
Conversation


@JsprHpprtz JsprHpprtz commented Jan 3, 2026

Description

Screencast

Checklist

@raycastbot
Collaborator

Congratulations on your new Raycast extension! 🚀

Due to our current reduced availability, the initial review may take up to 10-15 business days.

Once the PR is approved and merged, the extension will be available on our Store.

@JsprHpprtz JsprHpprtz marked this pull request as ready for review January 3, 2026 22:44
@greptile-apps
Contributor

greptile-apps bot commented Jan 3, 2026

Greptile Summary

This PR adds a comprehensive Laravel Toolkit extension with project management, documentation search, and development tools. The extension provides useful features including Laravel docs search with version switching, project scaffolding wizard, Artisan command reference, code snippets, and development tool management.

Major Changes:

  • Added 11 commands for Laravel development workflow
  • Project creation wizard with Breeze/Jetstream support
  • Documentation browser with favorites and recent pages
  • Development tools manager for PHP, Composer, NPM
  • Custom package presets system
  • Route explorer and log viewer commands

Critical Security Issues Found:

  • Multiple command injection vulnerabilities in create-project.tsx, manage-projects.tsx, manage-tools.tsx, and utils/editor.ts
  • Inadequate input sanitization before shell command execution
  • Remote code execution risk in Composer installer download
  • User-controlled commands executed without validation

Configuration:

  • Proper Prettier configuration (printWidth: 120, singleQuote: false)
  • CHANGELOG follows required format with {PR_MERGE_DATE} placeholder
  • Metadata screenshots present
  • Windows-only platform restriction (verify if intentional)

Confidence Score: 1/5

  • This PR has critical command injection vulnerabilities that must be fixed before merging
  • Score reflects multiple critical security vulnerabilities across the codebase. The extension executes shell commands with insufficient input sanitization in create-project.tsx (lines 238-239, 371), manage-projects.tsx (line 55), manage-tools.tsx (lines 192-193, 201-203), and utils/editor.ts (lines 15-17). These allow command injection via path names, version strings, and custom commands. Additionally, the Composer installer downloads and executes remote code without verification. These security issues must be resolved before the extension can be safely published.
  • extensions/laravel-toolkit/src/create-project.tsx, extensions/laravel-toolkit/src/manage-tools.tsx, extensions/laravel-toolkit/src/manage-projects.tsx, and extensions/laravel-toolkit/src/utils/editor.ts all require immediate security fixes for command injection vulnerabilities

Important Files Changed

Filename Overview
extensions/laravel-toolkit/package.json Configuration looks good with proper Prettier settings and preferences. Windows-only platform restriction needs verification.
extensions/laravel-toolkit/src/create-project.tsx Multiple critical command injection vulnerabilities in directory/project name handling and Composer installer execution.
extensions/laravel-toolkit/src/manage-projects.tsx Command injection vulnerability in PowerShell terminal opening. Path sanitization insufficient for shell metacharacters.
extensions/laravel-toolkit/src/manage-tools.tsx Critical security issues: unvalidated command execution in uninstall command TextArea and version parameter injection.
extensions/laravel-toolkit/src/utils/editor.ts Inadequate shell escaping in editor path execution allows command injection via special characters.

Contributor

@greptile-apps greptile-apps bot left a comment


Additional Comments (5)

  1. extensions/laravel-toolkit/CHANGELOG.md, line 3 (link)

    syntax: The changelog entry uses a hardcoded date instead of the {PR_MERGE_DATE} placeholder. According to the custom rules, changelog entries must use {PR_MERGE_DATE} placeholder in titles to ensure merge dates are set automatically during release.

    Context Used: Rule from dashboard - What: Changelog entries must use {PR_MERGE_DATE} placeholder in titles, be placed at the top of th... (source)

  2. extensions/laravel-toolkit/src/utils/editor.ts, line 22 (link)

    logic: The exec call doesn't have error handling and uses callback style. If editorApplication.path or path contain shell metacharacters beyond what quotes protect, this could lead to command injection issues.

  3. extensions/laravel-toolkit/src/manage-projects.tsx, line 55-56 (link)

    logic: Hardcoded Windows-specific PowerShell command won't work on macOS (which is listed as a supported platform in package.json). Need platform detection.

  4. extensions/laravel-toolkit/src/create-project.tsx, line 21-23 (link)

    syntax: Manually defined Preferences interface violates the custom rule. The Preferences type is auto-generated in raycast-env.d.ts when the extension runs and should not be manually defined to avoid sync issues.

    Context Used: Rule from dashboard - What: Don't manually define Preferences for getPreferenceValues() or commands Argument interfa... (source)

  5. extensions/laravel-toolkit/src/utils/editor.ts, line 4-6 (link)

    syntax: Manually defined EditorPreferences interface violates the custom rule. The Preferences type is auto-generated in raycast-env.d.ts and should not be manually defined.

    Context Used: Rule from dashboard - What: Don't manually define Preferences for getPreferenceValues() or commands Argument interfa... (source)

25 files reviewed, 5 comments


@JsprHpprtz JsprHpprtz marked this pull request as draft January 3, 2026 23:04
@JsprHpprtz JsprHpprtz marked this pull request as ready for review January 3, 2026 23:12
Contributor

@greptile-apps greptile-apps bot left a comment


Additional Comments (7)

  1. extensions/laravel-toolkit/src/create-project.tsx, line 239-266 (link)

    logic: Command injection vulnerability: unsanitized projectName and directory are directly interpolated into shell commands without proper escaping or validation. If a user enters a project name or directory path containing special shell characters (e.g., ; rm -rf /, backticks, or $()), it could execute arbitrary commands.

  2. extensions/laravel-toolkit/src/manage-projects.tsx, line 55 (link)

    logic: Command injection vulnerability: projectPath is not escaped before being interpolated into the PowerShell command. A malicious project path could execute arbitrary commands.

        const command = `start powershell -NoExit -Command "Set-Location '${projectPath.replace(/'/g, "''")}'"`;

  3. extensions/laravel-toolkit/src/run-artisan.tsx, line 82 (link)

    logic: Command injection vulnerability: the command parameter is directly interpolated without sanitization. While command comes from a known list of Artisan commands, it's still passed unsafely. Additionally, currentProject.path should be escaped.

  4. extensions/laravel-toolkit/src/utils/editor.ts, line 15 (link)

    logic: Command injection vulnerability: both editorApplication.path and path are interpolated without escaping. A malicious path could execute arbitrary code.

  5. extensions/laravel-toolkit/src/manage-custom-packages.tsx, line 154 (link)

    syntax: Typo in dropdown item title

  6. extensions/laravel-toolkit/src/utils/project-details.ts, line 95-103 (link)

    style: Duplicate code: composer.json is already read and parsed at lines 47-78, so this entire block at lines 95-103 is redundant and should be removed.

  7. extensions/laravel-toolkit/src/snippets.tsx, line 14-17 (link)

    style: Manual Preferences interface definition should not be defined manually. This interface is auto-generated in raycast-env.d.ts and should be imported from the generated types instead.

    Context Used: Rule from dashboard - What: Don't manually define Preferences for getPreferenceValues() or commands Argument interfa... (source)

25 files reviewed, 7 comments

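The review comments above describe the same root cause four times: user-controlled strings (project name, directory, project path, editor path) are interpolated into a command line that a shell then parses. The example below is added by the editor; it is not the extension's code and not the reviewer's suggested fix. It shows a simplified version of the vulnerable pattern next to a shell-free form built on Node's `execFile`/`spawn` with an argument array, plus an allowlist for names and versions. Everything in it is illustrative: the function names, the `LARAVEL_TOOLKIT_PROJECT` environment variable, and the assumption that the Composer phar location comes from a preference are all invented here. Composer's Windows installer provides `composer` as a `.bat` wrapper, which Node refuses to spawn without a shell, so the phar is run through `php.exe` instead.

```typescript
// Added example (not the Laravel Toolkit extension's own code): running the
// toolkit's commands without a shell so user-controlled strings cannot inject.
import { execFile, spawn } from "node:child_process";
import { promisify } from "node:util";
import * as path from "node:path";

const execFileAsync = promisify(execFile);

// Simplified version of the pattern the review flags: the directory has its
// double quotes escaped and is then interpolated into a string that a shell
// parses. A project name such as `app; rm -rf ~` or a directory such as
// `C:\x" & calc & "` becomes part of the command.
export function vulnerableCreateProjectCommand(projectName: string, directory: string): string {
  const sanitizedDirectory = directory.replace(/"/g, '\\"'); // only escapes quotes
  return `cd "${sanitizedDirectory}" && composer create-project laravel/laravel ${projectName}`;
}

// Allowlist what a Laravel project name may look like rather than blocklisting
// shell characters (assumed policy for this example).
const PROJECT_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;
// Tool versions like "8.3" or "8.3.12" (assumed format for the version dropdown).
const TOOL_VERSION = /^\d+(\.\d+){0,2}$/;

export function validateProjectName(name: string): string {
  if (!PROJECT_NAME.test(name)) throw new Error(`Invalid project name: ${JSON.stringify(name)}`);
  return name;
}

export function validateToolVersion(version: string): string {
  if (!TOOL_VERSION.test(version)) throw new Error(`Invalid version: ${JSON.stringify(version)}`);
  return version;
}

// With no shell involved, the only character a path must not contain is NUL.
export function validateDirectory(dir: string): string {
  if (dir.includes("\0")) throw new Error("Directory contains NUL");
  return path.resolve(dir);
}

// Hardened form: one executable plus an argv array. Nothing re-parses the
// arguments, so metacharacters in `directory` or `projectName` are inert.
// `composerPhar` stands in for a preference value (assumption); on Windows the
// `composer` command is a .bat wrapper, so the phar is run via php.exe.
export function createProjectSpec(projectName: string, directory: string, composerPhar = "composer.phar") {
  return {
    file: "php",
    args: [composerPhar, "create-project", "laravel/laravel", validateProjectName(projectName)],
    cwd: validateDirectory(directory),
  };
}

export async function createProject(projectName: string, directory: string, composerPhar?: string): Promise<string> {
  const spec = createProjectSpec(projectName, directory, composerPhar);
  const { stdout } = await execFileAsync(spec.file, spec.args, { cwd: spec.cwd, windowsHide: true });
  return stdout;
}

// Opening a PowerShell window at a project path: hand the path over in the
// environment and read it with -LiteralPath, so neither cmd.exe nor the
// PowerShell parser ever treats the user-controlled string as code.
export function openTerminalSpec(projectPath: string) {
  return {
    file: "powershell.exe",
    args: ["-NoExit", "-Command", "Set-Location -LiteralPath $env:LARAVEL_TOOLKIT_PROJECT"],
    env: { ...process.env, LARAVEL_TOOLKIT_PROJECT: validateDirectory(projectPath) },
  };
}

export function openTerminal(projectPath: string): void {
  const spec = openTerminalSpec(projectPath);
  // detached + ignored stdio lets the new console outlive the extension process.
  spawn(spec.file, spec.args, { env: spec.env, detached: true, stdio: "ignore" }).unref();
}
```

The same argv pattern applies to the editor launch in utils/editor.ts (`execFile(editorPath, [projectPath])`) and to the version parameter in manage-tools.tsx (`validateToolVersion` before it goes into the argument list). Filtering characters such as `;`, `&` and `$()` while still handing the string to a shell leaves the shell in the loop; removing the shell is what closes the class of bug, and the allowlist is defence in depth.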

@JsprHpprtz JsprHpprtz marked this pull request as draft January 3, 2026 23:17
@JsprHpprtz JsprHpprtz marked this pull request as ready for review January 4, 2026 15:20
Contributor

@greptile-apps greptile-apps bot left a comment


Additional Comments (7)

  1. extensions/laravel-toolkit/src/create-project.tsx, line 238-239 (link)

    logic: Command injection vulnerability - sanitizedDirectory only escapes double quotes but doesn't prevent command injection via special characters like ; && || $().

  2. extensions/laravel-toolkit/src/create-project.tsx, line 371 (link)

    logic: Executing untrusted remote script. This downloads and executes code from getcomposer.org without verification, creating a remote code execution risk.

  3. extensions/laravel-toolkit/src/manage-projects.tsx, line 55 (link)

    logic: Command injection vulnerability via path. Single quote escaping with '' is correct for PowerShell but special chars like ; can still inject commands.

  4. extensions/laravel-toolkit/src/utils/editor.ts, line 15-17 (link)

    logic: Inadequate sanitization for shell execution. Only escaping quotes doesn't prevent command injection via shell metacharacters.

  5. extensions/laravel-toolkit/src/manage-tools.tsx, line 192-193 (link)

    logic: Command injection via user input. The uninstallCommand TextArea allows arbitrary command execution without sanitization.

    Add validation to prevent command injection:

    // Before executing, validate the command doesn't contain dangerous patterns
    if (/[;&|$()<>`]/.test(uninstallCommand)) {
      throw new Error("Command contains potentially unsafe characters");
    }
    
  6. extensions/laravel-toolkit/src/manage-tools.tsx, line 201-203 (link)

    logic: Command injection via version parameter. User-controlled {version} in installVersionCmd isn't validated before shell execution.

  7. extensions/laravel-toolkit/package.json, line 180-182 (link)

    style: Verify Windows-only restriction is intentional. Extension targets Windows but Laravel development is common on macOS (Herd, Valet). Check if commands work cross-platform.

25 files reviewed, 7 comments

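Comment 2 above flags that create-project.tsx downloads the Composer installer from getcomposer.org and runs it without verification. Composer publishes the SHA-384 of the current installer at https://composer.github.io/installer.sig and documents comparing that digest with the downloaded file before running it. The example below is added by the editor and is not the extension's code; it implements that check with a constant-time comparison and then runs only the verified bytes, through `execFile` rather than a shell. The `Downloader` and `Runner` types, the function names and the sample byte strings are all constructed for the example; the downloader is injected so the verification logic can be exercised offline.

```typescript
// Added example (not the Laravel Toolkit extension's own code): verifying the
// Composer installer against its published SHA-384 before executing it.
import { createHash, timingSafeEqual } from "node:crypto";
import { execFile } from "node:child_process";
import { promisify } from "node:util";
import { mkdtemp, writeFile, rm } from "node:fs/promises";
import { tmpdir } from "node:os";
import * as path from "node:path";

const execFileAsync = promisify(execFile);

// Composer publishes the SHA-384 of the current installer at the second URL.
export const COMPOSER_INSTALLER_URL = "https://getcomposer.org/installer";
export const COMPOSER_INSTALLER_SIG_URL = "https://composer.github.io/installer.sig";

export type Downloader = (url: string) => Promise<Buffer>;
export type Runner = (file: string, args: string[]) => Promise<void>;

export function sha384Hex(data: Buffer): string {
  return createHash("sha384").update(data).digest("hex");
}

// Returns true only if the installer hashes to the published digest.
// Malformed or wrong-length signatures return false rather than throwing.
export function verifyInstaller(installer: Buffer, publishedSigHex: string): boolean {
  const published = publishedSigHex.trim().toLowerCase();
  if (!/^[0-9a-f]{96}$/.test(published)) return false; // SHA-384 is 48 bytes
  const expected = Buffer.from(published, "hex");
  const actual = createHash("sha384").update(installer).digest();
  return timingSafeEqual(expected, actual); // constant-time, equal lengths guaranteed above
}

const defaultRun: Runner = async (file, args) => {
  await execFileAsync(file, args, { windowsHide: true });
};

// Download installer and signature (both over TLS from the official hosts),
// refuse to continue on mismatch, then run the verified file from a temp dir.
// `--install-dir` and `--filename` are documented Composer installer options.
export async function installComposer(installDir: string, download: Downloader, run: Runner = defaultRun): Promise<void> {
  const [installer, sig] = await Promise.all([download(COMPOSER_INSTALLER_URL), download(COMPOSER_INSTALLER_SIG_URL)]);
  if (!verifyInstaller(installer, sig.toString("utf8"))) {
    throw new Error("Composer installer SHA-384 does not match the published signature; refusing to run it");
  }
  const dir = await mkdtemp(path.join(tmpdir(), "composer-setup-"));
  const setupPath = path.join(dir, "composer-setup.php");
  try {
    await writeFile(setupPath, installer);
    await run("php", [setupPath, "--install-dir", path.resolve(installDir), "--filename", "composer"]);
  } finally {
    await rm(dir, { recursive: true, force: true });
  }
}

// Constructed stand-ins for a downloaded installer and a tampered copy
// (sample data for the example, not the real installer script).
export const SAMPLE_INSTALLER = Buffer.from("<?php echo 'constructed installer stand-in';\n");
export const SAMPLE_TAMPERED = Buffer.from("<?php system('calc'); echo 'constructed installer stand-in';\n");
```

A real `Downloader` would be a thin wrapper over `fetch` or `https.get`; keeping it injectable also makes the mismatch path testable without network access. The digest check protects against a tampered or stale download, not against a compromise of the publisher itself, so the signature must come from the official host over TLS and the check must fail closed.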


Labels: new extension, platform: Windows
