SECURITY: Fix command injection vulnerabilities in generators

justin808 · claude · justin808 · commit 622eeccbcad7 · 2025-09-17T21:10:41.000-10:00
Replace unsafe string interpolation with array-based system calls to prevent command injection attacks in npm/yarn/pnpm/bun commands. Security fixes: - install_generator.rb: Fix TypeScript package installation - base_generator.rb: Fix all package manager install commands - react_with_redux_generator.rb: Refactor to use safe array-based calls Risk: HIGH - Command injection could allow arbitrary code execution on developer machines during generator usage. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/lib/generators/react_on_rails/base_generator.rb b/lib/generators/react_on_rails/base_generator.rb
@@ -105,13 +105,13 @@ def add_js_dependencies
       def install_js_dependencies
         # Detect which package manager to use
         success = if File.exist?(File.join(destination_root, "yarn.lock"))
-                    run "yarn install"
+                    system("yarn", "install")
                   elsif File.exist?(File.join(destination_root, "pnpm-lock.yaml"))
-                    run "pnpm install"
+                    system("pnpm", "install")
                   elsif File.exist?(File.join(destination_root, "package-lock.json")) ||
                         File.exist?(File.join(destination_root, "package.json"))
                     # Use npm for package-lock.json or as default fallback
-                    run "npm install"
+                    system("npm", "install")
                   else
                     true # No package manager detected, skip
                   end
@@ -173,7 +173,7 @@ def add_react_on_rails_package
         return if add_npm_dependencies(react_on_rails_pkg)
 
         puts "Using direct npm commands as fallback"
-        success = run "npm install #{react_on_rails_pkg.join(' ')}"
+        success = system("npm", "install", *react_on_rails_pkg)
         handle_npm_failure("react-on-rails package", react_on_rails_pkg) unless success
       end
 
@@ -189,7 +189,7 @@ def add_react_dependencies
         ]
         return if add_npm_dependencies(react_deps)
 
-        success = run "npm install #{react_deps.join(' ')}"
+        success = system("npm", "install", *react_deps)
         handle_npm_failure("React dependencies", react_deps) unless success
       end
 
@@ -203,7 +203,7 @@ def add_css_dependencies
         ]
         return if add_npm_dependencies(css_deps)
 
-        success = run "npm install #{css_deps.join(' ')}"
+        success = system("npm", "install", *css_deps)
         handle_npm_failure("CSS dependencies", css_deps) unless success
       end
 
@@ -215,7 +215,7 @@ def add_dev_dependencies
         ]
         return if add_npm_dependencies(dev_deps, dev: true)
 
-        success = run "npm install --save-dev #{dev_deps.join(' ')}"
+        success = system("npm", "install", "--save-dev", *dev_deps)
         handle_npm_failure("development dependencies", dev_deps, dev: true) unless success
       end
 
diff --git a/lib/generators/react_on_rails/install_generator.rb b/lib/generators/react_on_rails/install_generator.rb
@@ -339,7 +339,7 @@ def install_typescript_dependencies
         return if add_npm_dependencies(typescript_packages, dev: true)
 
         # Fallback to npm if GeneratorHelper fails
-        success = run "npm install --save-dev #{typescript_packages.join(' ')}"
+        success = system("npm", "install", "--save-dev", *typescript_packages)
         return if success
 
         warning = <<~MSG.strip
diff --git a/lib/generators/react_on_rails/react_with_redux_generator.rb b/lib/generators/react_on_rails/react_with_redux_generator.rb
@@ -92,12 +92,12 @@ def add_redux_npm_dependencies
       private
 
       def install_packages_with_fallback(packages, dev:, package_manager:)
-        packages_str = packages.join(" ")
-        install_command = build_install_command(package_manager, dev, packages_str)
+        install_args = build_install_args(package_manager, dev, packages)
 
-        success = system(install_command)
+        success = system(*install_args)
         return if success
 
+        install_command = install_args.join(" ")
         warning = <<~MSG.strip
           ⚠️  Failed to install Redux dependencies automatically.
 
@@ -107,22 +107,30 @@ def install_packages_with_fallback(packages, dev:, package_manager:)
         GeneratorMessages.add_warning(warning)
       end
 
-      def build_install_command(package_manager, dev, packages_str)
+      def build_install_args(package_manager, dev, packages)
         # Security: Validate package manager to prevent command injection
         allowed_package_managers = %w[npm yarn pnpm bun].freeze
         unless allowed_package_managers.include?(package_manager)
           raise ArgumentError, "Invalid package manager: #{package_manager}"
         end
 
-        commands = {
-          "npm" => { dev: "npm install --save-dev", prod: "npm install" },
-          "yarn" => { dev: "yarn add --dev", prod: "yarn add" },
-          "pnpm" => { dev: "pnpm add --save-dev", prod: "pnpm add" },
-          "bun" => { dev: "bun add --dev", prod: "bun add" }
+        base_commands = {
+          "npm" => %w[npm install],
+          "yarn" => %w[yarn add],
+          "pnpm" => %w[pnpm add],
+          "bun" => %w[bun add]
         }
 
-        command_type = dev ? :dev : :prod
-        "#{commands[package_manager][command_type]} #{packages_str}"
+        base_args = base_commands[package_manager].dup
+        base_args << dev_flag_for(package_manager) if dev
+        base_args + packages
+      end
+
+      def dev_flag_for(package_manager)
+        case package_manager
+        when "npm", "pnpm" then "--save-dev"
+        when "yarn", "bun" then "--dev"
+        end
       end
 
       def add_redux_specific_messages
