From d39d506b096fbabed20825e91eecad0dc1df275d Mon Sep 17 00:00:00 2001
From: Justin Gordon
Date: Tue, 4 Nov 2025 17:02:03 -1000
Subject: [PATCH] Fix unsafe system calls to use array form in pack_generator.rb
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Update system calls in lib/react_on_rails/dev/pack_generator.rb to use the safer array form instead of string form for better security and cross-platform compatibility.

Changes:
- Convert string-based system calls to array form
- Update output redirection to use File::NULL with out:/err: options
- Update corresponding RSpec tests to match new system call signatures

This prevents potential shell injection issues and improves cross-platform compatibility.

Fixes #1910

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 lib/react_on_rails/dev/pack_generator.rb | 7 +++++--
 spec/react_on_rails/dev/pack_generator_spec.rb | 15 +++++++++------
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/lib/react_on_rails/dev/pack_generator.rb b/lib/react_on_rails/dev/pack_generator.rb
index 907f3595bc..2d58f4a38b 100644
--- a/lib/react_on_rails/dev/pack_generator.rb
+++ b/lib/react_on_rails/dev/pack_generator.rb
@@ -110,9 +110,12 @@ def handle_rake_error(error, _silent)
 
       def run_via_bundle_exec(silent: false)
         if silent
-          system "bundle exec rake react_on_rails:generate_packs > /dev/null 2>&1"
+          system(
+            "bundle", "exec", "rake", "react_on_rails:generate_packs",
+            out: File::NULL, err: File::NULL
+          )
         else
-          system "bundle exec rake react_on_rails:generate_packs"
+          system("bundle", "exec", "rake", "react_on_rails:generate_packs")
         end
       end
     end
diff --git a/spec/react_on_rails/dev/pack_generator_spec.rb b/spec/react_on_rails/dev/pack_generator_spec.rb
index a1bb42a20b..6874cbe9f3 100644
--- a/spec/react_on_rails/dev/pack_generator_spec.rb
+++ b/spec/react_on_rails/dev/pack_generator_spec.rb
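Review bot: In the silent branch, `err: File::NULL` discards rake's stderr, so when the command exits non-zero the caller (outside this hunk) can only report that generation failed, not why; if the goal is only to hide the progress output, redirecting just stdout — `system("bundle", "exec", "rake", "react_on_rails:generate_packs", out: File::NULL)` — keeps the quiet path quiet on success while preserving the failure diagnostics. Note also that `Kernel#system` returns `nil` rather than `false` when the executable cannot be spawned at all, so the caller's failure check should treat both as failure. Since the array form is the whole point of the fix, it deserves a comment, e.g. `# Array form: no shell is involved, so the arguments are passed verbatim; File::NULL is the portable null device.` The two branches could also share one argument list, `redirects = silent ? { out: File::NULL, err: File::NULL } : {}` followed by `system("bundle", "exec", "rake", "react_on_rails:generate_packs", **redirects)`.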
@@ -6,24 +6,27 @@
 RSpec.describe ReactOnRails::Dev::PackGenerator do
   describe ".generate" do
     it "runs pack generation successfully in verbose mode" do
-      command = "bundle exec rake react_on_rails:generate_packs"
-      allow(described_class).to receive(:system).with(command).and_return(true)
+      allow(described_class).to receive(:system)
+        .with("bundle", "exec", "rake", "react_on_rails:generate_packs")
+        .and_return(true)
 
       expect { described_class.generate(verbose: true) }
         .to output(/📦 Generating React on Rails packs.../).to_stdout_from_any_process
     end
 
     it "runs pack generation successfully in quiet mode" do
-      command = "bundle exec rake react_on_rails:generate_packs > /dev/null 2>&1"
-      allow(described_class).to receive(:system).with(command).and_return(true)
+      allow(described_class).to receive(:system)
+        .with("bundle", "exec", "rake", "react_on_rails:generate_packs", out: File::NULL, err: File::NULL)
+        .and_return(true)
 
       expect { described_class.generate(verbose: false) }
         .to output(/📦 Generating packs\.\.\. ✅/).to_stdout_from_any_process
     end
 
     it "exits with error when pack generation fails" do
-      command = "bundle exec rake react_on_rails:generate_packs > /dev/null 2>&1"
-      allow(described_class).to receive(:system).with(command).and_return(false)
+      allow(described_class).to receive(:system)
+        .with("bundle", "exec", "rake", "react_on_rails:generate_packs", out: File::NULL, err: File::NULL)
+        .and_return(false)
 
       expect { described_class.generate(verbose: false) }.to raise_error(SystemExit)
     end
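Review bot: None of the three examples covers `system` returning `nil`, which `Kernel#system` does when the executable cannot be spawned at all (as opposed to exiting non-zero), so the failure path that the last example exercises with `and_return(false)` is only half covered; an example stubbing `.and_return(nil)` and expecting the same `raise_error(SystemExit)` would pin that, assuming `generate` treats any falsy result as failure (its implementation is outside this hunk). The argument list is repeated verbatim across all three examples; a `let(:command) { %w[bundle exec rake react_on_rails:generate_packs] }` with `.with(*command)` and `.with(*command, out: File::NULL, err: File::NULL)` keeps the literal keywords (so the rspec-mocks keyword/positional-hash distinction on Ruby 3 still matches) while making a future change to the command a one-line edit. The enclosing `describe` block continues past the end of this hunk.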