shakapacker 8.4.0 → 9.7.0

data/package/utils/pathValidation.ts

@@ -0,0 +1,207 @@
+import * as path from "path"
+import * as fs from "fs"
+
+/**
+ * Security utilities for validating and sanitizing file paths
+ */
+
+/**
+ * Validates a path doesn't contain traversal patterns
+ */
+export function isPathTraversalSafe(inputPath: string): boolean {
+  // Check for common traversal patterns
+  // Null byte short-circuit (avoid regex with control chars)
+  if (inputPath.includes("\0")) return false
+
+  const dangerousPatterns = [
+    /\.\.[/\\]/, // ../ or ..\
+    /^\//, // POSIX absolute
+    /^[A-Za-z]:[/\\]/, // Windows absolute (C:\ or C:/)
+    /^\\\\/, // Windows UNC (\\server\share)
+    /~[/\\]/, // Home directory expansion
+    /%2e%2e/i // URL encoded traversal
+  ]
+
+  return !dangerousPatterns.some((pattern) => pattern.test(inputPath))
+}
+
+/**
+ * Resolves and validates a path within a base directory
+ * Prevents directory traversal attacks by ensuring the resolved path
+ * stays within the base directory.
+ * Also resolves symlinks to prevent symlink-based path traversal attacks.
+ *
+ * @param basePath - The base directory to validate against
+ * @param userPath - The user-provided path to validate
+ * @param resolveSymlinks - Whether to resolve symlinks (default: true for security)
+ * @returns The validated absolute path
+ * @throws Error if path is outside base directory
+ */
+export function safeResolvePath(
+  basePath: string,
+  userPath: string,
+  resolveSymlinks = true
+): string {
+  // Resolve the base path through symlinks if enabled
+  let normalizedBase: string
+  try {
+    normalizedBase = resolveSymlinks
+      ? fs.realpathSync(basePath)
+      : path.resolve(basePath)
+  } catch (error: unknown) {
+    // If basePath doesn't exist (ENOENT), fall back to path.resolve
+    // Rethrow other errors (e.g., permission issues) as they indicate real problems
+    const nodeError = error as NodeJS.ErrnoException
+    if (nodeError?.code === "ENOENT") {
+      normalizedBase = path.resolve(basePath)
+    } else {
+      throw error
+    }
+  }
+
+  // For paths that may not exist yet, validate the parent directory
+  const absolutePath = path.resolve(basePath, userPath)
+  const parentDir = path.dirname(absolutePath)
+  const fileName = path.basename(absolutePath)
+
+  // Resolve parent directory through symlinks if it exists and symlink resolution is enabled
+  let resolvedParent: string
+  try {
+    resolvedParent = resolveSymlinks
+      ? fs.realpathSync(parentDir)
+      : path.resolve(parentDir)
+  } catch (error: unknown) {
+    // If parent doesn't exist (ENOENT), validate the absolute path as-is
+    // Rethrow other errors (e.g., permission issues) as they indicate real problems
+    const nodeError = error as NodeJS.ErrnoException
+    if (nodeError?.code === "ENOENT") {
+      if (
+        !absolutePath.startsWith(normalizedBase + path.sep) &&
+        absolutePath !== normalizedBase
+      ) {
+        throw new Error(
+          `[SHAKAPACKER SECURITY] Path traversal attempt detected.\n` +
+            `Requested path would resolve outside of allowed directory.\n` +
+            `Base: ${normalizedBase}\n` +
+            `Attempted: ${userPath}\n` +
+            `Resolved to: ${absolutePath}`
+        )
+      }
+      return absolutePath
+    }
+    throw error
+  }
+
+  // Reconstruct the full path with the resolved (symlink-free) parent
+  const resolved = path.resolve(resolvedParent, fileName)
+
+  // Ensure the resolved path is within the base directory
+  if (
+    !resolved.startsWith(normalizedBase + path.sep) &&
+    resolved !== normalizedBase
+  ) {
+    const symlinkNote = resolveSymlinks
+      ? ` (symlink-resolved from ${userPath})`
+      : ""
+    throw new Error(
+      `[SHAKAPACKER SECURITY] Path traversal attempt detected.\n` +
+        `Requested path would resolve outside of allowed directory.\n` +
+        `Base: ${normalizedBase}\n` +
+        `Attempted: ${userPath}\n` +
+        `Resolved to: ${resolved}${symlinkNote}`
+    )
+  }
+
+  return resolved
+}
+
+/**
+ * Validates that a path exists and is accessible
+ */
+export function validatePathExists(filePath: string): boolean {
+  try {
+    fs.accessSync(filePath, fs.constants.R_OK)
+    return true
+  } catch {
+    return false
+  }
+}
+
+/**
+ * Validates an array of paths for security issues
+ */
+export function validatePaths(paths: string[], basePath: string): string[] {
+  const validatedPaths: string[] = []
+
+  for (const userPath of paths) {
+    if (!isPathTraversalSafe(userPath)) {
+      console.warn(
+        `[SHAKAPACKER WARNING] Skipping potentially unsafe path: ${userPath}`
+      )
+    } else {
+      try {
+        const safePath = safeResolvePath(basePath, userPath)
+        validatedPaths.push(safePath)
+      } catch (error) {
+        console.warn(
+          `[SHAKAPACKER WARNING] Invalid path configuration: ${userPath}\n` +
+            `Error: ${error instanceof Error ? error.message : String(error)}`
+        )
+      }
+    }
+  }
+
+  return validatedPaths
+}
+
+/**
+ * Sanitizes environment variable values to prevent injection
+ */
+export function sanitizeEnvValue(
+  value: string | undefined
+): string | undefined {
+  if (!value) return value
+
+  // Remove control characters and null bytes
+  // Filter by character code to avoid control character regex (Biome compliance)
+  const sanitized = value
+    .split("")
+    .filter((char) => {
+      const code = char.charCodeAt(0)
+      // Keep chars with code > 31 (after control chars) and not 127 (DEL)
+      return code > 31 && code !== 127
+    })
+    .join("")
+
+  // Warn if sanitization changed the value
+  if (sanitized !== value) {
+    console.warn(
+      `[SHAKAPACKER SECURITY] Environment variable value contained control characters that were removed`
+    )
+  }
+
+  return sanitized
+}
+
+/**
+ * Validates a port number or string
+ */
+export function validatePort(port: unknown): boolean {
+  if (port === "auto") return true
+
+  if (typeof port === "number") {
+    return port > 0 && port <= 65535 && Number.isInteger(port)
+  }
+
+  if (typeof port === "string") {
+    // First check if the string contains only digits
+    if (!/^\d+$/.test(port)) {
+      return false
+    }
+    // Only then parse and validate range
+    const num = parseInt(port, 10)
+    return num > 0 && num <= 65535
+  }
+
+  return false
+}

data/package/utils/requireOrError.ts

@@ -0,0 +1,24 @@
+/* eslint import/no-dynamic-require: 0 */
+import type { Config } from "../types"
+
+const config = require("../config") as Config
+
+interface ErrorWithCause extends Error {
+  cause?: unknown
+}
+
+const requireOrError = (moduleName: string): unknown => {
+  try {
+    return require(moduleName)
+  } catch (originalError: unknown) {
+    const error: ErrorWithCause = new Error(
+      `[SHAKAPACKER]: ${moduleName} is required for ${config.assets_bundler} but is not installed. View Shakapacker's documented dependencies at https://github.com/shakacode/shakapacker/tree/main/docs/peer-dependencies.md`
+    )
+    // Add the original error as the cause for better debugging (ES2022+)
+    // Using custom interface since target is ES2020 but runtime supports it
+    error.cause = originalError
+    throw error
+  }
+}
+
+export = { requireOrError }

data/package/utils/snakeToCamelCase.ts

@@ -0,0 +1,5 @@
+function snakeToCamelCase(s: string): string {
+  return s.replace(/(_\w)/g, (match) => match[1].toUpperCase())
+}
+
+export = snakeToCamelCase

data/package/utils/typeGuards.ts

@@ -0,0 +1,388 @@
+import { Config, DevServerConfig, YamlConfig } from "../types"
+import { isPathTraversalSafe, validatePort } from "./pathValidation"
+
+// Cache for validated configs with TTL
+interface CacheEntry {
+  result: boolean
+  timestamp: number
+  configHash?: string
+}
+
+let validatedConfigs = new WeakMap<object, CacheEntry>()
+
+// Cache computed values to avoid repeated checks
+let cachedIsWatchMode: boolean | null = null
+let cachedCacheTTL: number | null = null
+
+/**
+ * Detect if running in watch mode (cached)
+ */
+function isWatchMode(): boolean {
+  if (cachedIsWatchMode === null) {
+    cachedIsWatchMode =
+      process.argv.includes("--watch") || process.env.WEBPACK_WATCH === "true"
+  }
+  return cachedIsWatchMode
+}
+
+/**
+ * Get cache TTL based on environment (cached)
+ */
+function getCacheTTL(): number {
+  if (cachedCacheTTL === null) {
+    if (process.env.SHAKAPACKER_CACHE_TTL) {
+      cachedCacheTTL = parseInt(process.env.SHAKAPACKER_CACHE_TTL, 10)
+    } else if (process.env.NODE_ENV === "production" && !isWatchMode()) {
+      cachedCacheTTL = Infinity
+    } else if (isWatchMode()) {
+      cachedCacheTTL = 5000 // 5 seconds in watch mode
+    } else {
+      cachedCacheTTL = 60000 // 1 minute in dev
+    }
+  }
+  return cachedCacheTTL
+}
+
+// Only validate in development or when explicitly enabled
+function shouldValidate(): boolean {
+  return (
+    process.env.NODE_ENV !== "production" ||
+    process.env.SHAKAPACKER_STRICT_VALIDATION === "true"
+  )
+}
+
+// Debug logging for cache operations
+const debugCache = process.env.SHAKAPACKER_DEBUG_CACHE === "true"
+
+/**
+ * Clear the validation cache
+ * Useful for testing or when config files change
+ */
+export function clearValidationCache(): void {
+  // Reassign to a new WeakMap to clear all entries
+  validatedConfigs = new WeakMap<object, CacheEntry>()
+  if (debugCache) {
+    console.log("[SHAKAPACKER DEBUG] Validation cache cleared")
+  }
+}
+
+/**
+ * Type guard to validate DevServerConfig object at runtime
+ * In production, performs minimal validation for performance
+ */
+export function isValidDevServerConfig(obj: unknown): obj is DevServerConfig {
+  if (typeof obj !== "object" || obj === null) {
+    return false
+  }
+
+  // In production, skip deep validation unless explicitly enabled
+  if (!shouldValidate()) {
+    return true
+  }
+
+  const config = obj as Record<string, unknown>
+
+  // All fields are optional, just check types if present
+  if (
+    config.hmr !== undefined &&
+    typeof config.hmr !== "boolean" &&
+    config.hmr !== "only"
+  ) {
+    return false
+  }
+
+  if (config.port !== undefined && !validatePort(config.port)) {
+    return false
+  }
+
+  return true
+}
+
+/**
+ * Type guard to validate Config object at runtime
+ * In production, caches results for performance unless SHAKAPACKER_STRICT_VALIDATION is set
+ *
+ * IMPORTANT: Path traversal security checks ALWAYS run regardless of environment or validation mode.
+ * This ensures application security is never compromised for performance.
+ */
+export function isValidConfig(obj: unknown): obj is Config {
+  if (typeof obj !== "object" || obj === null) {
+    return false
+  }
+
+  // Check cache with TTL
+  const cached = validatedConfigs.get(obj)
+  if (cached && Date.now() - cached.timestamp < getCacheTTL()) {
+    if (debugCache) {
+      console.log(
+        `[SHAKAPACKER DEBUG] Config validation cache hit (result: ${cached.result})`
+      )
+    }
+    return cached.result
+  }
+
+  const config = obj as Record<string, unknown>
+
+  // Check required string fields
+  const requiredStringFields = [
+    "source_path",
+    "source_entry_path",
+    "public_root_path",
+    "public_output_path",
+    "cache_path",
+    "javascript_transpiler"
+  ]
+
+  for (const field of requiredStringFields) {
+    if (typeof config[field] !== "string") {
+      // Cache negative result
+      validatedConfigs.set(obj, {
+        result: false,
+        timestamp: Date.now()
+      })
+      return false
+    }
+    // SECURITY: Path traversal validation ALWAYS runs (not subject to shouldValidate)
+    // This ensures paths are safe regardless of environment or validation mode
+    if (field.includes("path") && !isPathTraversalSafe(config[field])) {
+      console.warn(
+        `[SHAKAPACKER SECURITY] Invalid path in ${field}: ${config[field]}`
+      )
+      validatedConfigs.set(obj, {
+        result: false,
+        timestamp: Date.now()
+      })
+      return false
+    }
+  }
+
+  // Check required boolean fields
+  const requiredBooleanFields = [
+    "nested_entries",
+    "css_extract_ignore_order_warnings",
+    "webpack_compile_output",
+    "shakapacker_precompile",
+    "cache_manifest",
+    "ensure_consistent_versioning",
+    "useContentHash",
+    "compile"
+  ]
+
+  for (const field of requiredBooleanFields) {
+    if (typeof config[field] !== "boolean") {
+      // Cache negative result
+      validatedConfigs.set(obj, {
+        result: false,
+        timestamp: Date.now()
+      })
+      return false
+    }
+  }
+
+  // Check arrays
+  if (!Array.isArray(config.additional_paths)) {
+    // Cache negative result
+    validatedConfigs.set(obj, {
+      result: false,
+      timestamp: Date.now()
+    })
+    return false
+  }
+
+  // SECURITY: Path traversal validation for additional_paths ALWAYS runs (not subject to shouldValidate)
+  // This critical security check ensures user-provided paths cannot escape the project directory
+  for (const additionalPath of config.additional_paths as string[]) {
+    if (!isPathTraversalSafe(additionalPath)) {
+      console.warn(
+        `[SHAKAPACKER SECURITY] Invalid additional_path: ${additionalPath}`
+      )
+      validatedConfigs.set(obj, {
+        result: false,
+        timestamp: Date.now()
+      })
+      return false
+    }
+  }
+
+  // In production, skip deep validation of optional fields unless explicitly enabled
+  // Security checks above still run regardless of this flag
+  if (!shouldValidate()) {
+    // Cache positive result - basic structure and security validated
+    validatedConfigs.set(obj, { result: true, timestamp: Date.now() })
+    return true
+  }
+
+  // Deep validation of optional fields (only in development or with SHAKAPACKER_STRICT_VALIDATION=true)
+  if (
+    config.dev_server !== undefined &&
+    !isValidDevServerConfig(config.dev_server)
+  ) {
+    // Cache negative result
+    validatedConfigs.set(obj, {
+      result: false,
+      timestamp: Date.now()
+    })
+    return false
+  }
+
+  if (config.integrity !== undefined) {
+    const integrity = config.integrity as Record<string, unknown>
+    if (
+      typeof integrity.enabled !== "boolean" ||
+      typeof integrity.cross_origin !== "string"
+    ) {
+      // Cache negative result
+      validatedConfigs.set(obj, {
+        result: false,
+        timestamp: Date.now()
+      })
+      return false
+    }
+  }
+
+  // Cache positive result
+  validatedConfigs.set(obj, { result: true, timestamp: Date.now() })
+
+  return true
+}
+
+/**
+ * Type guard to validate Rspack plugin instance
+ * Checks if an object looks like a valid Rspack plugin
+ */
+export function isValidRspackPlugin(obj: unknown): boolean {
+  if (typeof obj !== "object" || obj === null) {
+    return false
+  }
+
+  const plugin = obj as Record<string, unknown>
+
+  // Check for common plugin patterns
+  // Most rspack plugins should have an apply method
+  if (typeof plugin.apply === "function") {
+    return true
+  }
+
+  // Check for constructor name pattern (e.g., HtmlRspackPlugin)
+  const constructorName = plugin.constructor?.name || ""
+  if (
+    constructorName.includes("Plugin") ||
+    constructorName.includes("Rspack")
+  ) {
+    return true
+  }
+
+  // Check for common plugin properties
+  if ("name" in plugin && typeof plugin.name === "string") {
+    return true
+  }
+
+  return false
+}
+
+/**
+ * Type guard to validate array of Rspack plugins
+ * Ensures all items in the array are valid plugin instances
+ */
+export function isValidRspackPluginArray(arr: unknown): boolean {
+  if (!Array.isArray(arr)) {
+    return false
+  }
+
+  return arr.every((item) => isValidRspackPlugin(item))
+}
+
+/**
+ * Type guard to validate YamlConfig structure
+ * In production, performs minimal validation for performance
+ */
+export function isValidYamlConfig(obj: unknown): obj is YamlConfig {
+  if (typeof obj !== "object" || obj === null) {
+    return false
+  }
+
+  // In production, skip deep validation unless explicitly enabled
+  if (!shouldValidate()) {
+    return true
+  }
+
+  const config = obj as Record<string, unknown>
+
+  // Each key should map to an object
+  for (const env of Object.keys(config)) {
+    if (typeof config[env] !== "object" || config[env] === null) {
+      return false
+    }
+  }
+
+  return true
+}
+
+/**
+ * Validates partial config used for merging
+ * Ensures that if fields are present, they have the correct types
+ * In production, performs minimal validation for performance
+ */
+export function isPartialConfig(obj: unknown): obj is Partial<Config> {
+  if (typeof obj !== "object" || obj === null) {
+    return false
+  }
+
+  // In production, skip deep validation unless explicitly enabled
+  if (!shouldValidate()) {
+    return true
+  }
+
+  const config = obj as Record<string, unknown>
+
+  // Check string fields if present
+  const stringFields = [
+    "source_path",
+    "source_entry_path",
+    "public_root_path",
+    "public_output_path",
+    "cache_path",
+    "javascript_transpiler"
+  ]
+
+  for (const field of stringFields) {
+    if (field in config && typeof config[field] !== "string") {
+      return false
+    }
+  }
+
+  // Check boolean fields if present
+  const booleanFields = [
+    "nested_entries",
+    "css_extract_ignore_order_warnings",
+    "webpack_compile_output",
+    "shakapacker_precompile",
+    "cache_manifest",
+    "ensure_consistent_versioning"
+  ]
+
+  for (const field of booleanFields) {
+    if (field in config && typeof config[field] !== "boolean") {
+      return false
+    }
+  }
+
+  // Check arrays if present
+  if ("additional_paths" in config && !Array.isArray(config.additional_paths)) {
+    return false
+  }
+
+  return true
+}
+
+/**
+ * Creates a validation error with helpful context
+ */
+export function createConfigValidationError(
+  configPath: string,
+  environment: string,
+  details?: string
+): Error {
+  const message = `Invalid configuration in ${configPath} for environment '${environment}'`
+  return new Error(details ? `${message}: ${details}` : message)
+}

data/package/utils/validateDependencies.ts

@@ -0,0 +1,61 @@
+/**
+ * Validates that required dependencies are installed for the selected bundler
+ */
+
+const { moduleExists } = require("./helpers")
+const { error } = require("./debug")
+
+const validateRspackDependencies = (): void => {
+  const requiredDependencies = ["@rspack/core", "rspack-manifest-plugin"]
+
+  const missingDependencies = requiredDependencies.filter(
+    (dep) => !moduleExists(dep)
+  )
+
+  if (missingDependencies.length > 0) {
+    error(
+      `Missing required dependencies for RSpack:\n${missingDependencies
+        .map((dep) => `  - ${dep}`)
+        .join(
+          "\n"
+        )}\n\nPlease install them with:\n  npm install ${missingDependencies.join(
+        " "
+      )}`
+    )
+    throw new Error(
+      `Missing RSpack dependencies: ${missingDependencies.join(", ")}`
+    )
+  }
+}
+
+const validateWebpackDependencies = (): void => {
+  const requiredDependencies = [
+    "webpack",
+    "webpack-cli",
+    "webpack-assets-manifest"
+  ]
+
+  const missingDependencies = requiredDependencies.filter(
+    (dep) => !moduleExists(dep)
+  )
+
+  if (missingDependencies.length > 0) {
+    error(
+      `Missing required dependencies for Webpack:\n${missingDependencies
+        .map((dep) => `  - ${dep}`)
+        .join(
+          "\n"
+        )}\n\nPlease install them with:\n  npm install ${missingDependencies.join(
+        " "
+      )}`
+    )
+    throw new Error(
+      `Missing Webpack dependencies: ${missingDependencies.join(", ")}`
+    )
+  }
+}
+
+export = {
+  validateRspackDependencies,
+  validateWebpackDependencies
+}