View file

@ -2417,7 +2417,6 @@
"integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==", "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"peer": true,
"engines": { "engines": {
"node": ">=12" "node": ">=12"
}, },
@ -3139,6 +3138,7 @@
"aikido-python": "bin/aikido-python.js", "aikido-python": "bin/aikido-python.js",
"aikido-python3": "bin/aikido-python3.js", "aikido-python3": "bin/aikido-python3.js",
"aikido-rush": "bin/aikido-rush.js", "aikido-rush": "bin/aikido-rush.js",
"aikido-rushx": "bin/aikido-rushx.js",
"aikido-uv": "bin/aikido-uv.js", "aikido-uv": "bin/aikido-uv.js",
"aikido-uvx": "bin/aikido-uvx.js", "aikido-uvx": "bin/aikido-uvx.js",
"aikido-yarn": "bin/aikido-yarn.js", "aikido-yarn": "bin/aikido-yarn.js",

95
test/e2e/rush.e2e.spec.js
View file

@ -1,14 +1,22 @@
import { describe, it, before, beforeEach, afterEach } from "node:test"; import { describe, it, before, beforeEach, afterEach } from "node:test";
import { DockerTestContainer } from "./DockerTestContainer.js"; import { DockerTestContainer } from "./DockerTestContainer.js";
import {
buildRushConfig,
resolveRushVersions,
writeTextFile,
} from "./utils/rushtestutils.mjs";
import assert from "node:assert"; import assert from "node:assert";
// These tests cover safe-chain's Rush wrapper: pre-scanning `rush add` and
// blocking malicious packages downloaded during `rush update` via the MITM
// proxy. They use a single Rush-internal package manager (pnpm) — see
// `utils/rushtestutils.mjs` for why this suite isn't parameterised over the
// CI matrix's NPM_VERSION/PNPM_VERSION/YARN_VERSION values.
describe("E2E: rush coverage", () => { describe("E2E: rush coverage", () => {
let container; let container;
const packageManagerConfigs = [ /** @type {{ rushVersion: string, pnpmVersion: string } | undefined} */
{ name: "pnpm", versionField: "pnpmVersion", version: "latest" }, let resolvedVersions;
{ name: "yarn", versionField: "yarnVersion", version: "latest" },
{ name: "npm", versionField: "npmVersion", version: "latest" },
];
before(async () => { before(async () => {
DockerTestContainer.buildImage(); DockerTestContainer.buildImage();
@ -20,7 +28,12 @@ describe("E2E: rush coverage", () => {
const installationShell = await container.openShell("zsh"); const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup"); await installationShell.runCommand("safe-chain setup");
await setupRushWorkspace(installationShell);
if (!resolvedVersions) {
resolvedVersions = await resolveRushVersions(installationShell);
}
await setupRushWorkspace(installationShell, { resolvedVersions });
}); });
afterEach(async () => { afterEach(async () => {
@ -71,11 +84,10 @@ describe("E2E: rush coverage", () => {
); );
}); });
for (const packageManagerConfig of packageManagerConfigs) { it("safe-chain proxy blocks malicious package downloads during rush update", async () => {
it(`safe-chain proxy blocks malicious package downloads during rush update with ${packageManagerConfig.name}`, async () => {
const shell = await container.openShell("zsh"); const shell = await container.openShell("zsh");
await setupRushWorkspace(shell, { await setupRushWorkspace(shell, {
packageManagerConfig, resolvedVersions,
packageJson: `{ packageJson: `{
"name": "test-app", "name": "test-app",
"version": "1.0.0", "version": "1.0.0",
@ -85,7 +97,9 @@ describe("E2E: rush coverage", () => {
}`, }`,
}); });
const result = await shell.runCommand("cd /testapp/apps/test-app && rush update"); const result = await shell.runCommand(
"cd /testapp/apps/test-app && rush update"
);
assert.ok( assert.ok(
result.output.includes("blocked 1 malicious package downloads"), result.output.includes("blocked 1 malicious package downloads"),
@ -100,51 +114,28 @@ describe("E2E: rush coverage", () => {
`Output did not include expected text. Output was:\n${result.output}` `Output did not include expected text. Output was:\n${result.output}`
); );
}); });
}
}); });
async function setupRushWorkspace(shell, options = {}) { async function setupRushWorkspace(shell, { resolvedVersions, packageJson }) {
const packageManagerConfig = options.packageManagerConfig ?? { const rushConfig = buildRushConfig({
versionField: "pnpmVersion", rushVersion: resolvedVersions.rushVersion,
version: "11.0.6", pnpmVersion: resolvedVersions.pnpmVersion,
}; });
const packageJson = options.packageJson ?? `{
"name": "test-app",
"version": "1.0.0"
}`;
const rushConfig = {
$schema: "https://developer.microsoft.com/json-schemas/rush/v5/rush.schema.json",
rushVersion: "5.175.1",
[packageManagerConfig.versionField]: packageManagerConfig.version,
nodeSupportedVersionRange: ">=18.0.0",
projectFolderMinDepth: 1,
projectFolderMaxDepth: 2,
gitPolicy: {},
repository: {
url: "https://example.com/testapp.git",
defaultBranch: "main",
},
eventHooks: {
preRushInstall: [],
postRushInstall: [],
preRushBuild: [],
postRushBuild: [],
},
projects: [
{
packageName: "test-app",
projectFolder: "apps/test-app",
},
],
};
await shell.runCommand("rm -rf /testapp/common /testapp/apps/test-app"); await shell.runCommand("rm -rf /testapp/common /testapp/apps/test-app");
await shell.runCommand("mkdir -p /testapp/apps/test-app"); await shell.runCommand("mkdir -p /testapp/apps/test-app");
await writeTextFile(shell, "/testapp/rush.json", JSON.stringify(rushConfig, null, 2)); await writeTextFile(
await writeTextFile(shell, "/testapp/apps/test-app/package.json", packageJson); shell,
} "/testapp/rush.json",
JSON.stringify(rushConfig, null, 2)
async function writeTextFile(shell, filePath, content) { );
const encoded = Buffer.from(content).toString("base64"); await writeTextFile(
await shell.runCommand(`printf '%s' '${encoded}' | base64 -d > ${filePath}`); shell,
"/testapp/apps/test-app/package.json",
packageJson ??
`{
"name": "test-app",
"version": "1.0.0"
}`
);
} }

67
test/e2e/rushx.e2e.spec.js
View file

@ -1,9 +1,16 @@
import { describe, it, before, beforeEach, afterEach } from "node:test"; import { describe, it, before, beforeEach, afterEach } from "node:test";
import { DockerTestContainer } from "./DockerTestContainer.js"; import { DockerTestContainer } from "./DockerTestContainer.js";
import {
buildRushConfig,
resolveRushVersions,
writeTextFile,
} from "./utils/rushtestutils.mjs";
import assert from "node:assert"; import assert from "node:assert";
describe("E2E: rushx coverage", () => { describe("E2E: rushx coverage", () => {
let container; let container;
/** @type {{ rushVersion: string, pnpmVersion: string } | undefined} */
let resolvedVersions;
before(async () => { before(async () => {
DockerTestContainer.buildImage(); DockerTestContainer.buildImage();
@ -15,7 +22,12 @@ describe("E2E: rushx coverage", () => {
const installationShell = await container.openShell("zsh"); const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup"); await installationShell.runCommand("safe-chain setup");
await setupRushWorkspace(installationShell);
if (!resolvedVersions) {
resolvedVersions = await resolveRushVersions(installationShell);
}
await setupRushWorkspace(installationShell, { resolvedVersions });
}); });
afterEach(async () => { afterEach(async () => {
@ -58,43 +70,30 @@ describe("E2E: rushx coverage", () => {
}); });
}); });
async function setupRushWorkspace(shell) { async function setupRushWorkspace(shell, { resolvedVersions }) {
await shell.runCommand("mkdir -p /testapp/common/config/rush /testapp/apps/test-app"); const rushConfig = buildRushConfig({
await shell.runCommand(`cat > /testapp/common/config/rush/rush.json <<'EOF' rushVersion: resolvedVersions.rushVersion,
{ pnpmVersion: resolvedVersions.pnpmVersion,
"$schema": "https://developer.microsoft.com/json-schemas/rush/v5/rush.schema.json", });
"rushVersion": "5.175.1",
"pnpmVersion": "11.0.6", await shell.runCommand(
"nodeSupportedVersionRange": ">=18.0.0", "mkdir -p /testapp/common/config/rush /testapp/apps/test-app"
"projectFolderMinDepth": 1, );
"projectFolderMaxDepth": 2, await writeTextFile(
"gitPolicy": {}, shell,
"repository": { "/testapp/rush.json",
"url": "https://example.com/testapp.git", JSON.stringify(rushConfig, null, 2)
"defaultBranch": "main" );
}, await writeTextFile(
"eventHooks": { shell,
"preRushInstall": [], "/testapp/apps/test-app/package.json",
"postRushInstall": [], `{
"preRushBuild": [],
"postRushBuild": []
},
"projects": [
{
"packageName": "test-app",
"projectFolder": "apps/test-app"
}
]
}
EOF`);
await shell.runCommand(`cat > /testapp/apps/test-app/package.json <<'EOF'
{
"name": "test-app", "name": "test-app",
"version": "1.0.0", "version": "1.0.0",
"scripts": { "scripts": {
"install-safe": "npm install axios@1.13.0", "install-safe": "npm install axios@1.13.0",
"install-malicious": "npm install safe-chain-test@0.0.1-security" "install-malicious": "npm install safe-chain-test@0.0.1-security"
} }
} }`
EOF`); );
} }

70
test/e2e/utils/rushtestutils.mjs Normal file
View file

@ -0,0 +1,70 @@
// Helpers for the Rush E2E suites.
//
// What these suites actually test: that safe-chain's shim intercepts `rush`
// and `rushx` invocations correctly. The contents of `rush.json` are just
// fixture noise needed to make Rush run at all — Rush's schema requires
// exact semver for `rushVersion`/`pnpmVersion` and refuses dist-tags like
// "latest", so we resolve those once per suite.
//
// * `rushVersion` is read from the `rush` binary baked into the image
// (Dockerfile installs `@microsoft/rush@${RUSH_VERSION:-latest}`).
// * `pnpmVersion` is pinned to a known-good pnpm 9 release. Rush downloads
// this internally into `~/.rush/...`; it's unrelated to the system
// pnpm exercised by the pnpm e2e suite.
const PINNED_PNPM_VERSION = "9.15.9";
/** Resolves the versions to put into `rush.json`. */
export async function resolveRushVersions(shell) {
return {
rushVersion: await getInstalledRushVersion(shell),
pnpmVersion: PINNED_PNPM_VERSION,
};
}
/** Builds the standard `rush.json` body for the e2e fixtures. */
export function buildRushConfig({ rushVersion, pnpmVersion, projects }) {
return {
$schema:
"https://developer.microsoft.com/json-schemas/rush/v5/rush.schema.json",
rushVersion,
pnpmVersion,
nodeSupportedVersionRange: ">=18.0.0",
projectFolderMinDepth: 1,
projectFolderMaxDepth: 2,
gitPolicy: {},
repository: {
url: "https://example.com/testapp.git",
defaultBranch: "main",
},
eventHooks: {
preRushInstall: [],
postRushInstall: [],
preRushBuild: [],
postRushBuild: [],
},
projects: projects ?? [
{ packageName: "test-app", projectFolder: "apps/test-app" },
],
};
}
/**
* Writes a UTF-8 text file inside the container, base64-encoding the payload
* to avoid shell escaping issues for arbitrary content.
*/
export async function writeTextFile(shell, filePath, content) {
const encoded = Buffer.from(content).toString("base64");
await shell.runCommand(`printf '%s' '${encoded}' | base64 -d > ${filePath}`);
}
async function getInstalledRushVersion(shell) {
const { output } = await shell.runCommand("rush --version");
const match = output.match(/\b(\d+\.\d+\.\d+)\b/);
if (!match) {
throw new Error(
`Could not determine installed Rush version. Output was:\n${output}`
);
}
return match[1];
}