diff --git a/hooks/scripts/pre-install-supply-chain.mjs b/hooks/scripts/pre-install-supply-chain.mjs index 4a1e736..32cb68f 100644 --- a/hooks/scripts/pre-install-supply-chain.mjs +++ b/hooks/scripts/pre-install-supply-chain.mjs @@ -152,6 +152,18 @@ async function checkNpm() { const resolvedVersion = meta.version; + // Bare/range/tag installs (`npm i axios`) parse no version, so the blocklist + // check above ran with version=null and no-oped for version-pinned entries. + // Re-check against the registry-resolved version so the offline blocklist + // still applies before any network-dependent checks. + if (isCompromised(NPM_COMPROMISED, name, resolvedVersion)) { + blocks.push( + `COMPROMISED: ${name}@${resolvedVersion} (registry-resolved)\n` + + ` Known supply chain attack. See: https://socket.dev/npm/package/${name}` + ); + continue; + } + // --- Advisory check (OSV.dev) — catches compromised established packages --- const advisories = await queryOSV('npm', name, resolvedVersion); if (advisories.critical.length > 0) { @@ -281,11 +293,28 @@ function scanNpmLockfile() { if (existsSync(lockPath)) { try { const lock = JSON.parse(readFileSync(lockPath, 'utf-8')); - for (const [key, info] of Object.entries(lock.packages || lock.dependencies || {})) { - const name = key.replace(/^node_modules\//, ''); - if (name && isCompromised(NPM_COMPROMISED, name, info.version)) { - findings.push({ name, version: info.version, source: 'package-lock.json' }); + if (lock.packages) { + // lockfileVersion 2/3: flat map keyed by install path. Non-hoisted + // copies nest ("node_modules/a/node_modules/evil") — strip to the + // LAST node_modules/ segment to recover the package name. + for (const [key, info] of Object.entries(lock.packages)) { + const name = key.replace(/^.*node_modules\//, ''); + if (name && isCompromised(NPM_COMPROMISED, name, info.version)) { + findings.push({ name, version: info.version, source: 'package-lock.json' }); + } } + } else if (lock.dependencies) { + // lockfileVersion 1: dependencies is a nested tree — recurse so a + // non-hoisted nested copy of a blocklisted package is still found. + const walk = (deps) => { + for (const [name, info] of Object.entries(deps)) { + if (info && isCompromised(NPM_COMPROMISED, name, info.version)) { + findings.push({ name, version: info.version, source: 'package-lock.json' }); + } + if (info && info.dependencies) walk(info.dependencies); + } + }; + walk(lock.dependencies); } } catch { /* ignore */ } } @@ -294,10 +323,28 @@ function scanNpmLockfile() { if (existsSync(yarnLock)) { try { const content = readFileSync(yarnLock, 'utf-8'); - for (const [pkg, versions] of Object.entries(NPM_COMPROMISED)) { - for (const v of versions) { - if (v === '*' ? content.includes(`${pkg}@`) : content.includes(`version "${v}"`) && content.includes(`${pkg}@`)) { - findings.push({ name: pkg, version: v === '*' ? '(any)' : v, source: 'yarn.lock' }); + // Parse per entry: an entry starts at column 0 with one or more specs + // ending in ':' ("pkg@range" / Berry '"pkg@npm:range"'), followed by an + // indented body carrying `version "x"` (Classic v1) or `version: x` + // (Berry v2+). The version is associated with ITS OWN entry, and the + // package name is matched exactly (no unanchored substring matching). + for (const entry of content.split(/\n(?=\S)/)) { + const nl = entry.indexOf('\n'); + if (nl === -1) continue; + const header = entry.slice(0, nl).trim(); + if (!header.endsWith(':') || header.startsWith('#')) continue; + const vMatch = entry.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/m); + const entryVersion = vMatch ? vMatch[1] : null; + const names = new Set(header.slice(0, -1).split(',').map(part => { + const spec = part.trim().replace(/^"|"$/g, ''); + const at = spec.indexOf('@', spec.startsWith('@') ? 1 : 0); + return at > 0 ? spec.slice(0, at) : spec; + })); + for (const name of names) { + for (const v of NPM_COMPROMISED[name] || []) { + if (v === '*' || v === entryVersion) { + findings.push({ name, version: v === '*' ? '(any)' : v, source: 'yarn.lock' }); + } } } } diff --git a/scanners/dep-auditor.mjs b/scanners/dep-auditor.mjs index 5927a23..efad68d 100644 --- a/scanners/dep-auditor.mjs +++ b/scanners/dep-auditor.mjs @@ -10,7 +10,7 @@ import { levenshtein, tokenize, tokenOverlap, TYPOSQUAT_SUSPICIOUS_TOKENS } from import { readFile } from 'node:fs/promises'; import { join, dirname } from 'node:path'; import { existsSync } from 'node:fs'; -import { execSync } from 'node:child_process'; +import { execSync, spawnSync } from 'node:child_process'; import { fileURLToPath } from 'node:url'; // --------------------------------------------------------------------------- @@ -181,23 +181,24 @@ function runNpmAudit(targetPath) { } /** - * Run pip audit --format json and return findings. - * Gracefully handles pip audit not installed, timeout, parse errors. + * Run pip-audit --format json against the TARGET's requirements.txt. + * Skips cleanly when the target has no requirements.txt — auditing the + * scanner host's environment would misattribute host findings to the target. + * Gracefully handles pip-audit not installed, timeout, parse errors. * @param {string} targetPath * @returns {object[]} findings */ function runPipAudit(targetPath) { const findings = []; - let raw; - try { - raw = execSync('pip audit --format json', { - cwd: targetPath, - timeout: 30_000, - stdio: ['ignore', 'pipe', 'ignore'], - }).toString(); - } catch (err) { - raw = err.stdout ? err.stdout.toString() : null; - } + const reqPath = join(targetPath, 'requirements.txt'); + if (!existsSync(reqPath)) return findings; + const res = spawnSync('pip-audit', ['--format', 'json', '-r', reqPath], { + cwd: targetPath, + timeout: 30_000, + encoding: 'utf-8', + stdio: ['ignore', 'pipe', 'ignore'], + }); + const raw = res.stdout || null; if (!raw || raw.trim().length === 0) return findings; diff --git a/tests/hooks/pre-install-supply-chain.test.mjs b/tests/hooks/pre-install-supply-chain.test.mjs index cb063de..a8820dc 100644 --- a/tests/hooks/pre-install-supply-chain.test.mjs +++ b/tests/hooks/pre-install-supply-chain.test.mjs @@ -9,8 +9,10 @@ import { describe, it } from 'node:test'; import assert from 'node:assert/strict'; -import { resolve } from 'node:path'; -import { runHook } from './hook-helper.mjs'; +import { join, resolve } from 'node:path'; +import { mkdtempSync, rmSync, writeFileSync } from 'node:fs'; +import { tmpdir } from 'node:os'; +import { runHook, runHookWithEnv } from './hook-helper.mjs'; const SCRIPT = resolve(import.meta.dirname, '../../hooks/scripts/pre-install-supply-chain.mjs'); @@ -206,3 +208,167 @@ describe('pre-install-supply-chain — E13 scope-hopping (checkScopeHop)', () => ); }); }); + +// --------------------------------------------------------------------------- +// v7.8.3 supply-chain gate fixes (#14, #15, #48, #16, #17) +// All deterministic + offline: an `npm` shim on PATH answers `npm view` +// (fixed registry metadata) and `npm audit` (empty JSON), so no network +// call is ever needed. CLAUDE_WORKING_DIR points at a per-test tmp project. +// --------------------------------------------------------------------------- + +/** Create a PATH shim dir whose `npm` answers view/audit deterministically. */ +function makeNpmShim(viewJson) { + const dir = mkdtempSync(join(tmpdir(), 'llmsec-supply-npmshim-')); + writeFileSync(join(dir, 'npm'), [ + '#!/bin/sh', + 'if [ "$1" = "view" ]; then', + ` echo '${viewJson}'`, + 'else', + " echo '{}'", + 'fi', + '', + ].join('\n'), { mode: 0o755 }); + return dir; +} + +describe('pre-install-supply-chain — v7.8.3 gate fixes', () => { + it('#14 blocks bare `npm install event-stream` when the registry resolves to compromised 3.3.6', async () => { + // parseSpec yields version=null for a bare install, so the blocklist must + // be re-checked against the registry-resolved version (meta.version). + const shimDir = makeNpmShim('{"name":"event-stream","version":"3.3.6"}'); + try { + const result = await runHookWithEnv(SCRIPT, bashPayload('npm install event-stream'), { + PATH: `${shimDir}:${process.env.PATH}`, + }); + assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`); + assert.match(result.stderr, /COMPROMISED: event-stream@3\.3\.6/); + } finally { + rmSync(shimDir, { recursive: true, force: true }); + } + }); + + it('#15 blocks bare install when lockfileVersion 3 holds a non-hoisted nested compromised copy', async () => { + const shimDir = makeNpmShim('{}'); + const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-')); + writeFileSync(join(projDir, 'package-lock.json'), JSON.stringify({ + name: 'sample', lockfileVersion: 3, packages: { + '': { name: 'sample' }, + 'node_modules/a': { version: '1.0.0' }, + 'node_modules/a/node_modules/event-stream': { version: '3.3.6' }, + }, + })); + try { + const result = await runHookWithEnv(SCRIPT, bashPayload('npm install'), { + PATH: `${shimDir}:${process.env.PATH}`, + CLAUDE_WORKING_DIR: projDir, + }); + assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`); + assert.match(result.stderr, /event-stream@3\.3\.6/); + assert.match(result.stderr, /package-lock\.json/); + } finally { + rmSync(shimDir, { recursive: true, force: true }); + rmSync(projDir, { recursive: true, force: true }); + } + }); + + it('#48 blocks bare install when lockfileVersion 1 nests a compromised copy below top level', async () => { + const shimDir = makeNpmShim('{}'); + const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-')); + writeFileSync(join(projDir, 'package-lock.json'), JSON.stringify({ + name: 'sample', lockfileVersion: 1, dependencies: { + a: { + version: '1.0.0', + dependencies: { + 'event-stream': { version: '3.3.6' }, + }, + }, + }, + })); + try { + const result = await runHookWithEnv(SCRIPT, bashPayload('npm install'), { + PATH: `${shimDir}:${process.env.PATH}`, + CLAUDE_WORKING_DIR: projDir, + }); + assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`); + assert.match(result.stderr, /event-stream@3\.3\.6/); + assert.match(result.stderr, /package-lock\.json/); + } finally { + rmSync(shimDir, { recursive: true, force: true }); + rmSync(projDir, { recursive: true, force: true }); + } + }); + + it('#16 does NOT block yarn install for a clean yarn.lock (ansi-colors + unrelated version "1.4.1")', async () => { + // Old matcher: unanchored `colors@` matched inside `ansi-colors@`, and the + // compromised colors version "1.4.1" matched a DIFFERENT entry's version + // line — two unassociated whole-file substrings caused a spurious BLOCK. + const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-')); + writeFileSync(join(projDir, 'yarn.lock'), [ + '# yarn lockfile v1', + '', + 'ansi-colors@^4.1.1:', + ' version "4.1.3"', + ' resolved "https://registry.yarnpkg.com/ansi-colors/-/ansi-colors-4.1.3.tgz"', + '', + 'harmless-pkg@^1.4.0:', + ' version "1.4.1"', + ' resolved "https://registry.yarnpkg.com/harmless-pkg/-/harmless-pkg-1.4.1.tgz"', + '', + ].join('\n')); + try { + const result = await runHookWithEnv(SCRIPT, bashPayload('yarn install'), { + CLAUDE_WORKING_DIR: projDir, + }); + assert.equal(result.code, 0, `Expected exit 0 (no block), got ${result.code}. stderr: ${result.stderr}`); + } finally { + rmSync(projDir, { recursive: true, force: true }); + } + }); + + it('#17 blocks yarn install when a Berry yarn.lock pins compromised event-stream (version: x format)', async () => { + const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-')); + writeFileSync(join(projDir, 'yarn.lock'), [ + '# This file is generated by running "yarn install" inside your project.', + '', + '__metadata:', + ' version: 8', + '', + '"event-stream@npm:^3.3.6":', + ' version: 3.3.6', + ' resolution: "event-stream@npm:3.3.6"', + '', + ].join('\n')); + try { + const result = await runHookWithEnv(SCRIPT, bashPayload('yarn install'), { + CLAUDE_WORKING_DIR: projDir, + }); + assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`); + assert.match(result.stderr, /event-stream@3\.3\.6/); + assert.match(result.stderr, /yarn\.lock/); + } finally { + rmSync(projDir, { recursive: true, force: true }); + } + }); + + it('#16/#17 still blocks yarn install for a Classic yarn.lock pinning compromised event-stream', async () => { + const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-')); + writeFileSync(join(projDir, 'yarn.lock'), [ + '# yarn lockfile v1', + '', + 'event-stream@^3.3.5:', + ' version "3.3.6"', + ' resolved "https://registry.yarnpkg.com/event-stream/-/event-stream-3.3.6.tgz"', + '', + ].join('\n')); + try { + const result = await runHookWithEnv(SCRIPT, bashPayload('yarn install'), { + CLAUDE_WORKING_DIR: projDir, + }); + assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`); + assert.match(result.stderr, /event-stream@3\.3\.6/); + assert.match(result.stderr, /yarn\.lock/); + } finally { + rmSync(projDir, { recursive: true, force: true }); + } + }); +}); diff --git a/tests/scanners/dep.test.mjs b/tests/scanners/dep.test.mjs index 7353321..152730f 100644 --- a/tests/scanners/dep.test.mjs +++ b/tests/scanners/dep.test.mjs @@ -9,8 +9,10 @@ import { describe, it, beforeEach } from 'node:test'; import assert from 'node:assert/strict'; -import { resolve } from 'node:path'; +import { join, resolve } from 'node:path'; import { fileURLToPath } from 'node:url'; +import { existsSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs'; +import { tmpdir } from 'node:os'; import { resetCounter } from '../../scanners/lib/output.mjs'; import { scan } from '../../scanners/dep-auditor.mjs'; @@ -129,3 +131,93 @@ describe('dep-auditor integration', () => { assert.equal(result.findings[0].id, 'DS-DEP-001'); }); }); + +// --------------------------------------------------------------------------- +// pip-audit invocation (v7.8.3 #18/#19) +// The scanner must invoke the real `pip-audit` binary (not the nonexistent +// `pip audit` subcommand), and it must audit the TARGET's requirements.txt +// (-r /requirements.txt) — never the scanner host's environment. +// Both binaries are shimmed on PATH so the tests are deterministic + offline: +// pip-audit — records its argv and emits one fixed vulnerability +// pip — emits a "host environment" vulnerability the scanner must +// never surface (proves host-env audits are gone) +// --------------------------------------------------------------------------- + +function makePipShims(shimDir, argvLog) { + writeFileSync(join(shimDir, 'pip-audit'), [ + '#!/bin/sh', + `echo "$@" > "${argvLog}"`, + `echo '{"dependencies":[{"name":"requests","version":"2.0.0","vulns":[{"id":"PYSEC-TEST-0001","fix_versions":["2.31.0"],"description":"shim vulnerability"}]}]}'`, + '', + ].join('\n'), { mode: 0o755 }); + writeFileSync(join(shimDir, 'pip'), [ + '#!/bin/sh', + `echo '{"dependencies":[{"name":"host-only-pkg","version":"1.0.0","vulns":[{"id":"PYSEC-HOST-9999","fix_versions":[],"description":"host environment"}]}]}'`, + '', + ].join('\n'), { mode: 0o755 }); +} + +describe('dep-auditor pip-audit invocation', () => { + beforeEach(() => { + resetCounter(); + }); + + it('invokes pip-audit with -r /requirements.txt (not "pip audit" against the host)', async () => { + const shimDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-shim-')); + const target = mkdtempSync(join(tmpdir(), 'llmsec-supply-target-')); + const argvLog = join(shimDir, 'argv.log'); + makePipShims(shimDir, argvLog); + writeFileSync(join(target, 'requirements.txt'), 'requests==2.0.0\n'); + + const oldPath = process.env.PATH; + process.env.PATH = `${shimDir}:${oldPath}`; + try { + const result = await scan(target, { files: [] }); + assert.equal(result.status, 'ok', `Expected status 'ok', got '${result.status}'`); + + const shimFinding = result.findings.find(f => f.title.includes('PYSEC-TEST-0001')); + assert.ok( + shimFinding, + `Expected a finding from the pip-audit shim (PYSEC-TEST-0001). ` + + `Findings: ${result.findings.map(f => f.title).join('; ')}` + ); + const hostFinding = result.findings.find(f => f.title.includes('PYSEC-HOST-9999')); + assert.equal(hostFinding, undefined, 'Host-environment audit result must never be surfaced'); + + assert.ok(existsSync(argvLog), 'pip-audit shim was never invoked'); + const argv = readFileSync(argvLog, 'utf8'); + assert.match(argv, /-r/, `pip-audit must receive -r, got argv: ${argv}`); + assert.ok( + argv.includes(join(target, 'requirements.txt')), + `pip-audit must audit the target requirements.txt, got argv: ${argv}` + ); + } finally { + process.env.PATH = oldPath; + rmSync(shimDir, { recursive: true, force: true }); + rmSync(target, { recursive: true, force: true }); + } + }); + + it('skips the CVE audit cleanly when the target has pyproject.toml but no requirements.txt', async () => { + const shimDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-shim-')); + const target = mkdtempSync(join(tmpdir(), 'llmsec-supply-target-')); + const argvLog = join(shimDir, 'argv.log'); + makePipShims(shimDir, argvLog); + writeFileSync(join(target, 'pyproject.toml'), '[project]\nname = "sample"\n'); + + const oldPath = process.env.PATH; + process.env.PATH = `${shimDir}:${oldPath}`; + try { + const result = await scan(target, { files: [] }); + assert.equal(result.status, 'ok', `Expected status 'ok', got '${result.status}'`); + + const hostFinding = result.findings.find(f => f.title.includes('PYSEC-HOST-9999')); + assert.equal(hostFinding, undefined, 'Without requirements.txt the host env must not be audited'); + assert.equal(existsSync(argvLog), false, 'pip-audit must not run when requirements.txt is absent'); + } finally { + process.env.PATH = oldPath; + rmSync(shimDir, { recursive: true, force: true }); + rmSync(target, { recursive: true, force: true }); + } + }); +});