milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add end-to-end tests for proxy blocking malware packages

Browse source
This commit is contained in:
Sander Declerck 2025-09-30 15:03:49 +02:00
parent a3f91b8b55
commit 6c08c6adce
No known key found for this signature in database
4 changed files with 115 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

46
test/e2e/npm.e2e.spec.js
View file

@ -60,6 +60,52 @@ describe("E2E: npm coverage", () => {
);
});
it(`safe-chain blocks download of malicious packages already in package.json`, async () => {
const shell = await container.openShell("zsh");
const npmVersion = (await shell.runCommand("npm --version")).output.trim();
const majorVersion = parseInt(npmVersion.split(".")[0]);
const minorVersion = parseInt(npmVersion.split(".")[1]);
const isBelow10_4 =
majorVersion < 10 || (majorVersion === 10 && minorVersion < 4);
await shell.runCommand(
'echo \'{"name":"test-project","version":"1.0.0","dependencies":{"safe-chain-test":"0.0.1-security"}}\' > package.json'
);
var result = await shell.runCommand("npm install");
if (isBelow10_4) {
assert.ok(
result.output.includes("blocked 1 malicious package downloads"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("- safe-chain-test"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes(
"Exiting without installing malicious packages."
),
`Output did not include expected text. Output was:\n${result.output}`
);
} else {
assert.ok(
result.output.includes("Malicious changes detected:"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("- safe-chain-test"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes(
"Exiting without installing malicious packages."
),
`Output did not include expected text. Output was:\n${result.output}`
);
}
});
it("safe-chain blocks npx from executing malicious packages", async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("npx safe-chain-test");

22
test/e2e/pnpm.e2e.spec.js
View file

@ -60,6 +60,28 @@ describe("E2E: pnpm coverage", () => {
);
});
it(`safe-chain blocks download of malicious packages already in package.json`, async () => {
const shell = await container.openShell("zsh");
await shell.runCommand(
'echo \'{"name":"test-project","version":"1.0.0","dependencies":{"safe-chain-test":"0.0.1-security"}}\' > package.json'
);
var result = await shell.runCommand("pnpm install");
assert.ok(
result.output.includes("blocked 1 malicious package downloads"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("- safe-chain-test"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it("safe-chain blocks pnpx from executing malicious packages", async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pnpx safe-chain-test");

46
test/e2e/yarn.e2e.spec.js
View file

@ -60,6 +60,52 @@ describe("E2E: yarn coverage", () => {
);
});
it(`safe-chain blocks download of malicious packages already in package.json`, async () => {
const shell = await container.openShell("zsh");
await shell.runCommand(
'echo \'{"name":"test-project","version":"1.0.0","dependencies":{"safe-chain-test":"0.0.1-security"}}\' > package.json'
);
var result = await shell.runCommand("yarn");
assert.ok(
result.output.includes("blocked 1 malicious package downloads"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("- safe-chain-test"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it(`safe-chain blocks installation of malicious packages`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("yarn add safe-chain-test");
assert.ok(
result.output.includes("Malicious changes detected:"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("- safe-chain-test"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Output did not include expected text. Output was:\n${result.output}`
);
const listResult = await shell.runCommand("yarn list");
assert.ok(
!listResult.output.includes("safe-chain-test"),
`Malicious package was installed despite safe-chain protection. Output of 'yarn list' was:\n${listResult.output}`
);
});
it("safe-chain blocks yarn dlx from executing malicious packages", async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("yarn dlx safe-chain-test");