milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #138 from AikidoSec/only-write-stdout-when-safe-chain-audited

Browse source 
Only write to stdout when safe-chain audited packages
This commit is contained in:
bitterpanda 2025-11-05 17:51:57 +01:00 committed by GitHub
commit 96860fb93d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 311 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

16
packages/safe-chain/src/main.js
View file

@ -6,6 +6,7 @@ import { getPackageManager } from "./packagemanager/currentPackageManager.js";
import { initializeCliArguments } from "./config/cliArguments.js";
import { createSafeChainProxy } from "./registryProxy/registryProxy.js";
import chalk from "chalk";
import { getAuditStats } from "./scanning/audit/index.js";
/**
* @param {string[]} args
@ -61,12 +62,15 @@ export async function main(args) {
return 1;
}
ui.emptyLine();
ui.writeInformation(
`${chalk.green(
"✔"
)} Safe-chain: Command completed, no malicious packages found.`
);
const auditStats = getAuditStats();
if (auditStats.totalPackages > 0) {
ui.emptyLine();
ui.writeInformation(
`${chalk.green("✔")} Safe-chain: Scanned ${
auditStats.totalPackages
} packages, no malware found.`
);
}
// Returning the exit code back to the caller allows the promise
// to be awaited in the bin files and return the correct exit code

27
packages/safe-chain/src/scanning/audit/index.js
View file

@ -18,6 +18,29 @@ import {
* @property {boolean} isAllowed
*/
/**
* @typedef {Object} AuditStats
* @property {number} totalPackages
* @property {number} safePackages
* @property {number} malwarePackages
*/
/**
* @type AuditStats
*/
const auditStats = {
totalPackages: 0,
safePackages: 0,
malwarePackages: 0,
};
/**
* @returns {AuditStats}
*/
export function getAuditStats() {
return auditStats;
}
/**
* @param {PackageChange[]} changes
*
@ -41,16 +64,20 @@ export async function auditChanges(changes) {
);
if (malwarePackage) {
auditStats.malwarePackages += 1;
ui.writeVerbose(
`Safe-chain: Package ${change.name}@${change.version} is marked as malware: ${malwarePackage.status}`
);
disallowedChanges.push({ ...change, reason: malwarePackage.status });
} else {
auditStats.safePackages += 1;
ui.writeVerbose(
`Safe-chain: Package ${change.name}@${change.version} is clean`
);
allowedChanges.push(change);
}
auditStats.totalPackages += 1;
}
const auditResults = {

188
packages/safe-chain/src/scanning/audit/index.spec.js Normal file
View file

@ -0,0 +1,188 @@
import assert from "node:assert/strict";
import { describe, it, mock, beforeEach } from "node:test";
describe("audit/index", async () => {
const mockWriteVerbose = mock.fn();
// Mock UI module
mock.module("../../environment/userInteraction.js", {
namedExports: {
ui: {
writeVerbose: mockWriteVerbose,
},
},
});
// Mock malware database
const mockIsMalware = mock.fn();
mock.module("../malwareDatabase.js", {
namedExports: {
MALWARE_STATUS_MALWARE: "malware",
openMalwareDatabase: async () => ({
isMalware: mockIsMalware,
}),
},
});
const { auditChanges, getAuditStats } = await import("./index.js");
beforeEach(() => {
mockWriteVerbose.mock.resetCalls();
mockIsMalware.mock.resetCalls();
});
describe("getAuditStats", () => {
it("should return audit stats object with correct structure", () => {
const stats = getAuditStats();
assert.ok(stats.hasOwnProperty("totalPackages"));
assert.ok(stats.hasOwnProperty("safePackages"));
assert.ok(stats.hasOwnProperty("malwarePackages"));
assert.equal(typeof stats.totalPackages, "number");
assert.equal(typeof stats.safePackages, "number");
assert.equal(typeof stats.malwarePackages, "number");
});
it("should return the same object reference on multiple calls", () => {
const stats1 = getAuditStats();
const stats2 = getAuditStats();
assert.equal(stats1, stats2);
});
});
describe("auditChanges", () => {
it("should return empty allowed and disallowed arrays when no changes provided", async () => {
const result = await auditChanges([]);
assert.deepEqual(result.allowedChanges, []);
assert.deepEqual(result.disallowedChanges, []);
assert.equal(result.isAllowed, true);
});
it("should mark package as allowed when not malware", async () => {
mockIsMalware.mock.mockImplementation(() => false);
const changes = [{ name: "lodash", version: "4.17.21", type: "add" }];
const result = await auditChanges(changes);
assert.equal(result.allowedChanges.length, 1);
assert.equal(result.disallowedChanges.length, 0);
assert.equal(result.isAllowed, true);
assert.deepEqual(result.allowedChanges[0], changes[0]);
});
it("should mark package as disallowed when malware detected", async () => {
mockIsMalware.mock.mockImplementation(() => true);
const changes = [
{ name: "malicious-pkg", version: "1.0.0", type: "add" },
];
const result = await auditChanges(changes);
assert.equal(result.allowedChanges.length, 0);
assert.equal(result.disallowedChanges.length, 1);
assert.equal(result.isAllowed, false);
assert.equal(result.disallowedChanges[0].name, "malicious-pkg");
assert.equal(result.disallowedChanges[0].version, "1.0.0");
assert.equal(result.disallowedChanges[0].reason, "malware");
});
it("should handle mixed safe and malware packages", async () => {
mockIsMalware.mock.mockImplementation((name) => {
return name === "malicious-pkg";
});
const changes = [
{ name: "lodash", version: "4.17.21", type: "add" },
{ name: "malicious-pkg", version: "1.0.0", type: "add" },
{ name: "express", version: "4.18.0", type: "add" },
];
const result = await auditChanges(changes);
assert.equal(result.allowedChanges.length, 2);
assert.equal(result.disallowedChanges.length, 1);
assert.equal(result.isAllowed, false);
assert.equal(result.disallowedChanges[0].name, "malicious-pkg");
});
it("should only check malware for add and change types", async () => {
mockIsMalware.mock.mockImplementation(() => false);
const changes = [
{ name: "pkg1", version: "1.0.0", type: "add" },
{ name: "pkg2", version: "2.0.0", type: "change" },
{ name: "pkg3", version: "3.0.0", type: "remove" },
];
await auditChanges(changes);
// Should only check pkg1 and pkg2, not pkg3 (remove type)
assert.equal(mockIsMalware.mock.calls.length, 2);
});
it("should increment totalPackages counter for each package", async () => {
mockIsMalware.mock.mockImplementation(() => false);
const statsBefore = getAuditStats();
const initialCount = statsBefore.totalPackages;
const changes = [
{ name: "pkg1", version: "1.0.0", type: "add" },
{ name: "pkg2", version: "2.0.0", type: "add" },
{ name: "pkg3", version: "3.0.0", type: "add" },
];
await auditChanges(changes);
const statsAfter = getAuditStats();
assert.equal(statsAfter.totalPackages, initialCount + 3);
});
it("should increment safePackages counter for safe packages", async () => {
mockIsMalware.mock.mockImplementation(() => false);
const statsBefore = getAuditStats();
const initialCount = statsBefore.safePackages;
const changes = [
{ name: "lodash", version: "4.17.21", type: "add" },
{ name: "express", version: "4.18.0", type: "add" },
];
await auditChanges(changes);
const statsAfter = getAuditStats();
assert.equal(statsAfter.safePackages, initialCount + 2);
});
it("should increment malwarePackages counter for malware packages", async () => {
mockIsMalware.mock.mockImplementation(() => true);
const statsBefore = getAuditStats();
const initialCount = statsBefore.malwarePackages;
const changes = [
{ name: "malicious-1", version: "1.0.0", type: "add" },
{ name: "malicious-2", version: "2.0.0", type: "add" },
];
await auditChanges(changes);
const statsAfter = getAuditStats();
assert.equal(statsAfter.malwarePackages, initialCount + 2);
});
it("should accumulate stats across multiple auditChanges calls", async () => {
mockIsMalware.mock.mockImplementation(() => false);
const statsBefore = getAuditStats();
const initialCount = statsBefore.totalPackages;
// First call
await auditChanges([{ name: "pkg1", version: "1.0.0", type: "add" }]);
// Second call
await auditChanges([{ name: "pkg2", version: "2.0.0", type: "add" }]);
const statsAfter = getAuditStats();
assert.equal(statsAfter.totalPackages, initialCount + 2);
});
});
});

2
test/e2e/bun.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: bun coverage", () => {
const result = await shell.runCommand("bun i axios");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});

2
test/e2e/npm-ci.e2e.spec.js
View file

@ -36,7 +36,7 @@ describe("E2E: npm coverage using PATH", () => {
const result = await shell.runCommand("npm i axios");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});

2
test/e2e/npm.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: npm coverage", () => {
const result = await shell.runCommand("npm i axios");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});

122
test/e2e/pip.e2e.spec.js
View file

@ -28,10 +28,12 @@ describe("E2E: pip coverage", () => {
it(`successfully installs known safe packages with pip3`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 install --break-system-packages requests");
const result = await shell.runCommand(
"pip3 install --break-system-packages requests"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
@ -41,7 +43,7 @@ describe("E2E: pip coverage", () => {
const result = await shell.runCommand("pip3 download requests");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
@ -51,57 +53,63 @@ describe("E2E: pip coverage", () => {
const result = await shell.runCommand("pip3 wheel requests");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it(`pip3 install --dry-run is respected by scanner`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand("pip3 install --dry-run --break-system-packages requests");
const result = await shell.runCommand(
"pip3 install --dry-run --break-system-packages requests"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it(`pip3 install with extras such as requests[socks]`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('pip3 install --break-system-packages "requests[socks]==2.32.3"');
const result = await shell.runCommand(
'pip3 install --break-system-packages "requests[socks]==2.32.3"'
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it(`pip3 install with range version specifier`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('pip3 install --break-system-packages "Jinja2>=3.1,<3.2"');
const result = await shell.runCommand(
'pip3 install --break-system-packages "Jinja2>=3.1,<3.2"'
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it(`python3 -m pip install routes through safe-chain`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip install --break-system-packages requests');
const result = await shell.runCommand("python3 -m pip install requests");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it(`python3 -m pip download routes through safe-chain`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip download requests');
const result = await shell.runCommand("python3 -m pip download requests");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
@ -111,7 +119,9 @@ describe("E2E: pip coverage", () => {
// Clear pip cache to ensure network download through proxy
await shell.runCommand("pip3 cache purge");
const result = await shell.runCommand("pip3 install --break-system-packages safe-chain-pi-test");
const result = await shell.runCommand(
"pip3 install --break-system-packages safe-chain-pi-test"
);
assert.ok(
result.output.includes("blocked 1 malicious package downloads:"),
@ -135,60 +145,72 @@ describe("E2E: pip coverage", () => {
it(`python -m pip routes to aikido-pip (uses pip command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('python -m pip install --break-system-packages requests');
const result = await shell.runCommand(
"python -m pip install --break-system-packages requests"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Verify it completed successfully (would fail if routing was incorrect)
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}`
);
});
it(`python -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('python -m pip3 install --break-system-packages requests');
const result = await shell.runCommand(
"python -m pip3 install --break-system-packages requests"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Verify it completed successfully (would fail if routing was incorrect)
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}`
);
});
it(`python3 -m pip routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip install --break-system-packages requests');
const result = await shell.runCommand(
"python3 -m pip install --break-system-packages requests"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Verify it completed successfully (would fail if routing was incorrect)
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}`
);
});
it(`python3 -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand('python3 -m pip3 install --break-system-packages requests');
const result = await shell.runCommand(
"python3 -m pip3 install --break-system-packages requests"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Verify it completed successfully (would fail if routing was incorrect)
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation did not succeed. Output was:\n${result.output}`
);
});
@ -197,17 +219,20 @@ describe("E2E: pip coverage", () => {
const shell = await container.openShell("zsh");
// Install a simple package from GitHub - this should use TCP tunnel, not MITM
// Using a popular, small package for testing
const result = await shell.runCommand('pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3');
const result = await shell.runCommand(
"pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Verify installation succeeded (would fail if certificate validation via env CA bundle broke)
// Verify installation succeeded (would fail if certificate validation via env CA bundle broke)
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
`Installation from GitHub failed - CA bundle may not be working. Output was:\n${result.output}`
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation from GitHub failed - CA bundle may not be working. Output was:\n${result.output}`
);
// Verify package was actually installed
@ -223,10 +248,12 @@ describe("E2E: pip coverage", () => {
// Clear cache to force network download through proxy
await shell.runCommand("pip3 cache purge");
const result = await shell.runCommand('pip3 install --break-system-packages certifi');
const result = await shell.runCommand(
"pip3 install --break-system-packages certifi"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
@ -238,7 +265,9 @@ describe("E2E: pip coverage", () => {
// Should NOT contain SSL or certificate errors
assert.ok(
!result.output.match(/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i),
!result.output.match(
/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i
),
`Should not have SSL/certificate errors. Output was:\n${result.output}`
);
});
@ -247,17 +276,20 @@ describe("E2E: pip coverage", () => {
const shell = await container.openShell("zsh");
// Test installing from a direct HTTPS URL (not a registry)
// This validates that non-registry HTTPS traffic works with our env-provided CA bundle
const result = await shell.runCommand('pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl');
const result = await shell.runCommand(
"pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Since this is from pythonhosted.org, it should be MITM'd by safe-chain
// But the certificate validation should still work
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation from direct HTTPS URL failed. Output was:\n${result.output}`
);
});
@ -267,24 +299,28 @@ describe("E2E: pip coverage", () => {
// Use Test PyPI which is NOT in knownPipRegistries
// This tests tunneled HTTPS with our env-provided CA bundle (Safe Chain CA + Mozilla + Node roots)
// If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED
const result = await shell.runCommand('pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi');
const result = await shell.runCommand(
"pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi"
);
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
// Should succeed if CA bundle properly handles tunneled hosts
assert.ok(
result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
result.output.includes("Successfully installed") ||
result.output.includes("Requirement already satisfied"),
`Installation from Test PyPI failed. This may indicate the CA bundle lacks public roots. Output was:\n${result.output}`
);
// Should NOT contain certificate verification errors
assert.ok(
!result.output.match(/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i),
!result.output.match(
/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i
),
`Should not have SSL/certificate errors for tunneled hosts. Output was:\n${result.output}`
);
});
});

2
test/e2e/pnpm-ci.e2e.spec.js
View file

@ -36,7 +36,7 @@ describe("E2E: pnpm coverage", () => {
const result = await shell.runCommand("pnpm add axios");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});

2
test/e2e/pnpm.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: pnpm coverage", () => {
const result = await shell.runCommand("pnpm add axios");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});

2
test/e2e/yarn-ci.e2e.spec.js
View file

@ -36,7 +36,7 @@ describe("E2E: yarn coverage", () => {
const result = await shell.runCommand("yarn add axios");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});

2
test/e2e/yarn.e2e.spec.js
View file

@ -31,7 +31,7 @@ describe("E2E: yarn coverage", () => {
const result = await shell.runCommand("yarn add axios");
assert.ok(
result.output.includes("no malicious packages found."),
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});