Fix shell injection vulnerability in server_manager.rb

justin808 · claude · justin808 · commit 4eec005b57cb · 2025-09-17T20:13:11.000-10:00
Security improvements: - Replace string interpolation with env hash and argv array for Open3.capture3 - Add rails_env validation with allowlist pattern (/^[a-z0-9_]+$/i) - Update error handling to use safe command display - Add tests for rails_env validation and custom environment usage - Prevent arbitrary shell command execution via --rails-env parameter 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/lib/react_on_rails/dev/server_manager.rb b/lib/react_on_rails/dev/server_manager.rb
@@ -268,9 +268,18 @@ def run_production_like(_verbose: false, route: nil, rails_env: nil)
           )
 
           # Precompile assets with production webpack optimizations (includes pack generation automatically)
-          env_vars = ["NODE_ENV=production"]
-          env_vars << "RAILS_ENV=#{rails_env}" if rails_env
-          command = "#{env_vars.join(' ')} bundle exec rails assets:precompile"
+          env = { "NODE_ENV" => "production" }
+
+          # Validate and sanitize rails_env to prevent shell injection
+          if rails_env
+            unless rails_env.match?(/\A[a-z0-9_]+\z/i)
+              puts "❌ Invalid rails_env: '#{rails_env}'. Must contain only letters, numbers, and underscores."
+              exit 1
+            end
+            env["RAILS_ENV"] = rails_env
+          end
+
+          argv = ["bundle", "exec", "rails", "assets:precompile"]
 
           puts "🔨 Precompiling assets with production webpack optimizations..."
           puts ""
@@ -288,12 +297,14 @@ def run_production_like(_verbose: false, route: nil, rails_env: nil)
             puts "   • Gets production webpack bundles without production Rails complexity"
           end
           puts ""
-          puts "#{Rainbow('💻 Running:').blue} #{command}"
+
+          env_display = env.map { |k, v| "#{k}=#{v}" }.join(" ")
+          puts "#{Rainbow('💻 Running:').blue} #{env_display} #{argv.join(' ')}"
           puts ""
 
           # Capture both stdout and stderr
           require "open3"
-          stdout, stderr, status = Open3.capture3(command)
+          stdout, stderr, status = Open3.capture3(env, *argv)
 
           if status.success?
             puts "✅ Assets precompiled successfully"
@@ -317,11 +328,12 @@ def run_production_like(_verbose: false, route: nil, rails_env: nil)
             end
 
             puts Rainbow("🛠️  To debug this issue:").yellow.bold
+            command_display = "#{env_display} #{argv.join(' ')}"
             puts "#{Rainbow('1.').cyan} #{Rainbow('Run the command separately to see detailed output:').white}"
-            puts "   #{Rainbow(command).cyan}"
+            puts "   #{Rainbow(command_display).cyan}"
             puts ""
             puts "#{Rainbow('2.').cyan} #{Rainbow('Add --trace for full stack trace:').white}"
-            puts "   #{Rainbow("#{command} --trace").cyan}"
+            puts "   #{Rainbow("#{command_display} --trace").cyan}"
             puts ""
             puts "#{Rainbow('3.').cyan} #{Rainbow('Or try with development webpack (faster, less optimized):').white}"
             puts "   #{Rainbow('NODE_ENV=development bundle exec rails assets:precompile').cyan}"
diff --git a/spec/react_on_rails/dev/server_manager_spec.rb b/spec/react_on_rails/dev/server_manager_spec.rb
@@ -54,15 +54,36 @@ def mock_system_calls
     end
 
     it "starts production-like mode" do
-      command = "NODE_ENV=production bundle exec rails assets:precompile"
+      env = { "NODE_ENV" => "production" }
+      argv = ["bundle", "exec", "rails", "assets:precompile"]
       status_double = instance_double(Process::Status, success?: true)
-      expect(Open3).to receive(:capture3).with(command).and_return(["output", "", status_double])
+      expect(Open3).to receive(:capture3).with(env, *argv).and_return(["output", "", status_double])
       expect(ReactOnRails::Dev::ProcessManager).to receive(:ensure_procfile).with("Procfile.dev-prod-assets")
       expect(ReactOnRails::Dev::ProcessManager).to receive(:run_with_process_manager).with("Procfile.dev-prod-assets")
 
       described_class.start(:production_like)
     end
 
+    it "starts production-like mode with custom rails_env" do
+      env = { "NODE_ENV" => "production", "RAILS_ENV" => "staging" }
+      argv = ["bundle", "exec", "rails", "assets:precompile"]
+      status_double = instance_double(Process::Status, success?: true)
+      expect(Open3).to receive(:capture3).with(env, *argv).and_return(["output", "", status_double])
+      expect(ReactOnRails::Dev::ProcessManager).to receive(:ensure_procfile).with("Procfile.dev-prod-assets")
+      expect(ReactOnRails::Dev::ProcessManager).to receive(:run_with_process_manager).with("Procfile.dev-prod-assets")
+
+      described_class.start(:production_like, nil, verbose: false, rails_env: "staging")
+    end
+
+    it "rejects invalid rails_env with shell injection characters" do
+      expect_any_instance_of(Kernel).to receive(:exit).with(1)
+      allow_any_instance_of(Kernel).to receive(:puts) # Allow other puts calls
+      error_pattern = /Invalid rails_env.*Must contain only letters, numbers, and underscores/
+      expect_any_instance_of(Kernel).to receive(:puts).with(error_pattern)
+
+      described_class.start(:production_like, nil, verbose: false, rails_env: "production; rm -rf /")
+    end
+
     it "raises error for unknown mode" do
       expect { described_class.start(:unknown) }.to raise_error(ArgumentError, "Unknown mode: unknown")
     end
