fix(llm-security): supply-chain gate bypasses — npm/yarn blocklist + pip-audit (#14-#19,#48)
#18 dep-auditor called 'pip audit' (no such subcommand) so Python CVE detection was a permanent silent no-op; now spawns 'pip-audit' with an argv array. #19 it audited the scanner HOST's env with results mislabelled to the target's requirements.txt; now audits the target via -r and skips cleanly when absent. #14 the offline npm blocklist was skipped for bare/range/tag installs because it used the (null) parsed-spec version; now re-checks the resolved version before the OSV network path. #15 non-hoisted nested lockfile keys derived the wrong package name (leading-only node_modules/ strip); now strips to the last segment. #48 lockfileVersion-1 nested dependency trees are now walked recursively. #16/#17 the yarn.lock matcher paired two unassociated whole-file substrings with an unanchored pkg@ (false BLOCK of a legit package) and only matched Yarn Classic quoted versions (Berry known-malware allowed); rewritten as a per-entry parser that associates version to its own entry, anchors the name, and matches both Classic and Berry. Suite 1931/0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TcQyMTQfyrsAapaCMPxTtQ
This commit is contained in:
parent
76f190cf78
commit
196517f38a
4 changed files with 330 additions and 24 deletions
|
|
@ -152,6 +152,18 @@ async function checkNpm() {
|
|||
|
||||
const resolvedVersion = meta.version;
|
||||
|
||||
// Bare/range/tag installs (`npm i axios`) parse no version, so the blocklist
|
||||
// check above ran with version=null and no-oped for version-pinned entries.
|
||||
// Re-check against the registry-resolved version so the offline blocklist
|
||||
// still applies before any network-dependent checks.
|
||||
if (isCompromised(NPM_COMPROMISED, name, resolvedVersion)) {
|
||||
blocks.push(
|
||||
`COMPROMISED: ${name}@${resolvedVersion} (registry-resolved)\n` +
|
||||
` Known supply chain attack. See: https://socket.dev/npm/package/${name}`
|
||||
);
|
||||
continue;
|
||||
}
|
||||
|
||||
// --- Advisory check (OSV.dev) — catches compromised established packages ---
|
||||
const advisories = await queryOSV('npm', name, resolvedVersion);
|
||||
if (advisories.critical.length > 0) {
|
||||
|
|
@ -281,11 +293,28 @@ function scanNpmLockfile() {
|
|||
if (existsSync(lockPath)) {
|
||||
try {
|
||||
const lock = JSON.parse(readFileSync(lockPath, 'utf-8'));
|
||||
for (const [key, info] of Object.entries(lock.packages || lock.dependencies || {})) {
|
||||
const name = key.replace(/^node_modules\//, '');
|
||||
if (name && isCompromised(NPM_COMPROMISED, name, info.version)) {
|
||||
findings.push({ name, version: info.version, source: 'package-lock.json' });
|
||||
if (lock.packages) {
|
||||
// lockfileVersion 2/3: flat map keyed by install path. Non-hoisted
|
||||
// copies nest ("node_modules/a/node_modules/evil") — strip to the
|
||||
// LAST node_modules/ segment to recover the package name.
|
||||
for (const [key, info] of Object.entries(lock.packages)) {
|
||||
const name = key.replace(/^.*node_modules\//, '');
|
||||
if (name && isCompromised(NPM_COMPROMISED, name, info.version)) {
|
||||
findings.push({ name, version: info.version, source: 'package-lock.json' });
|
||||
}
|
||||
}
|
||||
} else if (lock.dependencies) {
|
||||
// lockfileVersion 1: dependencies is a nested tree — recurse so a
|
||||
// non-hoisted nested copy of a blocklisted package is still found.
|
||||
const walk = (deps) => {
|
||||
for (const [name, info] of Object.entries(deps)) {
|
||||
if (info && isCompromised(NPM_COMPROMISED, name, info.version)) {
|
||||
findings.push({ name, version: info.version, source: 'package-lock.json' });
|
||||
}
|
||||
if (info && info.dependencies) walk(info.dependencies);
|
||||
}
|
||||
};
|
||||
walk(lock.dependencies);
|
||||
}
|
||||
} catch { /* ignore */ }
|
||||
}
|
||||
|
|
@ -294,10 +323,28 @@ function scanNpmLockfile() {
|
|||
if (existsSync(yarnLock)) {
|
||||
try {
|
||||
const content = readFileSync(yarnLock, 'utf-8');
|
||||
for (const [pkg, versions] of Object.entries(NPM_COMPROMISED)) {
|
||||
for (const v of versions) {
|
||||
if (v === '*' ? content.includes(`${pkg}@`) : content.includes(`version "${v}"`) && content.includes(`${pkg}@`)) {
|
||||
findings.push({ name: pkg, version: v === '*' ? '(any)' : v, source: 'yarn.lock' });
|
||||
// Parse per entry: an entry starts at column 0 with one or more specs
|
||||
// ending in ':' ("pkg@range" / Berry '"pkg@npm:range"'), followed by an
|
||||
// indented body carrying `version "x"` (Classic v1) or `version: x`
|
||||
// (Berry v2+). The version is associated with ITS OWN entry, and the
|
||||
// package name is matched exactly (no unanchored substring matching).
|
||||
for (const entry of content.split(/\n(?=\S)/)) {
|
||||
const nl = entry.indexOf('\n');
|
||||
if (nl === -1) continue;
|
||||
const header = entry.slice(0, nl).trim();
|
||||
if (!header.endsWith(':') || header.startsWith('#')) continue;
|
||||
const vMatch = entry.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/m);
|
||||
const entryVersion = vMatch ? vMatch[1] : null;
|
||||
const names = new Set(header.slice(0, -1).split(',').map(part => {
|
||||
const spec = part.trim().replace(/^"|"$/g, '');
|
||||
const at = spec.indexOf('@', spec.startsWith('@') ? 1 : 0);
|
||||
return at > 0 ? spec.slice(0, at) : spec;
|
||||
}));
|
||||
for (const name of names) {
|
||||
for (const v of NPM_COMPROMISED[name] || []) {
|
||||
if (v === '*' || v === entryVersion) {
|
||||
findings.push({ name, version: v === '*' ? '(any)' : v, source: 'yarn.lock' });
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ import { levenshtein, tokenize, tokenOverlap, TYPOSQUAT_SUSPICIOUS_TOKENS } from
|
|||
import { readFile } from 'node:fs/promises';
|
||||
import { join, dirname } from 'node:path';
|
||||
import { existsSync } from 'node:fs';
|
||||
import { execSync } from 'node:child_process';
|
||||
import { execSync, spawnSync } from 'node:child_process';
|
||||
import { fileURLToPath } from 'node:url';
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
|
@ -181,23 +181,24 @@ function runNpmAudit(targetPath) {
|
|||
}
|
||||
|
||||
/**
|
||||
* Run pip audit --format json and return findings.
|
||||
* Gracefully handles pip audit not installed, timeout, parse errors.
|
||||
* Run pip-audit --format json against the TARGET's requirements.txt.
|
||||
* Skips cleanly when the target has no requirements.txt — auditing the
|
||||
* scanner host's environment would misattribute host findings to the target.
|
||||
* Gracefully handles pip-audit not installed, timeout, parse errors.
|
||||
* @param {string} targetPath
|
||||
* @returns {object[]} findings
|
||||
*/
|
||||
function runPipAudit(targetPath) {
|
||||
const findings = [];
|
||||
let raw;
|
||||
try {
|
||||
raw = execSync('pip audit --format json', {
|
||||
cwd: targetPath,
|
||||
timeout: 30_000,
|
||||
stdio: ['ignore', 'pipe', 'ignore'],
|
||||
}).toString();
|
||||
} catch (err) {
|
||||
raw = err.stdout ? err.stdout.toString() : null;
|
||||
}
|
||||
const reqPath = join(targetPath, 'requirements.txt');
|
||||
if (!existsSync(reqPath)) return findings;
|
||||
const res = spawnSync('pip-audit', ['--format', 'json', '-r', reqPath], {
|
||||
cwd: targetPath,
|
||||
timeout: 30_000,
|
||||
encoding: 'utf-8',
|
||||
stdio: ['ignore', 'pipe', 'ignore'],
|
||||
});
|
||||
const raw = res.stdout || null;
|
||||
|
||||
if (!raw || raw.trim().length === 0) return findings;
|
||||
|
||||
|
|
|
|||
|
|
@ -9,8 +9,10 @@
|
|||
|
||||
import { describe, it } from 'node:test';
|
||||
import assert from 'node:assert/strict';
|
||||
import { resolve } from 'node:path';
|
||||
import { runHook } from './hook-helper.mjs';
|
||||
import { join, resolve } from 'node:path';
|
||||
import { mkdtempSync, rmSync, writeFileSync } from 'node:fs';
|
||||
import { tmpdir } from 'node:os';
|
||||
import { runHook, runHookWithEnv } from './hook-helper.mjs';
|
||||
|
||||
const SCRIPT = resolve(import.meta.dirname, '../../hooks/scripts/pre-install-supply-chain.mjs');
|
||||
|
||||
|
|
@ -206,3 +208,167 @@ describe('pre-install-supply-chain — E13 scope-hopping (checkScopeHop)', () =>
|
|||
);
|
||||
});
|
||||
});
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// v7.8.3 supply-chain gate fixes (#14, #15, #48, #16, #17)
|
||||
// All deterministic + offline: an `npm` shim on PATH answers `npm view`
|
||||
// (fixed registry metadata) and `npm audit` (empty JSON), so no network
|
||||
// call is ever needed. CLAUDE_WORKING_DIR points at a per-test tmp project.
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
/** Create a PATH shim dir whose `npm` answers view/audit deterministically. */
|
||||
function makeNpmShim(viewJson) {
|
||||
const dir = mkdtempSync(join(tmpdir(), 'llmsec-supply-npmshim-'));
|
||||
writeFileSync(join(dir, 'npm'), [
|
||||
'#!/bin/sh',
|
||||
'if [ "$1" = "view" ]; then',
|
||||
` echo '${viewJson}'`,
|
||||
'else',
|
||||
" echo '{}'",
|
||||
'fi',
|
||||
'',
|
||||
].join('\n'), { mode: 0o755 });
|
||||
return dir;
|
||||
}
|
||||
|
||||
describe('pre-install-supply-chain — v7.8.3 gate fixes', () => {
|
||||
it('#14 blocks bare `npm install event-stream` when the registry resolves to compromised 3.3.6', async () => {
|
||||
// parseSpec yields version=null for a bare install, so the blocklist must
|
||||
// be re-checked against the registry-resolved version (meta.version).
|
||||
const shimDir = makeNpmShim('{"name":"event-stream","version":"3.3.6"}');
|
||||
try {
|
||||
const result = await runHookWithEnv(SCRIPT, bashPayload('npm install event-stream'), {
|
||||
PATH: `${shimDir}:${process.env.PATH}`,
|
||||
});
|
||||
assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`);
|
||||
assert.match(result.stderr, /COMPROMISED: event-stream@3\.3\.6/);
|
||||
} finally {
|
||||
rmSync(shimDir, { recursive: true, force: true });
|
||||
}
|
||||
});
|
||||
|
||||
it('#15 blocks bare install when lockfileVersion 3 holds a non-hoisted nested compromised copy', async () => {
|
||||
const shimDir = makeNpmShim('{}');
|
||||
const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-'));
|
||||
writeFileSync(join(projDir, 'package-lock.json'), JSON.stringify({
|
||||
name: 'sample', lockfileVersion: 3, packages: {
|
||||
'': { name: 'sample' },
|
||||
'node_modules/a': { version: '1.0.0' },
|
||||
'node_modules/a/node_modules/event-stream': { version: '3.3.6' },
|
||||
},
|
||||
}));
|
||||
try {
|
||||
const result = await runHookWithEnv(SCRIPT, bashPayload('npm install'), {
|
||||
PATH: `${shimDir}:${process.env.PATH}`,
|
||||
CLAUDE_WORKING_DIR: projDir,
|
||||
});
|
||||
assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`);
|
||||
assert.match(result.stderr, /event-stream@3\.3\.6/);
|
||||
assert.match(result.stderr, /package-lock\.json/);
|
||||
} finally {
|
||||
rmSync(shimDir, { recursive: true, force: true });
|
||||
rmSync(projDir, { recursive: true, force: true });
|
||||
}
|
||||
});
|
||||
|
||||
it('#48 blocks bare install when lockfileVersion 1 nests a compromised copy below top level', async () => {
|
||||
const shimDir = makeNpmShim('{}');
|
||||
const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-'));
|
||||
writeFileSync(join(projDir, 'package-lock.json'), JSON.stringify({
|
||||
name: 'sample', lockfileVersion: 1, dependencies: {
|
||||
a: {
|
||||
version: '1.0.0',
|
||||
dependencies: {
|
||||
'event-stream': { version: '3.3.6' },
|
||||
},
|
||||
},
|
||||
},
|
||||
}));
|
||||
try {
|
||||
const result = await runHookWithEnv(SCRIPT, bashPayload('npm install'), {
|
||||
PATH: `${shimDir}:${process.env.PATH}`,
|
||||
CLAUDE_WORKING_DIR: projDir,
|
||||
});
|
||||
assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`);
|
||||
assert.match(result.stderr, /event-stream@3\.3\.6/);
|
||||
assert.match(result.stderr, /package-lock\.json/);
|
||||
} finally {
|
||||
rmSync(shimDir, { recursive: true, force: true });
|
||||
rmSync(projDir, { recursive: true, force: true });
|
||||
}
|
||||
});
|
||||
|
||||
it('#16 does NOT block yarn install for a clean yarn.lock (ansi-colors + unrelated version "1.4.1")', async () => {
|
||||
// Old matcher: unanchored `colors@` matched inside `ansi-colors@`, and the
|
||||
// compromised colors version "1.4.1" matched a DIFFERENT entry's version
|
||||
// line — two unassociated whole-file substrings caused a spurious BLOCK.
|
||||
const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-'));
|
||||
writeFileSync(join(projDir, 'yarn.lock'), [
|
||||
'# yarn lockfile v1',
|
||||
'',
|
||||
'ansi-colors@^4.1.1:',
|
||||
' version "4.1.3"',
|
||||
' resolved "https://registry.yarnpkg.com/ansi-colors/-/ansi-colors-4.1.3.tgz"',
|
||||
'',
|
||||
'harmless-pkg@^1.4.0:',
|
||||
' version "1.4.1"',
|
||||
' resolved "https://registry.yarnpkg.com/harmless-pkg/-/harmless-pkg-1.4.1.tgz"',
|
||||
'',
|
||||
].join('\n'));
|
||||
try {
|
||||
const result = await runHookWithEnv(SCRIPT, bashPayload('yarn install'), {
|
||||
CLAUDE_WORKING_DIR: projDir,
|
||||
});
|
||||
assert.equal(result.code, 0, `Expected exit 0 (no block), got ${result.code}. stderr: ${result.stderr}`);
|
||||
} finally {
|
||||
rmSync(projDir, { recursive: true, force: true });
|
||||
}
|
||||
});
|
||||
|
||||
it('#17 blocks yarn install when a Berry yarn.lock pins compromised event-stream (version: x format)', async () => {
|
||||
const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-'));
|
||||
writeFileSync(join(projDir, 'yarn.lock'), [
|
||||
'# This file is generated by running "yarn install" inside your project.',
|
||||
'',
|
||||
'__metadata:',
|
||||
' version: 8',
|
||||
'',
|
||||
'"event-stream@npm:^3.3.6":',
|
||||
' version: 3.3.6',
|
||||
' resolution: "event-stream@npm:3.3.6"',
|
||||
'',
|
||||
].join('\n'));
|
||||
try {
|
||||
const result = await runHookWithEnv(SCRIPT, bashPayload('yarn install'), {
|
||||
CLAUDE_WORKING_DIR: projDir,
|
||||
});
|
||||
assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`);
|
||||
assert.match(result.stderr, /event-stream@3\.3\.6/);
|
||||
assert.match(result.stderr, /yarn\.lock/);
|
||||
} finally {
|
||||
rmSync(projDir, { recursive: true, force: true });
|
||||
}
|
||||
});
|
||||
|
||||
it('#16/#17 still blocks yarn install for a Classic yarn.lock pinning compromised event-stream', async () => {
|
||||
const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-'));
|
||||
writeFileSync(join(projDir, 'yarn.lock'), [
|
||||
'# yarn lockfile v1',
|
||||
'',
|
||||
'event-stream@^3.3.5:',
|
||||
' version "3.3.6"',
|
||||
' resolved "https://registry.yarnpkg.com/event-stream/-/event-stream-3.3.6.tgz"',
|
||||
'',
|
||||
].join('\n'));
|
||||
try {
|
||||
const result = await runHookWithEnv(SCRIPT, bashPayload('yarn install'), {
|
||||
CLAUDE_WORKING_DIR: projDir,
|
||||
});
|
||||
assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`);
|
||||
assert.match(result.stderr, /event-stream@3\.3\.6/);
|
||||
assert.match(result.stderr, /yarn\.lock/);
|
||||
} finally {
|
||||
rmSync(projDir, { recursive: true, force: true });
|
||||
}
|
||||
});
|
||||
});
|
||||
|
|
|
|||
|
|
@ -9,8 +9,10 @@
|
|||
|
||||
import { describe, it, beforeEach } from 'node:test';
|
||||
import assert from 'node:assert/strict';
|
||||
import { resolve } from 'node:path';
|
||||
import { join, resolve } from 'node:path';
|
||||
import { fileURLToPath } from 'node:url';
|
||||
import { existsSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
|
||||
import { tmpdir } from 'node:os';
|
||||
import { resetCounter } from '../../scanners/lib/output.mjs';
|
||||
import { scan } from '../../scanners/dep-auditor.mjs';
|
||||
|
||||
|
|
@ -129,3 +131,93 @@ describe('dep-auditor integration', () => {
|
|||
assert.equal(result.findings[0].id, 'DS-DEP-001');
|
||||
});
|
||||
});
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// pip-audit invocation (v7.8.3 #18/#19)
|
||||
// The scanner must invoke the real `pip-audit` binary (not the nonexistent
|
||||
// `pip audit` subcommand), and it must audit the TARGET's requirements.txt
|
||||
// (-r <target>/requirements.txt) — never the scanner host's environment.
|
||||
// Both binaries are shimmed on PATH so the tests are deterministic + offline:
|
||||
// pip-audit — records its argv and emits one fixed vulnerability
|
||||
// pip — emits a "host environment" vulnerability the scanner must
|
||||
// never surface (proves host-env audits are gone)
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
function makePipShims(shimDir, argvLog) {
|
||||
writeFileSync(join(shimDir, 'pip-audit'), [
|
||||
'#!/bin/sh',
|
||||
`echo "$@" > "${argvLog}"`,
|
||||
`echo '{"dependencies":[{"name":"requests","version":"2.0.0","vulns":[{"id":"PYSEC-TEST-0001","fix_versions":["2.31.0"],"description":"shim vulnerability"}]}]}'`,
|
||||
'',
|
||||
].join('\n'), { mode: 0o755 });
|
||||
writeFileSync(join(shimDir, 'pip'), [
|
||||
'#!/bin/sh',
|
||||
`echo '{"dependencies":[{"name":"host-only-pkg","version":"1.0.0","vulns":[{"id":"PYSEC-HOST-9999","fix_versions":[],"description":"host environment"}]}]}'`,
|
||||
'',
|
||||
].join('\n'), { mode: 0o755 });
|
||||
}
|
||||
|
||||
describe('dep-auditor pip-audit invocation', () => {
|
||||
beforeEach(() => {
|
||||
resetCounter();
|
||||
});
|
||||
|
||||
it('invokes pip-audit with -r <target>/requirements.txt (not "pip audit" against the host)', async () => {
|
||||
const shimDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-shim-'));
|
||||
const target = mkdtempSync(join(tmpdir(), 'llmsec-supply-target-'));
|
||||
const argvLog = join(shimDir, 'argv.log');
|
||||
makePipShims(shimDir, argvLog);
|
||||
writeFileSync(join(target, 'requirements.txt'), 'requests==2.0.0\n');
|
||||
|
||||
const oldPath = process.env.PATH;
|
||||
process.env.PATH = `${shimDir}:${oldPath}`;
|
||||
try {
|
||||
const result = await scan(target, { files: [] });
|
||||
assert.equal(result.status, 'ok', `Expected status 'ok', got '${result.status}'`);
|
||||
|
||||
const shimFinding = result.findings.find(f => f.title.includes('PYSEC-TEST-0001'));
|
||||
assert.ok(
|
||||
shimFinding,
|
||||
`Expected a finding from the pip-audit shim (PYSEC-TEST-0001). ` +
|
||||
`Findings: ${result.findings.map(f => f.title).join('; ')}`
|
||||
);
|
||||
const hostFinding = result.findings.find(f => f.title.includes('PYSEC-HOST-9999'));
|
||||
assert.equal(hostFinding, undefined, 'Host-environment audit result must never be surfaced');
|
||||
|
||||
assert.ok(existsSync(argvLog), 'pip-audit shim was never invoked');
|
||||
const argv = readFileSync(argvLog, 'utf8');
|
||||
assert.match(argv, /-r/, `pip-audit must receive -r, got argv: ${argv}`);
|
||||
assert.ok(
|
||||
argv.includes(join(target, 'requirements.txt')),
|
||||
`pip-audit must audit the target requirements.txt, got argv: ${argv}`
|
||||
);
|
||||
} finally {
|
||||
process.env.PATH = oldPath;
|
||||
rmSync(shimDir, { recursive: true, force: true });
|
||||
rmSync(target, { recursive: true, force: true });
|
||||
}
|
||||
});
|
||||
|
||||
it('skips the CVE audit cleanly when the target has pyproject.toml but no requirements.txt', async () => {
|
||||
const shimDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-shim-'));
|
||||
const target = mkdtempSync(join(tmpdir(), 'llmsec-supply-target-'));
|
||||
const argvLog = join(shimDir, 'argv.log');
|
||||
makePipShims(shimDir, argvLog);
|
||||
writeFileSync(join(target, 'pyproject.toml'), '[project]\nname = "sample"\n');
|
||||
|
||||
const oldPath = process.env.PATH;
|
||||
process.env.PATH = `${shimDir}:${oldPath}`;
|
||||
try {
|
||||
const result = await scan(target, { files: [] });
|
||||
assert.equal(result.status, 'ok', `Expected status 'ok', got '${result.status}'`);
|
||||
|
||||
const hostFinding = result.findings.find(f => f.title.includes('PYSEC-HOST-9999'));
|
||||
assert.equal(hostFinding, undefined, 'Without requirements.txt the host env must not be audited');
|
||||
assert.equal(existsSync(argvLog), false, 'pip-audit must not run when requirements.txt is absent');
|
||||
} finally {
|
||||
process.env.PATH = oldPath;
|
||||
rmSync(shimDir, { recursive: true, force: true });
|
||||
rmSync(target, { recursive: true, force: true });
|
||||
}
|
||||
});
|
||||
});
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue