mirror of
https://github.com/AikidoSec/safe-chain.git
synced 2026-05-26 12:10:49 +00:00
Merge branch 'main' into feature/cleanup-shims
This commit is contained in:
Reinier Criel
commit
7e88490bd1
5 changed files with 46 additions and 17 deletions
|
|
@ -23,6 +23,7 @@ export async function main(args) {
|
|||
process.on("uncaughtException", (error) => {
|
||||
ui.writeError(`Safe-chain: Uncaught exception: ${error.message}`);
|
||||
ui.writeVerbose(`Stack trace: ${error.stack}`);
|
||||
ui.writeBufferedLogsAndStopBuffering();
|
||||
process.exit(1);
|
||||
});
|
||||
|
||||
|
|
@ -31,6 +32,7 @@ export async function main(args) {
|
|||
if (reason instanceof Error) {
|
||||
ui.writeVerbose(`Stack trace: ${reason.stack}`);
|
||||
}
|
||||
ui.writeBufferedLogsAndStopBuffering();
|
||||
process.exit(1);
|
||||
});
|
||||
|
||||
|
|
@ -89,6 +91,7 @@ export async function main(args) {
|
|||
return packageManagerResult.status;
|
||||
} catch (/** @type any */ error) {
|
||||
ui.writeError("Failed to check for malicious packages:", error.message);
|
||||
ui.writeBufferedLogsAndStopBuffering();
|
||||
|
||||
// Returning the exit code back to the caller allows the promise
|
||||
// to be awaited in the bin files and return the correct exit code
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ import fsSync from "node:fs";
|
|||
import os from "node:os";
|
||||
import path from "node:path";
|
||||
import ini from "ini";
|
||||
import { spawn } from "child_process";
|
||||
|
||||
/**
|
||||
* Checks if this pip invocation should bypass safe-chain and spawn directly.
|
||||
|
|
@ -16,7 +17,7 @@ import ini from "ini";
|
|||
* @param {string[]} args - The arguments
|
||||
* @returns {boolean}
|
||||
*/
|
||||
function shouldBypassSafeChain(command, args) {
|
||||
export function shouldBypassSafeChain(command, args) {
|
||||
if (command === PYTHON_COMMAND || command === PYTHON3_COMMAND) {
|
||||
// Check if args start with -m pip
|
||||
if (args.length >= 2 && args[0] === "-m" && (args[1] === PIP_COMMAND || args[1] === PIP3_COMMAND)) {
|
||||
|
|
@ -77,14 +78,16 @@ export async function runPip(command, args) {
|
|||
if (shouldBypassSafeChain(command, args)) {
|
||||
ui.writeVerbose(`Safe-chain: Bypassing safe-chain for non-pip invocation: ${command} ${args.join(" ")}`);
|
||||
// Spawn the ORIGINAL command with ORIGINAL args
|
||||
const { spawn } = await import("child_process");
|
||||
return new Promise((_resolve) => {
|
||||
const proc = spawn(command, args, { stdio: "inherit" });
|
||||
proc.on("exit", (/** @type {number | null} */ code) => {
|
||||
ui.writeVerbose(`${command} ${args.join(" ")} exited with status ${code}`);
|
||||
ui.writeBufferedLogsAndStopBuffering();
|
||||
process.exit(code ?? 0);
|
||||
});
|
||||
proc.on("error", (/** @type {Error} */ err) => {
|
||||
ui.writeError(`Error executing command: ${err.message}`);
|
||||
ui.writeBufferedLogsAndStopBuffering();
|
||||
process.exit(1);
|
||||
});
|
||||
});
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ import ini from "ini";
|
|||
|
||||
describe("runPipCommand environment variable handling", () => {
|
||||
let runPip;
|
||||
let shouldBypassSafeChain;
|
||||
let capturedArgs = null;
|
||||
let customEnv = null;
|
||||
let capturedConfigContent = null; // Capture config file content before cleanup
|
||||
|
|
@ -56,6 +57,7 @@ describe("runPipCommand environment variable handling", () => {
|
|||
|
||||
const mod = await import("./runPipCommand.js");
|
||||
runPip = mod.runPip;
|
||||
shouldBypassSafeChain = mod.shouldBypassSafeChain;
|
||||
});
|
||||
|
||||
afterEach(() => {
|
||||
|
|
@ -397,4 +399,21 @@ describe("runPipCommand environment variable handling", () => {
|
|||
assert.ok(output.includes("proxy found in PIP_CONFIG_FILE"), "Should warn about proxy overwrite in output");
|
||||
customEnv = null;
|
||||
});
|
||||
|
||||
it("should bypass safe-chain for python correctly", async () => {
|
||||
assert.strictEqual(shouldBypassSafeChain("python", []), true);
|
||||
assert.strictEqual(shouldBypassSafeChain("python3", []), true);
|
||||
|
||||
assert.strictEqual(shouldBypassSafeChain("python", ["--version"]), true);
|
||||
assert.strictEqual(shouldBypassSafeChain("python3", ["--version"]), true);
|
||||
|
||||
assert.strictEqual(shouldBypassSafeChain("python", ["-m", "http.server"]), true);
|
||||
assert.strictEqual(shouldBypassSafeChain("python3", ["-m", "http.server"]), true);
|
||||
|
||||
assert.strictEqual(shouldBypassSafeChain("python", ["-m", "pip"]), false);
|
||||
assert.strictEqual(shouldBypassSafeChain("python3", ["-m", "pip"]), false);
|
||||
assert.strictEqual(shouldBypassSafeChain("python", ["-m", "pip3"]), false);
|
||||
assert.strictEqual(shouldBypassSafeChain("python3", ["-m", "pip3"]), false);
|
||||
});
|
||||
|
||||
});
|
||||
|
|
|
|||
|
|
@ -33,12 +33,16 @@ export class DockerTestContainer {
|
|||
].join(" ");
|
||||
|
||||
execSync(
|
||||
`docker build -t ${imageName} -f ${dockerFile} ${contextPath} ${buildArgs}`,
|
||||
`docker build --progress=plain -t ${imageName} -f ${dockerFile} ${contextPath} ${buildArgs}`,
|
||||
{
|
||||
stdio: "ignore",
|
||||
stdio: "pipe",
|
||||
maxBuffer: 10 * 1024 * 1024, // Default is 1MB, increase to 10MB to account for large build logs
|
||||
}
|
||||
);
|
||||
} catch (error) {
|
||||
// Only print the build logs if the build fails
|
||||
if (error.stdout) console.log(error.stdout.toString());
|
||||
if (error.stderr) console.error(error.stderr.toString());
|
||||
throw new Error(`Failed to build Docker image: ${error.message}`);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -41,7 +41,7 @@ RUN apt-get install -y fish && \
|
|||
touch /root/.config/fish/config.fish
|
||||
|
||||
# Install Volta and Node.js
|
||||
RUN curl https://get.volta.sh | bash
|
||||
RUN curl -fsSL https://get.volta.sh | bash
|
||||
RUN volta install node@${NODE_VERSION}
|
||||
RUN volta install npm@${NPM_VERSION}
|
||||
RUN volta install yarn@${YARN_VERSION}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue