mirror of
https://github.com/AikidoSec/safe-chain.git
synced 2026-05-26 04:00:49 +00:00
123 lines
4.2 KiB
JavaScript
123 lines
4.2 KiB
JavaScript
import { describe, it, before, beforeEach, afterEach } from "node:test";
|
|
import { DockerTestContainer } from "./DockerTestContainer.js";
|
|
import assert from "node:assert";
|
|
|
|
describe("E2E: npm coverage", () => {
|
|
let container;
|
|
|
|
before(async () => {
|
|
DockerTestContainer.buildImage();
|
|
});
|
|
|
|
beforeEach(async () => {
|
|
// Run a new Docker container for each test
|
|
container = new DockerTestContainer();
|
|
await container.start();
|
|
|
|
const installationShell = await container.openShell("zsh");
|
|
await installationShell.runCommand("safe-chain setup");
|
|
});
|
|
|
|
afterEach(async () => {
|
|
// Stop and clean up the container after each test
|
|
if (container) {
|
|
await container.stop();
|
|
container = null;
|
|
}
|
|
});
|
|
|
|
it(`safe-chain succesfully installs safe packages`, async () => {
|
|
const shell = await container.openShell("zsh");
|
|
const result = await shell.runCommand(
|
|
"npm i axios@1.13.0 --safe-chain-logging=verbose"
|
|
);
|
|
|
|
assert.ok(
|
|
result.output.includes("no malware found."),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
});
|
|
|
|
it(`safe-chain blocks installation of malicious packages`, async () => {
|
|
const shell = await container.openShell("zsh");
|
|
const result = await shell.runCommand("npm i safe-chain-test");
|
|
|
|
assert.ok(
|
|
result.output.includes("Malicious changes detected:"),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
assert.ok(
|
|
result.output.includes("- safe-chain-test"),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
assert.ok(
|
|
result.output.includes("Exiting without installing malicious packages."),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
|
|
const listResult = await shell.runCommand("npm list");
|
|
assert.ok(
|
|
!listResult.output.includes("safe-chain-test"),
|
|
`Malicious package was installed despite safe-chain protection. Output of 'npm list' was:\n${listResult.output}`
|
|
);
|
|
});
|
|
|
|
it(`safe-chain blocks download of malicious packages already in package.json`, async () => {
|
|
const shell = await container.openShell("zsh");
|
|
await shell.runCommand(
|
|
'echo \'{"name":"test-project","version":"1.0.0","dependencies":{"safe-chain-test":"0.0.1-security"}}\' > package.json'
|
|
);
|
|
|
|
var result = await shell.runCommand("npm install");
|
|
|
|
assert.match(
|
|
result.output,
|
|
/blocked [1-9]\d* malicious package downloads/,
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
assert.ok(
|
|
result.output.includes("- safe-chain-test"),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
assert.ok(
|
|
result.output.includes("Exiting without installing malicious packages."),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
});
|
|
|
|
it("safe-chain blocks npx from executing malicious packages", async () => {
|
|
const shell = await container.openShell("zsh");
|
|
const result = await shell.runCommand("npx safe-chain-test");
|
|
|
|
assert.ok(
|
|
result.output.includes("Malicious changes detected:"),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
assert.ok(
|
|
result.output.includes("- safe-chain-test"),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
assert.ok(
|
|
result.output.includes("Exiting without installing malicious packages."),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
});
|
|
|
|
it("safe-chain blocks npm exec from executing malicious packages", async () => {
|
|
const shell = await container.openShell("zsh");
|
|
const result = await shell.runCommand("npm exec safe-chain-test");
|
|
|
|
assert.ok(
|
|
result.output.includes("Malicious changes detected:"),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
assert.ok(
|
|
result.output.includes("- safe-chain-test"),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
assert.ok(
|
|
result.output.includes("Exiting without installing malicious packages."),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
});
|
|
});
|