Add security hardening to prevent command injection in package manager commands

AbanoubGhadban · claude · AbanoubGhadban · commit a6b36360dd58 · 2025-10-27T14:09:55.000+03:00
This commit adds defense-in-depth protection against potential command injection in package manager command generation methods. Changes: - Add Shellwords escaping for all package names and versions in generated commands - Add input validation for package names following npm naming standards - Add input validation for version strings to allow only safe semver patterns - Validate inputs before command generation in both install and remove methods Security benefits: - Multiple layers of protection (validation + escaping) - Clear error messages for invalid inputs - Future-proof against usage pattern changes All existing tests pass with these security enhancements. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/lib/react_on_rails/utils.rb b/lib/react_on_rails/utils.rb
@@ -5,6 +5,7 @@
 require "rainbow"
 require "active_support"
 require "active_support/core_ext/string"
+require "shellwords"
 
 # rubocop:disable Metrics/ModuleLength
 module ReactOnRails
@@ -293,6 +294,42 @@ def self.detect_package_manager
       manager || :yarn # Default to yarn if no detection succeeds
     end
 
+    # Validates package_name input to prevent command injection
+    #
+    # @param package_name [String] The package name to validate
+    # @raise [ReactOnRails::Error] if package_name contains potentially unsafe characters
+    private_class_method def self.validate_package_name!(package_name)
+      raise ReactOnRails::Error, "package_name cannot be nil" if package_name.nil?
+      raise ReactOnRails::Error, "package_name cannot be empty" if package_name.to_s.strip.empty?
+
+      # Allow valid npm package names: alphanumeric, hyphens, underscores, dots, slashes (for scoped packages)
+      # See: https://github.com/npm/validate-npm-package-name
+      return if package_name.match?(%r{\A[@a-z0-9][a-z0-9._/-]*\z}i)
+
+      raise ReactOnRails::Error, "Invalid package name: #{package_name.inspect}. " \
+                                 "Package names must contain only alphanumeric characters, " \
+                                 "hyphens, underscores, dots, and slashes (for scoped packages)."
+    end
+
+    # Validates package_name and version inputs to prevent command injection
+    #
+    # @param package_name [String] The package name to validate
+    # @param version [String] The version to validate
+    # @raise [ReactOnRails::Error] if inputs contain potentially unsafe characters
+    private_class_method def self.validate_package_command_inputs!(package_name, version)
+      validate_package_name!(package_name)
+
+      raise ReactOnRails::Error, "version cannot be nil" if version.nil?
+      raise ReactOnRails::Error, "version cannot be empty" if version.to_s.strip.empty?
+
+      # Allow valid semver versions and common npm version patterns
+      # This allows: 1.2.3, 1.2.3-beta.1, 1.2.3-alpha, etc.
+      return if version.match?(/\A[a-z0-9][a-z0-9._-]*\z/i)
+
+      raise ReactOnRails::Error, "Invalid version: #{version.inspect}. " \
+                                 "Versions must contain only alphanumeric characters, dots, hyphens, and underscores."
+    end
+
     private_class_method def self.detect_package_manager_from_package_json
       package_json_path = File.join(Rails.root, ReactOnRails.configuration.node_modules_location, "package.json")
       return nil unless File.exist?(package_json_path)
@@ -325,17 +362,21 @@ def self.detect_package_manager
     # @param version [String] The exact version to install
     # @return [String] The command to run (e.g., "yarn add react-on-rails@16.0.0 --exact")
     def self.package_manager_install_exact_command(package_name, version)
+      validate_package_command_inputs!(package_name, version)
+
       manager = detect_package_manager
+      # Escape shell arguments to prevent command injection
+      safe_package = Shellwords.escape("#{package_name}@#{version}")
 
       case manager
       when :pnpm
-        "pnpm add #{package_name}@#{version} --save-exact"
+        "pnpm add #{safe_package} --save-exact"
       when :bun
-        "bun add #{package_name}@#{version} --exact"
+        "bun add #{safe_package} --exact"
       when :npm
-        "npm install #{package_name}@#{version} --save-exact"
+        "npm install #{safe_package} --save-exact"
       else # :yarn or unknown, default to yarn
-        "yarn add #{package_name}@#{version} --exact"
+        "yarn add #{safe_package} --exact"
       end
     end
 
@@ -344,17 +385,21 @@ def self.package_manager_install_exact_command(package_name, version)
     # @param package_name [String] The name of the package to remove
     # @return [String] The command to run (e.g., "yarn remove react-on-rails")
     def self.package_manager_remove_command(package_name)
+      validate_package_name!(package_name)
+
       manager = detect_package_manager
+      # Escape shell arguments to prevent command injection
+      safe_package = Shellwords.escape(package_name)
 
       case manager
       when :pnpm
-        "pnpm remove #{package_name}"
+        "pnpm remove #{safe_package}"
       when :bun
-        "bun remove #{package_name}"
+        "bun remove #{safe_package}"
       when :npm
-        "npm uninstall #{package_name}"
+        "npm uninstall #{safe_package}"
       else # :yarn or unknown, default to yarn
-        "yarn remove #{package_name}"
+        "yarn remove #{safe_package}"
       end
     end
 
