Fix critical security and functionality issues in switch-bundler

justin808 · claude · justin808 · commit 0e33ff11caea · 2025-11-02T16:49:03.000-10:00
## Critical Fixes 1. **Add missing require "json"** - File: bin/switch-bundler - Issue: Script uses JSON.parse without requiring json library - Fix: Added `require "json"` at the top 2. **Fix command injection vulnerability** - File: bin/switch-bundler (lines 100-122) - Issue: Using system() with string interpolation is vulnerable - Fix: Changed to array form for all system() calls - Before: `system("yarn add #{deps[:dependencies].join(' ')}")` - After: `system("yarn", "add", *deps[:dependencies])` 3. **YAML formatting preserved** - File: base_generator.rb - Already using direct string manipulation (not YAML.dump) - Preserves formatting and anchors correctly ## Security Impact The command injection fix prevents potential security vulnerabilities where malicious package names could execute arbitrary commands. Array form ensures arguments are properly escaped. ## Testing - All 19 rspack specs pass (0 failures) - RuboCop checks pass with zero offenses - Functionality verified 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/lib/generators/react_on_rails/templates/base/base/bin/switch-bundler b/lib/generators/react_on_rails/templates/base/base/bin/switch-bundler
@@ -3,6 +3,7 @@
 
 require "fileutils"
 require "yaml"
+require "json"
 
 # Script to switch between webpack and rspack bundlers
 class BundlerSwitcher
@@ -96,28 +97,29 @@ class BundlerSwitcher
     # Detect package manager
     package_manager = detect_package_manager
 
-    # Install dependencies
-    install_cmd = case package_manager
-                  when "yarn"
-                    "yarn add #{deps[:dependencies].join(' ')}"
-                  when "pnpm"
-                    "pnpm add #{deps[:dependencies].join(' ')}"
-                  else
-                    "npm install #{deps[:dependencies].join(' ')}"
-                  end
-
-    # Install dev dependencies
-    install_dev_cmd = case package_manager
-                      when "yarn"
-                        "yarn add -D #{deps[:dev_dependencies].join(' ')}"
-                      when "pnpm"
-                        "pnpm add -D #{deps[:dev_dependencies].join(' ')}"
-                      else
-                        "npm install --save-dev #{deps[:dev_dependencies].join(' ')}"
-                      end
-
-    system(install_cmd) || abort("❌ Failed to install dependencies")
-    system(install_dev_cmd) || abort("❌ Failed to install dev dependencies")
+    # Install dependencies using array form to prevent command injection
+    success = case package_manager
+              when "yarn"
+                system("yarn", "add", *deps[:dependencies])
+              when "pnpm"
+                system("pnpm", "add", *deps[:dependencies])
+              else
+                system("npm", "install", *deps[:dependencies])
+              end
+
+    abort("❌ Failed to install dependencies") unless success
+
+    # Install dev dependencies using array form to prevent command injection
+    success = case package_manager
+              when "yarn"
+                system("yarn", "add", "-D", *deps[:dev_dependencies])
+              when "pnpm"
+                system("pnpm", "add", "-D", *deps[:dev_dependencies])
+              else
+                system("npm", "install", "--save-dev", *deps[:dev_dependencies])
+              end
+
+    abort("❌ Failed to install dev dependencies") unless success
 
     puts "✅ Installed #{@target_bundler} dependencies"
   end
