milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
AikidoSec-safe-chain/test/e2e/rush.e2e.spec.js
James McMeeking e891d1a992
Update e2e suite to cover supported package managers
2026-05-08 13:13:37 +01:00

150 lines
4.9 KiB
JavaScript
Raw Blame History

import { describe, it, before, beforeEach, afterEach } from "node:test";
import { DockerTestContainer } from "./DockerTestContainer.js";
import assert from "node:assert";
describe("E2E: rush coverage", () => {
let container;
const packageManagerConfigs = [
{ name: "pnpm", versionField: "pnpmVersion", version: "latest" },
{ name: "yarn", versionField: "yarnVersion", version: "latest" },
{ name: "npm", versionField: "npmVersion", version: "latest" },
];
before(async () => {
DockerTestContainer.buildImage();
});
beforeEach(async () => {
container = new DockerTestContainer();
await container.start();
const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup");
await setupRushWorkspace(installationShell);
});
afterEach(async () => {
if (container) {
await container.stop();
container = null;
}
});
it("safe-chain successfully adds safe packages", async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"cd /testapp/apps/test-app && rush add --package axios@1.13.0 --exact --skip-update --safe-chain-logging=verbose"
);
assert.ok(
result.output.includes("no malware found."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
it("safe-chain blocks rush add of malicious packages", async () => {
const shell = await container.openShell("zsh");
const result = await shell.runCommand(
"cd /testapp/apps/test-app && rush add --package safe-chain-test --skip-update"
);
assert.ok(
result.output.includes("Malicious changes detected:"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("- safe-chain-test"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Output did not include expected text. Output was:\n${result.output}`
);
const packageJson = await shell.runCommand(
"cat /testapp/apps/test-app/package.json"
);
assert.ok(
!packageJson.output.includes("safe-chain-test"),
`Malicious package was added despite safe-chain protection. Output was:\n${packageJson.output}`
);
});
for (const packageManagerConfig of packageManagerConfigs) {
it(`safe-chain proxy blocks malicious package downloads during rush update with ${packageManagerConfig.name}`, async () => {
const shell = await container.openShell("zsh");
await setupRushWorkspace(shell, {
packageManagerConfig,
packageJson: `{
"name": "test-app",
"version": "1.0.0",
"dependencies": {
"safe-chain-test": "0.0.1-security"
}
}`,
});
const result = await shell.runCommand("cd /testapp/apps/test-app && rush update");
assert.ok(
result.output.includes("blocked 1 malicious package downloads"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("- safe-chain-test"),
`Output did not include expected text. Output was:\n${result.output}`
);
assert.ok(
result.output.includes("Exiting without installing malicious packages."),
`Output did not include expected text. Output was:\n${result.output}`
);
});
}
});
async function setupRushWorkspace(shell, options = {}) {
const packageManagerConfig = options.packageManagerConfig ?? {
versionField: "pnpmVersion",
version: "11.0.6",
};
const packageJson = options.packageJson ?? `{
"name": "test-app",
"version": "1.0.0"
}`;
const rushConfig = {
$schema: "https://developer.microsoft.com/json-schemas/rush/v5/rush.schema.json",
rushVersion: "5.175.1",
[packageManagerConfig.versionField]: packageManagerConfig.version,
nodeSupportedVersionRange: ">=18.0.0",
projectFolderMinDepth: 1,
projectFolderMaxDepth: 2,
gitPolicy: {},
repository: {
url: "https://example.com/testapp.git",
defaultBranch: "main",
},
eventHooks: {
preRushInstall: [],
postRushInstall: [],
preRushBuild: [],
postRushBuild: [],
},
projects: [
{
packageName: "test-app",
projectFolder: "apps/test-app",
},
],
};
await shell.runCommand("rm -rf /testapp/common /testapp/apps/test-app");
await shell.runCommand("mkdir -p /testapp/apps/test-app");
await writeTextFile(shell, "/testapp/rush.json", JSON.stringify(rushConfig, null, 2));
await writeTextFile(shell, "/testapp/apps/test-app/package.json", packageJson);
}
async function writeTextFile(shell, filePath, content) {
const encoded = Buffer.from(content).toString("base64");
await shell.runCommand(`printf '%s' '${encoded}' | base64 -d > ${filePath}`);
}
Reference in a new issue View git blame Copy permalink