ktg-plugin-marketplace/plugins/llm-security/tests/hooks/pre-install-supply-chain.test.mjs

// pre-install-supply-chain.test.mjs — Tests for hooks/scripts/pre-install-supply-chain.mjs
// Zero external dependencies: node:test + node:assert only.
//
// IMPORTANT: This hook makes network calls for unknown packages (npm view, PyPI API, OSV.dev).
// We ONLY test deterministic behavior:
//   1. Non-install commands that exit immediately (no network)
//   2. Known-compromised packages from the hardcoded blocklist (no network needed)
// Any test requiring a network response is excluded.

import { describe, it } from 'node:test';
import assert from 'node:assert/strict';
import { resolve } from 'node:path';
import { runHook } from './hook-helper.mjs';

const SCRIPT = resolve(import.meta.dirname, '../../hooks/scripts/pre-install-supply-chain.mjs');

function bashPayload(command) {
  return { tool_name: 'Bash', tool_input: { command } };
}

// ---------------------------------------------------------------------------
// ALLOW cases — non-install commands exit immediately without network calls
// ---------------------------------------------------------------------------

describe('pre-install-supply-chain — ALLOW (non-install commands)', () => {
  it('allows ls -la immediately because it is not a package install command', async () => {
    const result = await runHook(SCRIPT, bashPayload('ls -la'));
    assert.equal(result.code, 0);
  });

  it('allows npm run build immediately because it is not an install command', async () => {
    const result = await runHook(SCRIPT, bashPayload('npm run build'));
    assert.equal(result.code, 0);
  });

  it('allows git status immediately because it is not a package install command', async () => {
    const result = await runHook(SCRIPT, bashPayload('git status'));
    assert.equal(result.code, 0);
  });

  it('exits 0 gracefully when stdin is not valid JSON', async () => {
    const result = await runHook(SCRIPT, 'not json {{{');
    assert.equal(result.code, 0);
  });
});

// ---------------------------------------------------------------------------
// BLOCK cases — known-compromised packages from hardcoded blocklist
// These are deterministic: no network call is needed because the name/version
// matches the in-memory NPM_COMPROMISED or PIP_COMPROMISED map.
// ---------------------------------------------------------------------------

describe('pre-install-supply-chain — BLOCK (hardcoded compromised blocklist)', () => {
  it('blocks npm install event-stream@3.3.6 (NPM_COMPROMISED — known supply chain attack)', async () => {
    const result = await runHook(SCRIPT, bashPayload('npm install event-stream@3.3.6'));
    assert.equal(result.code, 2);
    assert.match(result.stderr, /BLOCKED|COMPROMISED/i);
    assert.match(result.stderr, /event-stream/);
  });

  it('blocks npm install ua-parser-js@0.7.29 (NPM_COMPROMISED — known supply chain attack)', async () => {
    const result = await runHook(SCRIPT, bashPayload('npm install ua-parser-js@0.7.29'));
    assert.equal(result.code, 2);
    assert.match(result.stderr, /BLOCKED|COMPROMISED/i);
    assert.match(result.stderr, /ua-parser-js/);
  });

  it('blocks pip install jeIlyfish (PIP_COMPROMISED — homoglyph typosquat of jellyfish)', async () => {
    const result = await runHook(SCRIPT, bashPayload('pip install jeIlyfish'));
    assert.equal(result.code, 2);
    assert.match(result.stderr, /BLOCKED|COMPROMISED/i);
    assert.match(result.stderr, /jeIlyfish/);
  });

  it('blocks pip install python3-dateutil (PIP_COMPROMISED — python-dateutil typosquat)', async () => {
    const result = await runHook(SCRIPT, bashPayload('pip install python3-dateutil'));
    assert.equal(result.code, 2);
    assert.match(result.stderr, /BLOCKED|COMPROMISED/i);
    assert.match(result.stderr, /python3-dateutil/);
  });
});

// ---------------------------------------------------------------------------
// BASH EVASION — obfuscated package install commands that should be caught
// after normalizeBashExpansion deobfuscates them.
// Single-char ${x} evasion uses variable name = intended character.
// ---------------------------------------------------------------------------

describe('pre-install-supply-chain — bash evasion BLOCK cases', () => {
  it('blocks n""pm install event-stream@3.3.6 (empty quote evasion)', async () => {
    const result = await runHook(SCRIPT, bashPayload('n""pm install event-stream@3.3.6'));
    assert.equal(result.code, 2);
    assert.match(result.stderr, /BLOCKED|COMPROMISED/i);
    assert.match(result.stderr, /event-stream/);
  });

  it('blocks n${p}m install ua-parser-js@0.7.29 (single-char expansion: p=p)', async () => {
    const result = await runHook(SCRIPT, bashPayload('n${p}m install ua-parser-js@0.7.29'));
    assert.equal(result.code, 2);
    assert.match(result.stderr, /BLOCKED|COMPROMISED/i);
    assert.match(result.stderr, /ua-parser-js/);
  });

  it("blocks p''ip install jeIlyfish (single quote evasion)", async () => {
    const result = await runHook(SCRIPT, bashPayload("p''ip install jeIlyfish"));
    assert.equal(result.code, 2);
    assert.match(result.stderr, /BLOCKED|COMPROMISED/i);
    assert.match(result.stderr, /jeIlyfish/);
  });

  it('blocks p${i}p install python3-dateutil (single-char expansion: i=i)', async () => {
    const result = await runHook(SCRIPT, bashPayload('p${i}p install python3-dateutil'));
    assert.equal(result.code, 2);
    assert.match(result.stderr, /BLOCKED|COMPROMISED/i);
    assert.match(result.stderr, /python3-dateutil/);
  });

  it("blocks y''arn add event-stream@3.3.6 (yarn with quote evasion)", async () => {
    const result = await runHook(SCRIPT, bashPayload("y''arn add event-stream@3.3.6"));
    assert.equal(result.code, 2);
    assert.match(result.stderr, /BLOCKED|COMPROMISED/i);
    assert.match(result.stderr, /event-stream/);
  });
});

describe('pre-install-supply-chain — bash evasion ALLOW (non-install)', () => {
  it('allows l""s -la (non-install command, even with evasion)', async () => {
    const result = await runHook(SCRIPT, bashPayload('l""s -la'));
    assert.equal(result.code, 0);
  });

  it('allows g${i}t status (non-install command)', async () => {
    const result = await runHook(SCRIPT, bashPayload('g${i}t status'));
    assert.equal(result.code, 0);
  });
});