mirror of
https://github.com/AikidoSec/safe-chain.git
synced 2026-05-26 20:20:49 +00:00
148 lines
4.8 KiB
JavaScript
148 lines
4.8 KiB
JavaScript
import { describe, it, before, beforeEach, afterEach } from "node:test";
|
|
import { DockerTestContainer } from "./DockerTestContainer.js";
|
|
import {
|
|
buildRushConfig,
|
|
resolveRushVersions,
|
|
writeTextFile,
|
|
} from "./utils/rushtestutils.mjs";
|
|
import assert from "node:assert";
|
|
|
|
// These tests cover safe-chain's Rush wrapper: pre-scanning `rush add` and
|
|
// blocking malicious packages downloaded during `rush update` via the MITM
|
|
// proxy. They use a single Rush-internal package manager (pnpm) — see
|
|
// `utils/rushtestutils.mjs` for why this suite isn't parameterised over the
|
|
// CI matrix's NPM_VERSION/PNPM_VERSION/YARN_VERSION values.
|
|
|
|
describe("E2E: rush coverage", () => {
|
|
let container;
|
|
/** @type {{ rushVersion: string, pnpmVersion: string } | undefined} */
|
|
let resolvedVersions;
|
|
|
|
before(async () => {
|
|
DockerTestContainer.buildImage();
|
|
});
|
|
|
|
beforeEach(async () => {
|
|
container = new DockerTestContainer();
|
|
await container.start();
|
|
|
|
const installationShell = await container.openShell("zsh");
|
|
await installationShell.runCommand("safe-chain setup");
|
|
|
|
if (!resolvedVersions) {
|
|
resolvedVersions = await resolveRushVersions(installationShell);
|
|
}
|
|
|
|
await setupRushWorkspace(installationShell, { resolvedVersions });
|
|
});
|
|
|
|
afterEach(async () => {
|
|
if (container) {
|
|
await container.stop();
|
|
container = null;
|
|
}
|
|
});
|
|
|
|
it("safe-chain successfully adds safe packages", async () => {
|
|
const shell = await container.openShell("zsh");
|
|
const result = await shell.runCommand(
|
|
"cd /testapp/apps/test-app && rush add --package axios@1.13.0 --exact --skip-update --safe-chain-logging=verbose"
|
|
);
|
|
|
|
assert.ok(
|
|
result.output.includes("no malware found."),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
});
|
|
|
|
it("safe-chain blocks rush add of malicious packages", async () => {
|
|
const shell = await container.openShell("zsh");
|
|
const result = await shell.runCommand(
|
|
"cd /testapp/apps/test-app && rush add --package safe-chain-test --skip-update"
|
|
);
|
|
|
|
assert.ok(
|
|
result.output.includes("Malicious changes detected:"),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
assert.ok(
|
|
result.output.includes("- safe-chain-test"),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
assert.ok(
|
|
result.output.includes("Exiting without installing malicious packages."),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
|
|
const packageJson = await shell.runCommand(
|
|
"cat /testapp/apps/test-app/package.json"
|
|
);
|
|
|
|
assert.ok(
|
|
!packageJson.output.includes("safe-chain-test"),
|
|
`Malicious package was added despite safe-chain protection. Output was:\n${packageJson.output}`
|
|
);
|
|
});
|
|
|
|
it("safe-chain proxy blocks malicious package downloads during rush update", async () => {
|
|
const shell = await container.openShell("zsh");
|
|
await setupRushWorkspace(shell, {
|
|
resolvedVersions,
|
|
packageJson: `{
|
|
"name": "test-app",
|
|
"version": "1.0.0",
|
|
"dependencies": {
|
|
"safe-chain-test": "0.0.1-security"
|
|
}
|
|
}`,
|
|
});
|
|
|
|
// `--safe-chain-skip-minimum-package-age` is needed because Rush's
|
|
// internal pnpm bootstrap (`npm install pnpm@<resolvedVersion>`) goes
|
|
// through the safe-chain proxy. When the CI matrix selects pnpm
|
|
// `latest`, the just-released version can be below the minimum age
|
|
// threshold and Rush's install would otherwise be blocked before our
|
|
// malicious-download assertion is reached.
|
|
const result = await shell.runCommand(
|
|
"cd /testapp/apps/test-app && rush update --safe-chain-skip-minimum-package-age"
|
|
);
|
|
|
|
assert.match(
|
|
result.output,
|
|
/blocked \d+ malicious package downloads/,
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
assert.ok(
|
|
result.output.includes("- safe-chain-test"),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
assert.ok(
|
|
result.output.includes("Exiting without installing malicious packages."),
|
|
`Output did not include expected text. Output was:\n${result.output}`
|
|
);
|
|
});
|
|
});
|
|
|
|
async function setupRushWorkspace(shell, { resolvedVersions, packageJson }) {
|
|
const rushConfig = buildRushConfig({
|
|
rushVersion: resolvedVersions.rushVersion,
|
|
pnpmVersion: resolvedVersions.pnpmVersion,
|
|
});
|
|
|
|
await shell.runCommand("rm -rf /testapp/common /testapp/apps/test-app");
|
|
await shell.runCommand("mkdir -p /testapp/apps/test-app");
|
|
await writeTextFile(
|
|
shell,
|
|
"/testapp/rush.json",
|
|
JSON.stringify(rushConfig, null, 2)
|
|
);
|
|
await writeTextFile(
|
|
shell,
|
|
"/testapp/apps/test-app/package.json",
|
|
packageJson ??
|
|
`{
|
|
"name": "test-app",
|
|
"version": "1.0.0"
|
|
}`
|
|
);
|
|
}
|