shakapacker 8.4.0 → 9.0.0

data/package/utils/getStyleRule.ts

@@ -0,0 +1,64 @@
+/* eslint global-require: 0 */
+const { canProcess, moduleExists } = require("./helpers")
+const { requireOrError } = require("./requireOrError")
+const config = require("../config")
+const inliningCss = require("./inliningCss")
+
+interface StyleRule {
+  test: RegExp
+  use: any[]
+  type?: string
+}
+
+const getStyleRule = (test: RegExp, preprocessors: any[] = []): StyleRule | null => {
+  if (moduleExists("css-loader")) {
+    const tryPostcss = () =>
+      canProcess("postcss-loader", (loaderPath: string) => ({
+        loader: loaderPath,
+        options: { sourceMap: true }
+      }))
+
+    // style-loader is required when using css modules with HMR on the webpack-dev-server
+
+    const extractionPlugin =
+      config.assets_bundler === "rspack"
+        ? requireOrError("@rspack/core").CssExtractRspackPlugin.loader
+        : requireOrError("mini-css-extract-plugin").loader
+
+    const use = [
+      inliningCss ? "style-loader" : extractionPlugin,
+      {
+        loader: require.resolve("css-loader"),
+        options: {
+          sourceMap: true,
+          importLoaders: 2,
+          modules: {
+            auto: true,
+            // v9 defaults: Use named exports with camelCase conversion
+            // Note: css-loader requires 'camelCaseOnly' or 'dashesOnly' when namedExport is true
+            // Using 'camelCase' with namedExport: true causes a build error
+            namedExport: true,
+            exportLocalsConvention: 'camelCaseOnly'
+          }
+        }
+      },
+      tryPostcss(),
+      ...preprocessors
+    ].filter(Boolean)
+
+    const result: StyleRule = {
+      test,
+      use
+    }
+
+    if (config.assets_bundler === "rspack") {
+      result.type = "javascript/auto"
+    }
+
+    return result
+  }
+
+  return null
+}
+
+export = { getStyleRule }

data/package/utils/helpers.ts

@@ -0,0 +1,85 @@
+const { isModuleNotFoundError, getErrorMessage } = require("./errorHelpers")
+
+const isBoolean = (str: string): boolean => /^true/.test(str) || /^false/.test(str)
+
+const ensureTrailingSlash = (path: string): string => (path.endsWith("/") ? path : `${path}/`)
+
+const resolvedPath = (packageName: string): string | null => {
+  try {
+    return require.resolve(packageName)
+  } catch (error: unknown) {
+    if (!isModuleNotFoundError(error)) {
+      throw error
+    }
+    return null
+  }
+}
+
+const moduleExists = (packageName: string): boolean => !!resolvedPath(packageName)
+
+const canProcess = <T = unknown>(rule: string, fn: (modulePath: string) => T): T | null => {
+  const modulePath = resolvedPath(rule)
+
+  if (modulePath) {
+    return fn(modulePath)
+  }
+
+  return null
+}
+
+const loaderMatches = <T = unknown>(configLoader: string, loaderToCheck: string, fn: () => T): T | null => {
+  if (configLoader !== loaderToCheck) {
+    return null
+  }
+
+  const loaderName = `${configLoader}-loader`
+
+  if (!moduleExists(loaderName)) {
+    throw new Error(
+      `Your Shakapacker config specified using ${configLoader}, but ${loaderName} package is not installed.\n` +
+      `\nTo fix this issue, run one of the following commands:\n` +
+      `  npm install --save-dev ${loaderName}\n` +
+      `  yarn add --dev ${loaderName}\n` +
+      `\nOr change your 'javascript_transpiler' setting in shakapacker.yml to use a different loader.`
+    )
+  }
+
+  return fn()
+}
+
+const packageFullVersion = (packageName: string): string => {
+  try {
+    // eslint-disable-next-line import/no-dynamic-require
+    const packageJsonPath = require.resolve(`${packageName}/package.json`)
+    // eslint-disable-next-line import/no-dynamic-require, global-require
+    const packageJson = require(packageJsonPath) as { version: string }
+    return packageJson.version
+  } catch (error: any) {
+    // Re-throw the error with proper code to maintain compatibility with babel preset
+    // The preset expects MODULE_NOT_FOUND errors to handle missing core-js gracefully
+    if (error.code === "MODULE_NOT_FOUND") {
+      throw error
+    }
+    // For other errors, warn and re-throw
+    console.warn(
+      `[SHAKAPACKER WARNING] Failed to get version for package ${packageName}: ${getErrorMessage(error)}`
+    )
+    throw error
+  }
+}
+
+const packageMajorVersion = (packageName: string): string => {
+  const match = packageFullVersion(packageName).match(/^\d+/)
+  return match ? match[0] : "0"
+}
+
+export {
+  isBoolean,
+  ensureTrailingSlash,
+  canProcess,
+  moduleExists,
+  loaderMatches,
+  packageFullVersion,
+  packageMajorVersion,
+  resolvedPath
+}

data/package/utils/{inliningCss.js → inliningCss.ts}

@@ -2,7 +2,7 @@ const { runningWebpackDevServer } = require("../env")
 const devServer = require("../dev_server")
 
 // This logic is tied to lib/shakapacker/instance.rb
-const inliningCss =
-  runningWebpackDevServer && devServer.hmr && devServer.inline_css !== false
+const inliningCss: boolean =
+  runningWebpackDevServer && !!devServer.hmr && devServer.inline_css !== false
 
-module.exports = inliningCss
+export = inliningCss

data/package/utils/pathValidation.ts

@@ -0,0 +1,139 @@
+import * as path from "path"
+import * as fs from "fs"
+
+/**
+ * Security utilities for validating and sanitizing file paths
+ */
+
+/**
+ * Validates a path doesn't contain traversal patterns
+ */
+export function isPathTraversalSafe(inputPath: string): boolean {
+  // Check for common traversal patterns
+  // Null byte short-circuit (avoid regex with control chars)
+  if (inputPath.includes("\0")) return false
+  
+  const dangerousPatterns = [
+    /\.\.[\/\\]/,            // ../ or ..\
+    /^\//,                   // POSIX absolute
+    /^[A-Za-z]:[\/\\]/,      // Windows absolute (C:\ or C:/)
+    /^\\\\/,                 // Windows UNC (\\server\share)
+    /~[\/\\]/,               // Home directory expansion
+    /%2e%2e/i,               // URL encoded traversal
+  ]
+
+  return !dangerousPatterns.some(pattern => pattern.test(inputPath))
+}
+
+/**
+ * Resolves and validates a path within a base directory
+ * Prevents directory traversal attacks by ensuring the resolved path
+ * stays within the base directory
+ */
+export function safeResolvePath(basePath: string, userPath: string): string {
+  // Normalize the base path
+  const normalizedBase = path.resolve(basePath)
+  
+  // Resolve the user path relative to base
+  const resolved = path.resolve(normalizedBase, userPath)
+  
+  // Ensure the resolved path is within the base directory
+  if (!resolved.startsWith(normalizedBase + path.sep) && resolved !== normalizedBase) {
+    throw new Error(
+      `[SHAKAPACKER SECURITY] Path traversal attempt detected.\n` +
+      `Requested path would resolve outside of allowed directory.\n` +
+      `Base: ${normalizedBase}\n` +
+      `Attempted: ${userPath}\n` +
+      `Resolved to: ${resolved}`
+    )
+  }
+  
+  return resolved
+}
+
+/**
+ * Validates that a path exists and is accessible
+ */
+export function validatePathExists(filePath: string): boolean {
+  try {
+    fs.accessSync(filePath, fs.constants.R_OK)
+    return true
+  } catch {
+    return false
+  }
+}
+
+/**
+ * Validates an array of paths for security issues
+ */
+export function validatePaths(paths: string[], basePath: string): string[] {
+  const validatedPaths: string[] = []
+  
+  for (const userPath of paths) {
+    if (!isPathTraversalSafe(userPath)) {
+      console.warn(
+        `[SHAKAPACKER WARNING] Skipping potentially unsafe path: ${userPath}`
+      )
+      continue
+    }
+    
+    try {
+      const safePath = safeResolvePath(basePath, userPath)
+      validatedPaths.push(safePath)
+    } catch (error) {
+      console.warn(
+        `[SHAKAPACKER WARNING] Invalid path configuration: ${userPath}\n` +
+        `Error: ${error instanceof Error ? error.message : String(error)}`
+      )
+    }
+  }
+  
+  return validatedPaths
+}
+
+/**
+ * Sanitizes environment variable values to prevent injection
+ */
+export function sanitizeEnvValue(value: string | undefined): string | undefined {
+  if (!value) return value
+  
+  // Remove control characters and null bytes
+  // Filter by character code to avoid control character regex (Biome compliance)
+  const sanitized = value.split('').filter(char => {
+    const code = char.charCodeAt(0)
+    // Keep chars with code > 31 (after control chars) and not 127 (DEL)
+    return code > 31 && code !== 127
+  }).join('')
+  
+  // Warn if sanitization changed the value
+  if (sanitized !== value) {
+    console.warn(
+      `[SHAKAPACKER SECURITY] Environment variable value contained control characters that were removed`
+    )
+  }
+  
+  return sanitized
+}
+
+/**
+ * Validates a port number or string
+ */
+export function validatePort(port: unknown): boolean {
+  if (port === 'auto') return true
+  
+  if (typeof port === 'number') {
+    return port > 0 && port <= 65535 && Number.isInteger(port)
+  }
+  
+  if (typeof port === 'string') {
+    // First check if the string contains only digits
+    if (!/^\d+$/.test(port)) {
+      return false
+    }
+    // Only then parse and validate range
+    const num = parseInt(port, 10)
+    return num > 0 && num <= 65535
+  }
+  
+  return false
+}

data/package/utils/requireOrError.ts

@@ -0,0 +1,15 @@
+/* eslint global-require: 0 */
+/* eslint import/no-dynamic-require: 0 */
+const config = require("../config")
+
+const requireOrError = (moduleName: string): any => {
+  try {
+    return require(moduleName)
+  } catch (error) {
+    throw new Error(
+      `[SHAKAPACKER]: ${moduleName} is required for ${config.assets_bundler} but is not installed. View Shakapacker's documented dependencies at https://github.com/shakacode/shakapacker/tree/main/docs/peer-dependencies.md`
+    )
+  }
+}
+
+export = { requireOrError }

data/package/utils/snakeToCamelCase.ts

@@ -0,0 +1,5 @@
+function snakeToCamelCase(s: string): string {
+  return s.replace(/(_\w)/g, (match) => match[1].toUpperCase())
+}
+
+export = snakeToCamelCase

data/package/utils/typeGuards.ts

@@ -0,0 +1,342 @@
+import { Config, DevServerConfig, YamlConfig } from "../types"
+import { isPathTraversalSafe, validatePort } from "./pathValidation"
+
+// Cache for validated configs with TTL
+interface CacheEntry {
+  result: boolean
+  timestamp: number
+  configHash?: string
+}
+
+let validatedConfigs = new WeakMap<object, CacheEntry>()
+
+// Cache computed values to avoid repeated checks
+let cachedIsWatchMode: boolean | null = null
+let cachedCacheTTL: number | null = null
+
+/**
+ * Detect if running in watch mode (cached)
+ */
+function isWatchMode(): boolean {
+  if (cachedIsWatchMode === null) {
+    cachedIsWatchMode = process.argv.includes('--watch') || process.env.WEBPACK_WATCH === 'true'
+  }
+  return cachedIsWatchMode
+}
+
+/**
+ * Get cache TTL based on environment (cached)
+ */
+function getCacheTTL(): number {
+  if (cachedCacheTTL === null) {
+    if (process.env.SHAKAPACKER_CACHE_TTL) {
+      cachedCacheTTL = parseInt(process.env.SHAKAPACKER_CACHE_TTL, 10)
+    } else if (process.env.NODE_ENV === 'production' && !isWatchMode()) {
+      cachedCacheTTL = Infinity
+    } else if (isWatchMode()) {
+      cachedCacheTTL = 5000  // 5 seconds in watch mode
+    } else {
+      cachedCacheTTL = 60000 // 1 minute in dev
+    }
+  }
+  return cachedCacheTTL
+}
+
+// Only validate in development or when explicitly enabled
+function shouldValidate(): boolean {
+  return process.env.NODE_ENV !== 'production' || process.env.SHAKAPACKER_STRICT_VALIDATION === 'true'
+}
+
+// Debug logging for cache operations
+const debugCache = process.env.SHAKAPACKER_DEBUG_CACHE === 'true'
+
+/**
+ * Clear the validation cache
+ * Useful for testing or when config files change
+ */
+export function clearValidationCache(): void {
+  // Reassign to a new WeakMap to clear all entries
+  validatedConfigs = new WeakMap<object, CacheEntry>()
+  if (debugCache) {
+    console.log('[SHAKAPACKER DEBUG] Validation cache cleared')
+  }
+}
+
+/**
+ * Type guard to validate Config object at runtime
+ * In production, caches results for performance unless SHAKAPACKER_STRICT_VALIDATION is set
+ *
+ * IMPORTANT: Path traversal security checks ALWAYS run regardless of environment or validation mode.
+ * This ensures application security is never compromised for performance.
+ */
+export function isValidConfig(obj: unknown): obj is Config {
+  if (typeof obj !== 'object' || obj === null) {
+    return false
+  }
+
+  // Check cache with TTL
+  const cached = validatedConfigs.get(obj as object)
+  if (cached && (Date.now() - cached.timestamp) < getCacheTTL()) {
+    if (debugCache) {
+      console.log(`[SHAKAPACKER DEBUG] Config validation cache hit (result: ${cached.result})`)
+    }
+    return cached.result
+  }
+
+  const config = obj as Record<string, unknown>
+
+  // Check required string fields
+  const requiredStringFields = [
+    'source_path',
+    'source_entry_path',
+    'public_root_path',
+    'public_output_path',
+    'cache_path',
+    'javascript_transpiler'
+  ]
+
+  for (const field of requiredStringFields) {
+    if (typeof config[field] !== 'string') {
+      // Cache negative result
+      validatedConfigs.set(obj as object, { result: false, timestamp: Date.now() })
+      return false
+    }
+    // SECURITY: Path traversal validation ALWAYS runs (not subject to shouldValidate)
+    // This ensures paths are safe regardless of environment or validation mode
+    if (field.includes('path') && !isPathTraversalSafe(config[field] as string)) {
+      console.warn(`[SHAKAPACKER SECURITY] Invalid path in ${field}: ${config[field]}`)
+      validatedConfigs.set(obj as object, { result: false, timestamp: Date.now() })
+      return false
+    }
+  }
+  
+  // Check required boolean fields
+  const requiredBooleanFields = [
+    'nested_entries',
+    'css_extract_ignore_order_warnings',
+    'webpack_compile_output',
+    'shakapacker_precompile',
+    'cache_manifest',
+    'ensure_consistent_versioning',
+    'useContentHash',
+    'compile'
+  ]
+  
+  for (const field of requiredBooleanFields) {
+    if (typeof config[field] !== 'boolean') {
+      // Cache negative result
+      validatedConfigs.set(obj as object, { result: false, timestamp: Date.now() })
+      return false
+    }
+  }
+  
+  // Check arrays
+  if (!Array.isArray(config.additional_paths)) {
+    // Cache negative result
+    validatedConfigs.set(obj as object, { result: false, timestamp: Date.now() })
+    return false
+  }
+
+  // SECURITY: Path traversal validation for additional_paths ALWAYS runs (not subject to shouldValidate)
+  // This critical security check ensures user-provided paths cannot escape the project directory
+  for (const additionalPath of config.additional_paths as string[]) {
+    if (!isPathTraversalSafe(additionalPath)) {
+      console.warn(`[SHAKAPACKER SECURITY] Invalid additional_path: ${additionalPath}`)
+      validatedConfigs.set(obj as object, { result: false, timestamp: Date.now() })
+      return false
+    }
+  }
+
+  // In production, skip deep validation of optional fields unless explicitly enabled
+  // Security checks above still run regardless of this flag
+  if (!shouldValidate()) {
+    // Cache positive result - basic structure and security validated
+    validatedConfigs.set(obj as object, { result: true, timestamp: Date.now() })
+    return true
+  }
+
+  // Deep validation of optional fields (only in development or with SHAKAPACKER_STRICT_VALIDATION=true)
+  if (config.dev_server !== undefined && !isValidDevServerConfig(config.dev_server)) {
+    // Cache negative result
+    validatedConfigs.set(obj as object, { result: false, timestamp: Date.now() })
+    return false
+  }
+
+  if (config.integrity !== undefined) {
+    const integrity = config.integrity as Record<string, unknown>
+    if (typeof integrity.enabled !== 'boolean' ||
+        typeof integrity.cross_origin !== 'string') {
+      // Cache negative result
+      validatedConfigs.set(obj as object, { result: false, timestamp: Date.now() })
+      return false
+    }
+  }
+  
+  // Cache positive result
+  validatedConfigs.set(obj as object, { result: true, timestamp: Date.now() })
+  
+  return true
+}
+
+/**
+ * Type guard to validate DevServerConfig object at runtime
+ * In production, performs minimal validation for performance
+ */
+export function isValidDevServerConfig(obj: unknown): obj is DevServerConfig {
+  if (typeof obj !== 'object' || obj === null) {
+    return false
+  }
+  
+  // In production, skip deep validation unless explicitly enabled
+  if (!shouldValidate()) {
+    return true
+  }
+  
+  const config = obj as Record<string, unknown>
+  
+  // All fields are optional, just check types if present
+  if (config.hmr !== undefined && 
+      typeof config.hmr !== 'boolean' && 
+      config.hmr !== 'only') {
+    return false
+  }
+  
+  if (config.port !== undefined && !validatePort(config.port)) {
+    return false
+  }
+  
+  return true
+}
+
+/**
+ * Type guard to validate Rspack plugin instance
+ * Checks if an object looks like a valid Rspack plugin
+ */
+export function isValidRspackPlugin(obj: unknown): boolean {
+  if (typeof obj !== 'object' || obj === null) {
+    return false
+  }
+
+  const plugin = obj as Record<string, unknown>
+
+  // Check for common plugin patterns
+  // Most rspack plugins should have an apply method
+  if (typeof plugin.apply === 'function') {
+    return true
+  }
+
+  // Check for constructor name pattern (e.g., HtmlRspackPlugin)
+  const constructorName = plugin.constructor?.name || ''
+  if (constructorName.includes('Plugin') || constructorName.includes('Rspack')) {
+    return true
+  }
+
+  // Check for common plugin properties
+  if ('name' in plugin && typeof plugin.name === 'string') {
+    return true
+  }
+
+  return false
+}
+
+/**
+ * Type guard to validate array of Rspack plugins
+ * Ensures all items in the array are valid plugin instances
+ */
+export function isValidRspackPluginArray(arr: unknown): boolean {
+  if (!Array.isArray(arr)) {
+    return false
+  }
+
+  return arr.every(item => isValidRspackPlugin(item))
+}
+
+/**
+ * Type guard to validate YamlConfig structure
+ * In production, performs minimal validation for performance
+ */
+export function isValidYamlConfig(obj: unknown): obj is YamlConfig {
+  if (typeof obj !== 'object' || obj === null) {
+    return false
+  }
+  
+  // In production, skip deep validation unless explicitly enabled
+  if (!shouldValidate()) {
+    return true
+  }
+  
+  const config = obj as Record<string, unknown>
+  
+  // Each key should map to an object
+  for (const env of Object.keys(config)) {
+    if (typeof config[env] !== 'object' || config[env] === null) {
+      return false
+    }
+  }
+  
+  return true
+}
+
+/**
+ * Validates partial config used for merging
+ * Ensures that if fields are present, they have the correct types
+ * In production, performs minimal validation for performance
+ */
+export function isPartialConfig(obj: unknown): obj is Partial<Config> {
+  if (typeof obj !== 'object' || obj === null) {
+    return false
+  }
+  
+  // In production, skip deep validation unless explicitly enabled
+  if (!shouldValidate()) {
+    return true
+  }
+  
+  const config = obj as Record<string, unknown>
+  
+  // Check string fields if present
+  const stringFields = [
+    'source_path', 'source_entry_path', 'public_root_path',
+    'public_output_path', 'cache_path', 'javascript_transpiler'
+  ]
+  
+  for (const field of stringFields) {
+    if (field in config && typeof config[field] !== 'string') {
+      return false
+    }
+  }
+  
+  // Check boolean fields if present
+  const booleanFields = [
+    'nested_entries', 'css_extract_ignore_order_warnings',
+    'webpack_compile_output', 'shakapacker_precompile',
+    'cache_manifest', 'ensure_consistent_versioning'
+  ]
+  
+  for (const field of booleanFields) {
+    if (field in config && typeof config[field] !== 'boolean') {
+      return false
+    }
+  }
+  
+  // Check arrays if present
+  if ('additional_paths' in config && !Array.isArray(config.additional_paths)) {
+    return false
+  }
+  
+  return true
+}
+
+/**
+ * Creates a validation error with helpful context
+ */
+export function createConfigValidationError(
+  configPath: string,
+  environment: string,
+  details?: string
+): Error {
+  const message = `Invalid configuration in ${configPath} for environment '${environment}'`
+  return new Error(details ? `${message}: ${details}` : message)
+}
+
+