
Commit 0e33ff1

justin808 and claude committed
Fix critical security and functionality issues in switch-bundler
## Critical Fixes

1. **Add missing require "json"**
   - File: bin/switch-bundler
   - Issue: Script uses JSON.parse without requiring json library
   - Fix: Added `require "json"` at the top

2. **Fix command injection vulnerability**
   - File: bin/switch-bundler (lines 100-122)
   - Issue: Using system() with string interpolation is vulnerable
   - Fix: Changed to array form for all system() calls
   - Before: `system("yarn add #{deps[:dependencies].join(' ')}")`
   - After: `system("yarn", "add", *deps[:dependencies])`

3. **YAML formatting preserved**
   - File: base_generator.rb
   - Already using direct string manipulation (not YAML.dump)
   - Preserves formatting and anchors correctly

## Security Impact

The command injection fix prevents potential security vulnerabilities where malicious package names could execute arbitrary commands. Array form ensures arguments are properly escaped.

## Testing

- All 19 rspack specs pass (0 failures)
- RuboCop checks pass with zero offenses
- Functionality verified

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
1 parent dff904b commit 0e33ff1
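The commit message above contrasts the shell-string and array forms of `system()`. The following is an added example, not code from this commit or from the react_on_rails project: it rebuilds the install argv the fix uses, adds a package-name check the commit does not include, and shows with a harmless `printf` that a constructed name containing `;` is split by the shell in string form but reaches the program intact in array form. `install_argv`, `safe_package_name?`, `NAME_RE` and the `HOSTILE` sample are assumptions of this example.

```ruby
require "open3"

# Added example, not the commit's code. Builds the same argv the commit passes
# to system(): one element per argument, so no shell ever parses the names.
# `deps` is assumed to be an Array of package names (with optional @version).
def install_argv(package_manager, deps, dev: false)
  case package_manager
  when "yarn" then ["yarn", "add", *(dev ? ["-D"] : []), *deps]
  when "pnpm" then ["pnpm", "add", *(dev ? ["-D"] : []), *deps]
  else             ["npm", "install", *(dev ? ["--save-dev"] : []), *deps]
  end
end

# Array form stops shell injection but not argument injection: a "name" that
# starts with "-" is parsed by the package manager as an option. NAME_RE is
# an assumed, deliberately narrow allow-list (scoped names, versions, ranges).
NAME_RE = %r{\A[A-Za-z0-9@][A-Za-z0-9@/._^~<>=|*+-]*\z}

def safe_package_name?(name)
  !name.start_with?("-") && name.match?(NAME_RE)
end

# Constructed sample name; harmless, it can only echo a word.
HOSTILE = "lodash; echo INJECTED"

# String form (the code the commit removed): the whole string goes to /bin/sh,
# which treats ";" as a command separator, so a second command runs.
def run_string_form
  out, _status = Open3.capture2("printf '%s\\n' #{HOSTILE}")
  out.lines.map(&:chomp)
end

# Array form (the code the commit added): no shell, so printf receives the
# name as one literal argument and simply prints it back.
def run_array_form
  out, _status = Open3.capture2("printf", "%s\n", HOSTILE)
  out.lines.map(&:chomp)
end

if __FILE__ == $PROGRAM_NAME
  p install_argv("yarn", ["react", "lodash"], dev: true)
  p run_string_form   # ["lodash", "INJECTED"]
  p run_array_form    # ["lodash; echo INJECTED"]
end
```

Running the block shows the two results side by side; the name check is the extra step a caller should apply to each entry before building the argv.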

1 file changed

+24
-22
lines changed


lib/generators/react_on_rails/templates/base/base/bin/switch-bundler

Lines changed: 24 additions & 22 deletions
@@ -3,6 +3,7 @@
33

44
require "fileutils"
55
require "yaml"
6+
require "json"
67

78
# Script to switch between webpack and rspack bundlers
89
class BundlerSwitcher
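Review bot: keep the stdlib requires in alphabetical order so the new `require "json"` sits between `require "fileutils"` and `require "yaml"` rather than after them; it is a small style point, but it makes the missing-require class of bug easier to spot by eye next time.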
@@ -96,28 +97,29 @@ class BundlerSwitcher
9697
# Detect package manager
9798
package_manager = detect_package_manager
9899

99-
# Install dependencies
100-
install_cmd = case package_manager
101-
when "yarn"
102-
"yarn add #{deps[:dependencies].join(' ')}"
103-
when "pnpm"
104-
"pnpm add #{deps[:dependencies].join(' ')}"
105-
else
106-
"npm install #{deps[:dependencies].join(' ')}"
107-
end
108-
109-
# Install dev dependencies
110-
install_dev_cmd = case package_manager
111-
when "yarn"
112-
"yarn add -D #{deps[:dev_dependencies].join(' ')}"
113-
when "pnpm"
114-
"pnpm add -D #{deps[:dev_dependencies].join(' ')}"
115-
else
116-
"npm install --save-dev #{deps[:dev_dependencies].join(' ')}"
117-
end
118-
119-
system(install_cmd) || abort("❌ Failed to install dependencies")
120-
system(install_dev_cmd) || abort("❌ Failed to install dev dependencies")
100+
# Install dependencies using array form to prevent command injection
101+
success = case package_manager
102+
when "yarn"
103+
system("yarn", "add", *deps[:dependencies])
104+
when "pnpm"
105+
system("pnpm", "add", *deps[:dependencies])
106+
else
107+
system("npm", "install", *deps[:dependencies])
108+
end
109+
110+
abort("❌ Failed to install dependencies") unless success
111+
112+
# Install dev dependencies using array form to prevent command injection
113+
success = case package_manager
114+
when "yarn"
115+
system("yarn", "add", "-D", *deps[:dev_dependencies])
116+
when "pnpm"
117+
system("pnpm", "add", "-D", *deps[:dev_dependencies])
118+
else
119+
system("npm", "install", "--save-dev", *deps[:dev_dependencies])
120+
end
121+
122+
abort("❌ Failed to install dev dependencies") unless success
121123

122124
puts "✅ Installed #{@target_bundler} dependencies"
123125
end
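Review bot: the array form closes the shell-injection path, but each entry of `deps[:dependencies]` and `deps[:dev_dependencies]` still reaches yarn, pnpm or npm unchecked, so a name beginning with `-` would be parsed by the package manager as an option rather than a package (argument injection). Validate every entry before the first `case` (reject a leading `-` and anything outside the characters a package name or version range can contain) and abort with the offending entry in the message; the same check covers both the dependencies and dev-dependencies phases.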

0 commit comments
