shakapacker 9.0.0.beta.6 → 9.0.0.beta.8

data/package/utils/errorHelpers.ts

@@ -2,6 +2,8 @@
  * Error handling utilities for consistent error management
  */
 
+import { ErrorCode, ShakapackerError } from './errorCodes'
+
 /**
  * Checks if an error is a file not found error (ENOENT)
  */
@@ -33,10 +35,31 @@ export function createFileOperationError(
   operation: 'read' | 'write' | 'delete',
   filePath: string,
   details?: string
+): ShakapackerError {
+  const errorCode = operation === 'read'
+    ? ErrorCode.FILE_READ_ERROR
+    : operation === 'write'
+    ? ErrorCode.FILE_WRITE_ERROR
+    : ErrorCode.FILE_NOT_FOUND
+
+  return new ShakapackerError(errorCode, {
+    path: filePath,
+    operation,
+    details
+  })
+}
+
+/**
+ * Creates a consistent error message for file operations (backward compatibility)
+ */
+export function createFileOperationErrorLegacy(
+  operation: 'read' | 'write' | 'delete',
+  filePath: string,
+  details?: string
 ): Error {
   const baseMessage = `Failed to ${operation} file at path '${filePath}'`
   const errorDetails = details ? ` - ${details}` : ''
-  const suggestion = operation === 'read' 
+  const suggestion = operation === 'read'
     ? ' (check if file exists and permissions are correct)'
     : operation === 'write'
     ? ' (check write permissions and disk space)'
@@ -70,8 +93,51 @@ export function isNodeError(error: unknown): error is NodeJS.ErrnoException {
   return (
     error instanceof Error &&
     'code' in error &&
-    typeof (error as any).code === 'string'
+    typeof (error as NodeJS.ErrnoException).code === 'string'
   )
 }
 
+/**
+ * Creates a configuration validation error
+ */
+export function createConfigValidationErrorWithCode(
+  configPath: string,
+  environment: string,
+  reason: string
+): ShakapackerError {
+  return new ShakapackerError(ErrorCode.CONFIG_VALIDATION_FAILED, {
+    path: configPath,
+    environment,
+    reason
+  })
+}
+
+/**
+ * Creates a module not found error
+ */
+export function createModuleNotFoundError(moduleName: string, details?: string): ShakapackerError {
+  return new ShakapackerError(ErrorCode.MODULE_NOT_FOUND, {
+    module: moduleName,
+    details
+  })
+}
+
+/**
+ * Creates a path traversal security error
+ */
+export function createPathTraversalError(path: string): ShakapackerError {
+  return new ShakapackerError(ErrorCode.SECURITY_PATH_TRAVERSAL, {
+    path
+  })
+}
+
+/**
+ * Creates a port validation error
+ */
+export function createPortValidationError(port: unknown): ShakapackerError {
+  return new ShakapackerError(ErrorCode.DEVSERVER_PORT_INVALID, {
+    port: String(port)
+  })
+}
+
 

data/package/utils/pathValidation.ts

@@ -0,0 +1,139 @@
+import * as path from "path"
+import * as fs from "fs"
+
+/**
+ * Security utilities for validating and sanitizing file paths
+ */
+
+/**
+ * Validates a path doesn't contain traversal patterns
+ */
+export function isPathTraversalSafe(inputPath: string): boolean {
+  // Check for common traversal patterns
+  // Null byte short-circuit (avoid regex with control chars)
+  if (inputPath.includes("\0")) return false
+  
+  const dangerousPatterns = [
+    /\.\.[\/\\]/,            // ../ or ..\
+    /^\//,                   // POSIX absolute
+    /^[A-Za-z]:[\/\\]/,      // Windows absolute (C:\ or C:/)
+    /^\\\\/,                 // Windows UNC (\\server\share)
+    /~[\/\\]/,               // Home directory expansion
+    /%2e%2e/i,               // URL encoded traversal
+  ]
+
+  return !dangerousPatterns.some(pattern => pattern.test(inputPath))
+}
+
+/**
+ * Resolves and validates a path within a base directory
+ * Prevents directory traversal attacks by ensuring the resolved path
+ * stays within the base directory
+ */
+export function safeResolvePath(basePath: string, userPath: string): string {
+  // Normalize the base path
+  const normalizedBase = path.resolve(basePath)
+  
+  // Resolve the user path relative to base
+  const resolved = path.resolve(normalizedBase, userPath)
+  
+  // Ensure the resolved path is within the base directory
+  if (!resolved.startsWith(normalizedBase + path.sep) && resolved !== normalizedBase) {
+    throw new Error(
+      `[SHAKAPACKER SECURITY] Path traversal attempt detected.\n` +
+      `Requested path would resolve outside of allowed directory.\n` +
+      `Base: ${normalizedBase}\n` +
+      `Attempted: ${userPath}\n` +
+      `Resolved to: ${resolved}`
+    )
+  }
+  
+  return resolved
+}
+
+/**
+ * Validates that a path exists and is accessible
+ */
+export function validatePathExists(filePath: string): boolean {
+  try {
+    fs.accessSync(filePath, fs.constants.R_OK)
+    return true
+  } catch {
+    return false
+  }
+}
+
+/**
+ * Validates an array of paths for security issues
+ */
+export function validatePaths(paths: string[], basePath: string): string[] {
+  const validatedPaths: string[] = []
+  
+  for (const userPath of paths) {
+    if (!isPathTraversalSafe(userPath)) {
+      console.warn(
+        `[SHAKAPACKER WARNING] Skipping potentially unsafe path: ${userPath}`
+      )
+      continue
+    }
+    
+    try {
+      const safePath = safeResolvePath(basePath, userPath)
+      validatedPaths.push(safePath)
+    } catch (error) {
+      console.warn(
+        `[SHAKAPACKER WARNING] Invalid path configuration: ${userPath}\n` +
+        `Error: ${error instanceof Error ? error.message : String(error)}`
+      )
+    }
+  }
+  
+  return validatedPaths
+}
+
+/**
+ * Sanitizes environment variable values to prevent injection
+ */
+export function sanitizeEnvValue(value: string | undefined): string | undefined {
+  if (!value) return value
+  
+  // Remove control characters and null bytes
+  // Filter by character code to avoid control character regex (Biome compliance)
+  const sanitized = value.split('').filter(char => {
+    const code = char.charCodeAt(0)
+    // Keep chars with code > 31 (after control chars) and not 127 (DEL)
+    return code > 31 && code !== 127
+  }).join('')
+  
+  // Warn if sanitization changed the value
+  if (sanitized !== value) {
+    console.warn(
+      `[SHAKAPACKER SECURITY] Environment variable value contained control characters that were removed`
+    )
+  }
+  
+  return sanitized
+}
+
+/**
+ * Validates a port number or string
+ */
+export function validatePort(port: unknown): boolean {
+  if (port === 'auto') return true
+  
+  if (typeof port === 'number') {
+    return port > 0 && port <= 65535 && Number.isInteger(port)
+  }
+  
+  if (typeof port === 'string') {
+    // First check if the string contains only digits
+    if (!/^\d+$/.test(port)) {
+      return false
+    }
+    // Only then parse and validate range
+    const num = parseInt(port, 10)
+    return num > 0 && num <= 65535
+  }
+  
+  return false
+}

data/package/utils/typeGuards.ts

@@ -1,43 +1,111 @@
 import { Config, DevServerConfig, YamlConfig } from "../types"
+import { isPathTraversalSafe, validatePort } from "./pathValidation"
 
-// Cache for validated configs in production
-const validatedConfigs = new WeakMap<object, boolean>()
+// Cache for validated configs with TTL
+interface CacheEntry {
+  result: boolean
+  timestamp: number
+  configHash?: string
+}
+
+let validatedConfigs = new WeakMap<object, CacheEntry>()
+
+// Cache computed values to avoid repeated checks
+let cachedIsWatchMode: boolean | null = null
+let cachedCacheTTL: number | null = null
+
+/**
+ * Detect if running in watch mode (cached)
+ */
+function isWatchMode(): boolean {
+  if (cachedIsWatchMode === null) {
+    cachedIsWatchMode = process.argv.includes('--watch') || process.env.WEBPACK_WATCH === 'true'
+  }
+  return cachedIsWatchMode
+}
+
+/**
+ * Get cache TTL based on environment (cached)
+ */
+function getCacheTTL(): number {
+  if (cachedCacheTTL === null) {
+    if (process.env.SHAKAPACKER_CACHE_TTL) {
+      cachedCacheTTL = parseInt(process.env.SHAKAPACKER_CACHE_TTL, 10)
+    } else if (process.env.NODE_ENV === 'production' && !isWatchMode()) {
+      cachedCacheTTL = Infinity
+    } else if (isWatchMode()) {
+      cachedCacheTTL = 5000  // 5 seconds in watch mode
+    } else {
+      cachedCacheTTL = 60000 // 1 minute in dev
+    }
+  }
+  return cachedCacheTTL
+}
 
 // Only validate in development or when explicitly enabled
-const shouldValidate = process.env.NODE_ENV !== 'production' || process.env.SHAKAPACKER_STRICT_VALIDATION === 'true'
+function shouldValidate(): boolean {
+  return process.env.NODE_ENV !== 'production' || process.env.SHAKAPACKER_STRICT_VALIDATION === 'true'
+}
+
+// Debug logging for cache operations
+const debugCache = process.env.SHAKAPACKER_DEBUG_CACHE === 'true'
+
+/**
+ * Clear the validation cache
+ * Useful for testing or when config files change
+ */
+export function clearValidationCache(): void {
+  // Reassign to a new WeakMap to clear all entries
+  validatedConfigs = new WeakMap<object, CacheEntry>()
+  if (debugCache) {
+    console.log('[SHAKAPACKER DEBUG] Validation cache cleared')
+  }
+}
 
 /**
  * Type guard to validate Config object at runtime
  * In production, caches results for performance unless SHAKAPACKER_STRICT_VALIDATION is set
+ *
+ * IMPORTANT: Path traversal security checks ALWAYS run regardless of environment or validation mode.
+ * This ensures application security is never compromised for performance.
  */
 export function isValidConfig(obj: unknown): obj is Config {
   if (typeof obj !== 'object' || obj === null) {
     return false
   }
 
-  // Quick return for production with cached results
-  if (!shouldValidate && validatedConfigs.has(obj as object)) {
-    return validatedConfigs.get(obj as object) as boolean
+  // Check cache with TTL
+  const cached = validatedConfigs.get(obj as object)
+  if (cached && (Date.now() - cached.timestamp) < getCacheTTL()) {
+    if (debugCache) {
+      console.log(`[SHAKAPACKER DEBUG] Config validation cache hit (result: ${cached.result})`)
+    }
+    return cached.result
   }
 
   const config = obj as Record<string, unknown>
-  
+
   // Check required string fields
   const requiredStringFields = [
     'source_path',
-    'source_entry_path', 
+    'source_entry_path',
     'public_root_path',
     'public_output_path',
     'cache_path',
     'javascript_transpiler'
   ]
-  
+
   for (const field of requiredStringFields) {
     if (typeof config[field] !== 'string') {
-      // Cache negative result in production
-      if (!shouldValidate) {
-        validatedConfigs.set(obj as object, false)
-      }
+      // Cache negative result
+      validatedConfigs.set(obj as object, { result: false, timestamp: Date.now() })
+      return false
+    }
+    // SECURITY: Path traversal validation ALWAYS runs (not subject to shouldValidate)
+    // This ensures paths are safe regardless of environment or validation mode
+    if (field.includes('path') && !isPathTraversalSafe(config[field] as string)) {
+      console.warn(`[SHAKAPACKER SECURITY] Invalid path in ${field}: ${config[field]}`)
+      validatedConfigs.set(obj as object, { result: false, timestamp: Date.now() })
       return false
     }
   }
@@ -56,52 +124,58 @@ export function isValidConfig(obj: unknown): obj is Config {
   
   for (const field of requiredBooleanFields) {
     if (typeof config[field] !== 'boolean') {
-      // Cache negative result in production
-      if (!shouldValidate) {
-        validatedConfigs.set(obj as object, false)
-      }
+      // Cache negative result
+      validatedConfigs.set(obj as object, { result: false, timestamp: Date.now() })
       return false
     }
   }
   
   // Check arrays
   if (!Array.isArray(config.additional_paths)) {
-    // Cache negative result in production
-    if (!shouldValidate) {
-      validatedConfigs.set(obj as object, false)
-    }
+    // Cache negative result
+    validatedConfigs.set(obj as object, { result: false, timestamp: Date.now() })
     return false
   }
-  
-  // Check optional fields
-  if (config.dev_server !== undefined && !isValidDevServerConfig(config.dev_server)) {
-    // Cache negative result in production
-    if (!shouldValidate) {
-      validatedConfigs.set(obj as object, false)
+
+  // SECURITY: Path traversal validation for additional_paths ALWAYS runs (not subject to shouldValidate)
+  // This critical security check ensures user-provided paths cannot escape the project directory
+  for (const additionalPath of config.additional_paths as string[]) {
+    if (!isPathTraversalSafe(additionalPath)) {
+      console.warn(`[SHAKAPACKER SECURITY] Invalid additional_path: ${additionalPath}`)
+      validatedConfigs.set(obj as object, { result: false, timestamp: Date.now() })
+      return false
     }
+  }
+
+  // In production, skip deep validation of optional fields unless explicitly enabled
+  // Security checks above still run regardless of this flag
+  if (!shouldValidate()) {
+    // Cache positive result - basic structure and security validated
+    validatedConfigs.set(obj as object, { result: true, timestamp: Date.now() })
+    return true
+  }
+
+  // Deep validation of optional fields (only in development or with SHAKAPACKER_STRICT_VALIDATION=true)
+  if (config.dev_server !== undefined && !isValidDevServerConfig(config.dev_server)) {
+    // Cache negative result
+    validatedConfigs.set(obj as object, { result: false, timestamp: Date.now() })
     return false
   }
-  
+
   if (config.integrity !== undefined) {
     const integrity = config.integrity as Record<string, unknown>
-    if (typeof integrity.enabled !== 'boolean' || 
+    if (typeof integrity.enabled !== 'boolean' ||
         typeof integrity.cross_origin !== 'string') {
-      // Cache negative result in production
-      if (!shouldValidate) {
-        validatedConfigs.set(obj as object, false)
-      }
+      // Cache negative result
+      validatedConfigs.set(obj as object, { result: false, timestamp: Date.now() })
       return false
     }
   }
   
-  const result = true
-  
-  // Cache result in production
-  if (!shouldValidate) {
-    validatedConfigs.set(obj as object, result)
-  }
+  // Cache positive result
+  validatedConfigs.set(obj as object, { result: true, timestamp: Date.now() })
   
-  return result
+  return true
 }
 
 /**
@@ -114,7 +188,7 @@ export function isValidDevServerConfig(obj: unknown): obj is DevServerConfig {
   }
   
   // In production, skip deep validation unless explicitly enabled
-  if (!shouldValidate) {
+  if (!shouldValidate()) {
     return true
   }
   
@@ -127,16 +201,56 @@ export function isValidDevServerConfig(obj: unknown): obj is DevServerConfig {
     return false
   }
   
-  if (config.port !== undefined && 
-      typeof config.port !== 'number' && 
-      typeof config.port !== 'string' &&
-      config.port !== 'auto') {
+  if (config.port !== undefined && !validatePort(config.port)) {
     return false
   }
   
   return true
 }
 
+/**
+ * Type guard to validate Rspack plugin instance
+ * Checks if an object looks like a valid Rspack plugin
+ */
+export function isValidRspackPlugin(obj: unknown): boolean {
+  if (typeof obj !== 'object' || obj === null) {
+    return false
+  }
+
+  const plugin = obj as Record<string, unknown>
+
+  // Check for common plugin patterns
+  // Most rspack plugins should have an apply method
+  if (typeof plugin.apply === 'function') {
+    return true
+  }
+
+  // Check for constructor name pattern (e.g., HtmlRspackPlugin)
+  const constructorName = plugin.constructor?.name || ''
+  if (constructorName.includes('Plugin') || constructorName.includes('Rspack')) {
+    return true
+  }
+
+  // Check for common plugin properties
+  if ('name' in plugin && typeof plugin.name === 'string') {
+    return true
+  }
+
+  return false
+}
+
+/**
+ * Type guard to validate array of Rspack plugins
+ * Ensures all items in the array are valid plugin instances
+ */
+export function isValidRspackPluginArray(arr: unknown): boolean {
+  if (!Array.isArray(arr)) {
+    return false
+  }
+
+  return arr.every(item => isValidRspackPlugin(item))
+}
+
 /**
  * Type guard to validate YamlConfig structure
  * In production, performs minimal validation for performance
@@ -147,7 +261,7 @@ export function isValidYamlConfig(obj: unknown): obj is YamlConfig {
   }
   
   // In production, skip deep validation unless explicitly enabled
-  if (!shouldValidate) {
+  if (!shouldValidate()) {
     return true
   }
   
@@ -174,7 +288,7 @@ export function isPartialConfig(obj: unknown): obj is Partial<Config> {
   }
   
   // In production, skip deep validation unless explicitly enabled
-  if (!shouldValidate) {
+  if (!shouldValidate()) {
     return true
   }
   

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shakapacker",
-  "version": "9.0.0-beta.6",
+  "version": "9.0.0-beta.8",
   "description": "Use webpack to manage app-like JavaScript modules in Rails",
   "homepage": "https://github.com/shakacode/shakapacker",
   "bugs": {
@@ -16,6 +16,7 @@
   "types": "package/index.d.ts",
   "exports": {
     ".": "./package/index.js",
+    "./types": "./package/types/index.js",
     "./webpack": "./package/webpack/index.js",
     "./rspack": "./package/rspack/index.js",
     "./swc": "./package/swc/index.js",
@@ -30,11 +31,13 @@
   ],
   "scripts": {
     "clean:ts": "find package -name '*.ts' -not -name '*.d.ts' | sed 's/\\.ts$//' | xargs -I {} rm -f {}.js {}.d.ts {}.d.ts.map {}.js.map",
-    "build": "tsc",
+    "build": "tsc && node scripts/remove-use-strict.js && yarn prettier --write 'package/**/*.js'",
     "build:types": "tsc",
     "lint": "eslint .",
+    "lint:fast": "eslint . --ext .js,.jsx,.ts,.tsx --config .eslintrc.fast.js",
     "test": "jest",
-    "type-check": "tsc --noEmit"
+    "type-check": "tsc --noEmit",
+    "prepublishOnly": "yarn build && yarn type-check"
   },
   "dependencies": {
     "js-yaml": "^4.1.0",
@@ -44,12 +47,15 @@
   "devDependencies": {
     "@rspack/cli": "^1.4.11",
     "@rspack/core": "^1.4.11",
+    "@types/babel__core": "^7.20.5",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "^24.5.2",
     "@types/path-complete-extname": "^1.0.3",
     "@types/webpack": "^5.28.5",
     "@types/webpack-dev-server": "^4.7.2",
     "@types/webpack-merge": "^5.0.0",
+    "@typescript-eslint/eslint-plugin": "^8.45.0",
+    "@typescript-eslint/parser": "^8.45.0",
     "babel-loader": "^8.2.4",
     "compression-webpack-plugin": "^9.0.0",
     "css-loader": "^7.1.2",
@@ -63,7 +69,9 @@
     "eslint-plugin-prettier": "^5.2.6",
     "eslint-plugin-react": "^7.37.5",
     "eslint-plugin-react-hooks": "^4.6.0",
+    "husky": "^9.1.7",
     "jest": "^29.7.0",
+    "lint-staged": "^15.2.10",
     "memory-fs": "^0.5.0",
     "mini-css-extract-plugin": "^2.9.4",
     "prettier": "^3.2.5",
@@ -81,8 +89,8 @@
     "@babel/plugin-transform-runtime": "^7.17.0",
     "@babel/preset-env": "^7.16.11",
     "@babel/runtime": "^7.17.9",
-    "@rspack/core": "^1.0.0",
     "@rspack/cli": "^1.0.0",
+    "@rspack/core": "^1.0.0",
     "@rspack/plugin-react-refresh": "^1.0.0",
     "@types/babel__core": "^7.0.0",
     "@types/webpack": "^5.0.0",
@@ -181,6 +189,20 @@
     }
   },
   "packageManager": "yarn@1.22.22",
+  "lint-staged": {
+    "*.{js,jsx}": [
+      "eslint --fix",
+      "prettier --write"
+    ],
+    "*.{ts,tsx}": [
+      "eslint --fix",
+      "prettier --write",
+      "node scripts/type-check-no-emit.js"
+    ],
+    "*.{json,yml,yaml,md}": [
+      "prettier --write"
+    ]
+  },
   "engines": {
     "node": ">= 14",
     "yarn": ">=1 <5"

data/scripts/remove-use-strict.js

@@ -0,0 +1,45 @@
+#!/usr/bin/env node
+const fs = require("fs")
+const path = require("path")
+
+// Recursively find all .js files in a directory
+function findJsFiles(dir) {
+  const files = []
+  const items = fs.readdirSync(dir, { withFileTypes: true })
+
+  items.forEach((item) => {
+    const fullPath = path.join(dir, item.name)
+    if (item.isDirectory()) {
+      files.push(...findJsFiles(fullPath))
+    } else if (item.isFile() && item.name.endsWith(".js")) {
+      files.push(fullPath)
+    }
+  })
+
+  return files
+}
+
+// Find all .js files in package directory
+const files = findJsFiles("package")
+
+files.forEach((file) => {
+  let content = fs.readFileSync(file, "utf8")
+
+  // Remove "use strict" directive with various quote styles and formatting
+  // Handles: optional whitespace, single/double/unicode quotes, optional semicolon,
+  // and any trailing whitespace/newline sequences
+  content = content.replace(
+    /^\s*["'\u2018\u2019\u201C\u201D]use\s+strict["'\u2018\u2019\u201C\u201D]\s*;?\s*[\r\n]*/,
+    ""
+  )
+
+  // Ensure file ends with exactly one newline
+  if (!content.endsWith("\n")) {
+    content += "\n"
+  }
+
+  fs.writeFileSync(file, content, "utf8")
+})
+
+// eslint-disable-next-line no-console
+console.log(`Removed "use strict" from ${files.length} files`)

data/scripts/type-check-no-emit.js

@@ -0,0 +1,27 @@
+#!/usr/bin/env node
+
+/**
+ * Type-check script for lint-staged
+ *
+ * This script runs TypeScript type checking without emitting files.
+ * It ignores any arguments passed by lint-staged to ensure tsc uses
+ * the project's tsconfig.json rather than trying to compile individual files.
+ *
+ * Without this wrapper, lint-staged would pass staged file paths as arguments
+ * to tsc, causing it to ignore tsconfig.json and fail type checking.
+ */
+
+const { execSync } = require("child_process")
+
+try {
+  // Run tsc with no arguments (ignoring any passed by lint-staged)
+  // This ensures it uses tsconfig.json properly
+  execSync("npx tsc --noEmit", {
+    stdio: "inherit",
+    cwd: process.cwd()
+  })
+  process.exit(0)
+} catch (error) {
+  // Type checking failed
+  process.exit(1)
+}