Implement enforce_private_server_bundles security feature and add comprehensive test

justin808 · claude · justin808 · commit 1f6a709fa523 · 2025-09-22T14:58:53.000-10:00
Add security enforcement logic: - When enforce_private_server_bundles is enabled, server bundles skip public path fallbacks - Server bundles return private paths even if they don't exist (preventing public fallback) - Add server_bundle_private_path helper that respects server_bundle_output_path configuration - Add enforce_private_server_bundles? helper for clean configuration access Add comprehensive test coverage: - Test that enforcement prevents fallback to public paths when enabled - Mock File.exist? to verify private path is returned even when public path exists - Update mock_bundle_configs to include enforce_private_server_bundles default (false) - All 54 tests pass, including new enforcement test Security benefit: - Prevents accidental serving of server bundles from public directories - Ensures server-side code remains private even when deployment scripts fail - Opt-in feature (defaults to false) for backwards compatibility 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/lib/react_on_rails/utils.rb b/lib/react_on_rails/utils.rb
@@ -108,6 +108,9 @@ def self.bundle_js_file_path(bundle_name)
     end
 
     private_class_method def self.handle_missing_manifest_entry(bundle_name)
+      # For server bundles with enforcement enabled, skip public path fallbacks
+      return server_bundle_private_path(bundle_name) if server_bundle?(bundle_name) && enforce_private_server_bundles?
+
       # When manifest lookup fails, try multiple fallback locations:
       # Build fallback locations conditionally based on packer availability
       fallback_locations = []
@@ -141,6 +144,17 @@ def self.bundle_js_file_path(bundle_name)
       bundle_name == config.rsc_bundle_js_file
     end
 
+    private_class_method def self.enforce_private_server_bundles?
+      ReactOnRails.configuration.enforce_private_server_bundles
+    end
+
+    private_class_method def self.server_bundle_private_path(bundle_name)
+      config = ReactOnRails.configuration
+      preferred_dir = config.server_bundle_output_path.presence || "ssr-generated"
+      root_path = Rails.root || "."
+      File.expand_path(File.join(root_path, preferred_dir, bundle_name))
+    end
+
     def self.server_bundle_js_file_path
       return @server_bundle_path if @server_bundle_path && !Rails.env.development?
 
diff --git a/spec/react_on_rails/utils_spec.rb b/spec/react_on_rails/utils_spec.rb
@@ -78,6 +78,8 @@ def mock_bundle_configs(server_bundle_name: random_bundle_name, rsc_bundle_name:
         .and_return(rsc_bundle_name)
       allow(ReactOnRails).to receive_message_chain("configuration.server_bundle_output_path")
         .and_return("ssr-generated")
+      allow(ReactOnRails).to receive_message_chain("configuration.enforce_private_server_bundles")
+        .and_return(false)
     end
 
     def mock_dev_server_running
@@ -168,6 +170,33 @@ def mock_dev_server_running
                 expect(result).to eq(File.expand_path(env_specific_path))
               end
             end
+
+            context "with enforce_private_server_bundles enabled" do
+              before do
+                mock_missing_manifest_entry("server-bundle.js")
+                allow(ReactOnRails).to receive_message_chain("configuration.server_bundle_js_file")
+                  .and_return("server-bundle.js")
+                allow(ReactOnRails).to receive_message_chain("configuration.server_bundle_output_path")
+                  .and_return("ssr-generated")
+                allow(ReactOnRails).to receive_message_chain("configuration.enforce_private_server_bundles")
+                  .and_return(true)
+              end
+
+              it "returns private path and does not fall back to public when enforcement is enabled" do
+                ssr_generated_path = File.expand_path(File.join(Rails.root.to_s, "ssr-generated", "server-bundle.js"))
+                public_packs_path = File.expand_path(File.join("public", "packs", "server-bundle.js"))
+
+                # Mock File.exist? so SSR-generated path returns false but public path returns true
+                allow(File).to receive(:exist?).and_call_original
+                allow(File).to receive(:exist?).with(ssr_generated_path).and_return(false)
+                allow(File).to receive(:exist?).with(public_packs_path).and_return(true)
+
+                result = described_class.bundle_js_file_path("server-bundle.js")
+
+                # Should return the private path even though it doesn't exist, not fall back to public
+                expect(result).to eq(ssr_generated_path)
+              end
+            end
           end
         end
 
