milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove dry-run scanner for npm, relying on the proxy to block maliscious package downloads instead

Browse source
This commit is contained in:
Sander Declerck 2025-10-10 16:18:43 +02:00
parent dc4352bffb
commit 8aebb1b96b
No known key found for this signature in database
12 changed files with 29 additions and 496 deletions
Download patch file Download diff file Expand all files Collapse all files

48
test/e2e/npm.e2e.spec.js
View file

@ -62,48 +62,24 @@ describe("E2E: npm coverage", () => {
it(`safe-chain blocks download of malicious packages already in package.json`, async () => {
const shell = await container.openShell("zsh");
const npmVersion = (await shell.runCommand("npm --version")).output.trim();
const majorVersion = parseInt(npmVersion.split(".")[0]);
const minorVersion = parseInt(npmVersion.split(".")[1]);
const isBelow10_4 =
majorVersion < 10 || (majorVersion === 10 && minorVersion < 4);
await shell.runCommand(
'echo \'{"name":"test-project","version":"1.0.0","dependencies":{"safe-chain-test":"0.0.1-security"}}\' > package.json'
);
var result = await shell.runCommand("npm install");
if (isBelow10_4) {
assert.ok(
result.output.includes("blocked 1 malicious package downloads"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("- safe-chain-test"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes(
"Exiting without installing malicious packages."
),
`Output did not include expected text. Output was:\n${result.output}`
);
} else {
assert.ok(
result.output.includes("Malicious changes detected:"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("- safe-chain-test"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes(
"Exiting without installing malicious packages."
),
`Output did not include expected text. Output was:\n${result.output}`
);
}
assert.ok(
result.output.includes("blocked 1 malicious package downloads"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("- safe-chain-test"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it("safe-chain blocks npx from executing malicious packages", async () => {