Fix unsafe system calls to use array form in pack_generator.rb (#1914)

justin808 · claude · web-flow · commit 517f1579ab00 · 2025-11-04T17:35:34.000-10:00
Update system calls in lib/react_on_rails/dev/pack_generator.rb to use the safer array form instead of string form for better security and cross-platform compatibility. Changes: - Convert string-based system calls to array form - Update output redirection to use File::NULL with out:/err: options - Update corresponding RSpec tests to match new system call signatures This prevents potential shell injection issues and improves cross-platform compatibility. Fixes #1910 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/lib/react_on_rails/dev/pack_generator.rb b/lib/react_on_rails/dev/pack_generator.rb
@@ -110,9 +110,12 @@ def handle_rake_error(error, _silent)
 
         def run_via_bundle_exec(silent: false)
           if silent
-            system "bundle exec rake react_on_rails:generate_packs > /dev/null 2>&1"
+            system(
+              "bundle", "exec", "rake", "react_on_rails:generate_packs",
+              out: File::NULL, err: File::NULL
+            )
           else
-            system "bundle exec rake react_on_rails:generate_packs"
+            system("bundle", "exec", "rake", "react_on_rails:generate_packs")
           end
         end
       end
diff --git a/spec/react_on_rails/dev/pack_generator_spec.rb b/spec/react_on_rails/dev/pack_generator_spec.rb
@@ -6,24 +6,27 @@
 RSpec.describe ReactOnRails::Dev::PackGenerator do
   describe ".generate" do
     it "runs pack generation successfully in verbose mode" do
-      command = "bundle exec rake react_on_rails:generate_packs"
-      allow(described_class).to receive(:system).with(command).and_return(true)
+      allow(described_class).to receive(:system)
+        .with("bundle", "exec", "rake", "react_on_rails:generate_packs")
+        .and_return(true)
 
       expect { described_class.generate(verbose: true) }
         .to output(/📦 Generating React on Rails packs.../).to_stdout_from_any_process
     end
 
     it "runs pack generation successfully in quiet mode" do
-      command = "bundle exec rake react_on_rails:generate_packs > /dev/null 2>&1"
-      allow(described_class).to receive(:system).with(command).and_return(true)
+      allow(described_class).to receive(:system)
+        .with("bundle", "exec", "rake", "react_on_rails:generate_packs", out: File::NULL, err: File::NULL)
+        .and_return(true)
 
       expect { described_class.generate(verbose: false) }
         .to output(/📦 Generating packs\.\.\. ✅/).to_stdout_from_any_process
     end
 
     it "exits with error when pack generation fails" do
-      command = "bundle exec rake react_on_rails:generate_packs > /dev/null 2>&1"
-      allow(described_class).to receive(:system).with(command).and_return(false)
+      allow(described_class).to receive(:system)
+        .with("bundle", "exec", "rake", "react_on_rails:generate_packs", out: File::NULL, err: File::NULL)
+        .and_return(false)
 
       expect { described_class.generate(verbose: false) }.to raise_error(SystemExit)
     end
