shakapacker 9.3.0.beta.7 → 9.3.0

data/package/rules/file.ts

@@ -1,4 +1,5 @@
 import { dirname, sep, normalize } from "path"
+
 const {
   additional_paths: additionalPaths,
   source_path: sourcePath

data/package/rules/jscommon.ts

@@ -1,5 +1,6 @@
 import { resolve } from "path"
 import { realpathSync } from "fs"
+
 const {
   source_path: sourcePath,
   additional_paths: additionalPaths

data/package/utils/helpers.ts

@@ -59,7 +59,6 @@ const loaderMatches = <T = unknown>(
 
 const packageFullVersion = (packageName: string): string => {
   try {
-    // eslint-disable-next-line import/no-dynamic-require
     const packageJsonPath = require.resolve(`${packageName}/package.json`)
     // eslint-disable-next-line import/no-dynamic-require, global-require
     const packageJson = require(packageJsonPath) as { version: string }

data/package/utils/pathValidation.ts

@@ -28,26 +28,87 @@ export function isPathTraversalSafe(inputPath: string): boolean {
 /**
  * Resolves and validates a path within a base directory
  * Prevents directory traversal attacks by ensuring the resolved path
- * stays within the base directory
+ * stays within the base directory.
+ * Also resolves symlinks to prevent symlink-based path traversal attacks.
+ *
+ * @param basePath - The base directory to validate against
+ * @param userPath - The user-provided path to validate
+ * @param resolveSymlinks - Whether to resolve symlinks (default: true for security)
+ * @returns The validated absolute path
+ * @throws Error if path is outside base directory
  */
-export function safeResolvePath(basePath: string, userPath: string): string {
-  // Normalize the base path
-  const normalizedBase = path.resolve(basePath)
+export function safeResolvePath(
+  basePath: string,
+  userPath: string,
+  resolveSymlinks = true
+): string {
+  // Resolve the base path through symlinks if enabled
+  let normalizedBase: string
+  try {
+    normalizedBase = resolveSymlinks
+      ? fs.realpathSync(basePath)
+      : path.resolve(basePath)
+  } catch (error: unknown) {
+    // If basePath doesn't exist (ENOENT), fall back to path.resolve
+    // Rethrow other errors (e.g., permission issues) as they indicate real problems
+    const nodeError = error as NodeJS.ErrnoException
+    if (nodeError?.code === "ENOENT") {
+      normalizedBase = path.resolve(basePath)
+    } else {
+      throw error
+    }
+  }
+
+  // For paths that may not exist yet, validate the parent directory
+  const absolutePath = path.resolve(basePath, userPath)
+  const parentDir = path.dirname(absolutePath)
+  const fileName = path.basename(absolutePath)
+
+  // Resolve parent directory through symlinks if it exists and symlink resolution is enabled
+  let resolvedParent: string
+  try {
+    resolvedParent = resolveSymlinks
+      ? fs.realpathSync(parentDir)
+      : path.resolve(parentDir)
+  } catch (error: unknown) {
+    // If parent doesn't exist (ENOENT), validate the absolute path as-is
+    // Rethrow other errors (e.g., permission issues) as they indicate real problems
+    const nodeError = error as NodeJS.ErrnoException
+    if (nodeError?.code === "ENOENT") {
+      if (
+        !absolutePath.startsWith(normalizedBase + path.sep) &&
+        absolutePath !== normalizedBase
+      ) {
+        throw new Error(
+          `[SHAKAPACKER SECURITY] Path traversal attempt detected.\n` +
+            `Requested path would resolve outside of allowed directory.\n` +
+            `Base: ${normalizedBase}\n` +
+            `Attempted: ${userPath}\n` +
+            `Resolved to: ${absolutePath}`
+        )
+      }
+      return absolutePath
+    }
+    throw error
+  }
 
-  // Resolve the user path relative to base
-  const resolved = path.resolve(normalizedBase, userPath)
+  // Reconstruct the full path with the resolved (symlink-free) parent
+  const resolved = path.resolve(resolvedParent, fileName)
 
   // Ensure the resolved path is within the base directory
   if (
     !resolved.startsWith(normalizedBase + path.sep) &&
     resolved !== normalizedBase
   ) {
+    const symlinkNote = resolveSymlinks
+      ? ` (symlink-resolved from ${userPath})`
+      : ""
     throw new Error(
       `[SHAKAPACKER SECURITY] Path traversal attempt detected.\n` +
         `Requested path would resolve outside of allowed directory.\n` +
         `Base: ${normalizedBase}\n` +
         `Attempted: ${userPath}\n` +
-        `Resolved to: ${resolved}`
+        `Resolved to: ${resolved}${symlinkNote}`
     )
   }
 

data/package/utils/requireOrError.ts

@@ -2,13 +2,21 @@
 /* eslint import/no-dynamic-require: 0 */
 const config = require("../config")
 
+interface ErrorWithCause extends Error {
+  cause?: unknown
+}
+
 const requireOrError = (moduleName: string): any => {
   try {
     return require(moduleName)
-  } catch (error) {
-    throw new Error(
+  } catch (originalError: unknown) {
+    const error: ErrorWithCause = new Error(
       `[SHAKAPACKER]: ${moduleName} is required for ${config.assets_bundler} but is not installed. View Shakapacker's documented dependencies at https://github.com/shakacode/shakapacker/tree/main/docs/peer-dependencies.md`
     )
+    // Add the original error as the cause for better debugging (ES2022+)
+    // Using custom interface since target is ES2020 but runtime supports it
+    error.cause = originalError
+    throw error
   }
 }
 

data/package/utils/typeGuards.ts

@@ -66,6 +66,38 @@ export function clearValidationCache(): void {
   }
 }
 
+/**
+ * Type guard to validate DevServerConfig object at runtime
+ * In production, performs minimal validation for performance
+ */
+export function isValidDevServerConfig(obj: unknown): obj is DevServerConfig {
+  if (typeof obj !== "object" || obj === null) {
+    return false
+  }
+
+  // In production, skip deep validation unless explicitly enabled
+  if (!shouldValidate()) {
+    return true
+  }
+
+  const config = obj as Record<string, unknown>
+
+  // All fields are optional, just check types if present
+  if (
+    config.hmr !== undefined &&
+    typeof config.hmr !== "boolean" &&
+    config.hmr !== "only"
+  ) {
+    return false
+  }
+
+  if (config.port !== undefined && !validatePort(config.port)) {
+    return false
+  }
+
+  return true
+}
+
 /**
  * Type guard to validate Config object at runtime
  * In production, caches results for performance unless SHAKAPACKER_STRICT_VALIDATION is set
@@ -79,7 +111,7 @@ export function isValidConfig(obj: unknown): obj is Config {
   }
 
   // Check cache with TTL
-  const cached = validatedConfigs.get(obj as object)
+  const cached = validatedConfigs.get(obj)
   if (cached && Date.now() - cached.timestamp < getCacheTTL()) {
     if (debugCache) {
       console.log(
@@ -104,7 +136,7 @@ export function isValidConfig(obj: unknown): obj is Config {
   for (const field of requiredStringFields) {
     if (typeof config[field] !== "string") {
       // Cache negative result
-      validatedConfigs.set(obj as object, {
+      validatedConfigs.set(obj, {
         result: false,
         timestamp: Date.now()
       })
@@ -112,14 +144,11 @@ export function isValidConfig(obj: unknown): obj is Config {
     }
     // SECURITY: Path traversal validation ALWAYS runs (not subject to shouldValidate)
     // This ensures paths are safe regardless of environment or validation mode
-    if (
-      field.includes("path") &&
-      !isPathTraversalSafe(config[field] as string)
-    ) {
+    if (field.includes("path") && !isPathTraversalSafe(config[field])) {
       console.warn(
         `[SHAKAPACKER SECURITY] Invalid path in ${field}: ${config[field]}`
       )
-      validatedConfigs.set(obj as object, {
+      validatedConfigs.set(obj, {
         result: false,
         timestamp: Date.now()
       })
@@ -142,7 +171,7 @@ export function isValidConfig(obj: unknown): obj is Config {
   for (const field of requiredBooleanFields) {
     if (typeof config[field] !== "boolean") {
       // Cache negative result
-      validatedConfigs.set(obj as object, {
+      validatedConfigs.set(obj, {
         result: false,
         timestamp: Date.now()
       })
@@ -153,7 +182,7 @@ export function isValidConfig(obj: unknown): obj is Config {
   // Check arrays
   if (!Array.isArray(config.additional_paths)) {
     // Cache negative result
-    validatedConfigs.set(obj as object, {
+    validatedConfigs.set(obj, {
       result: false,
       timestamp: Date.now()
     })
@@ -167,7 +196,7 @@ export function isValidConfig(obj: unknown): obj is Config {
       console.warn(
         `[SHAKAPACKER SECURITY] Invalid additional_path: ${additionalPath}`
       )
-      validatedConfigs.set(obj as object, {
+      validatedConfigs.set(obj, {
         result: false,
         timestamp: Date.now()
       })
@@ -179,7 +208,7 @@ export function isValidConfig(obj: unknown): obj is Config {
   // Security checks above still run regardless of this flag
   if (!shouldValidate()) {
     // Cache positive result - basic structure and security validated
-    validatedConfigs.set(obj as object, { result: true, timestamp: Date.now() })
+    validatedConfigs.set(obj, { result: true, timestamp: Date.now() })
     return true
   }
 
@@ -189,7 +218,7 @@ export function isValidConfig(obj: unknown): obj is Config {
     !isValidDevServerConfig(config.dev_server)
   ) {
     // Cache negative result
-    validatedConfigs.set(obj as object, {
+    validatedConfigs.set(obj, {
       result: false,
       timestamp: Date.now()
     })
@@ -203,7 +232,7 @@ export function isValidConfig(obj: unknown): obj is Config {
       typeof integrity.cross_origin !== "string"
     ) {
       // Cache negative result
-      validatedConfigs.set(obj as object, {
+      validatedConfigs.set(obj, {
         result: false,
         timestamp: Date.now()
       })
@@ -212,39 +241,7 @@ export function isValidConfig(obj: unknown): obj is Config {
   }
 
   // Cache positive result
-  validatedConfigs.set(obj as object, { result: true, timestamp: Date.now() })
-
-  return true
-}
-
-/**
- * Type guard to validate DevServerConfig object at runtime
- * In production, performs minimal validation for performance
- */
-export function isValidDevServerConfig(obj: unknown): obj is DevServerConfig {
-  if (typeof obj !== "object" || obj === null) {
-    return false
-  }
-
-  // In production, skip deep validation unless explicitly enabled
-  if (!shouldValidate()) {
-    return true
-  }
-
-  const config = obj as Record<string, unknown>
-
-  // All fields are optional, just check types if present
-  if (
-    config.hmr !== undefined &&
-    typeof config.hmr !== "boolean" &&
-    config.hmr !== "only"
-  ) {
-    return false
-  }
-
-  if (config.port !== undefined && !validatePort(config.port)) {
-    return false
-  }
+  validatedConfigs.set(obj, { result: true, timestamp: Date.now() })
 
   return true
 }

data/package/webpack-types.d.ts

@@ -1,4 +1,4 @@
-// @ts-ignore: webpack is an optional peer dependency (using type-only import)
+// @ts-expect-error: webpack is an optional peer dependency (using type-only import)
 import type { Configuration, RuleSetRule, RuleSetUseItem } from "webpack"
 
 export interface ShakapackerWebpackConfig extends Configuration {
@@ -13,7 +13,7 @@ export interface ShakapackerRule extends RuleSetRule {
 }
 
 export interface ShakapackerLoaderOptions {
-  [key: string]: any
+  [key: string]: unknown
 }
 
 export interface ShakapackerLoader {

data/package/webpackDevServerConfig.ts

@@ -1,4 +1,5 @@
 import { DevServerConfig } from "./types"
+
 const snakeToCamelCase = require("./utils/snakeToCamelCase")
 
 const shakapackerDevServerYamlConfig =

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shakapacker",
-  "version": "9.3.0-beta.7",
+  "version": "9.3.0",
   "description": "Use webpack to manage app-like JavaScript modules in Rails",
   "homepage": "https://github.com/shakacode/shakapacker",
   "bugs": {
@@ -74,7 +74,6 @@
     "eslint-plugin-import": "^2.32.0",
     "eslint-plugin-jest": "^29.0.1",
     "eslint-plugin-jsx-a11y": "^6.10.2",
-    "eslint-plugin-prettier": "^5.5.4",
     "eslint-plugin-react": "^7.37.5",
     "eslint-plugin-react-hooks": "^7.0.0",
     "husky": "^9.1.7",
@@ -109,7 +108,7 @@
     "babel-loader": "^8.2.4 || ^9.0.0 || ^10.0.0",
     "compression-webpack-plugin": "^9.0.0 || ^10.0.0 || ^11.0.0",
     "css-loader": "^6.8.1 || ^7.0.0",
-    "esbuild": "^0.14.0 || ^0.15.0 || ^0.16.0 || ^0.17.0 || ^0.18.0 || ^0.19.0 || ^0.20.0 || ^0.21.0 || ^0.22.0 || ^0.23.0 || ^0.24.0",
+    "esbuild": "^0.14.0 || ^0.15.0 || ^0.16.0 || ^0.17.0 || ^0.18.0 || ^0.19.0 || ^0.20.0 || ^0.21.0 || ^0.22.0 || ^0.23.0 || ^0.24.0 || ^0.25.0",
     "esbuild-loader": "^2.0.0 || ^3.0.0 || ^4.0.0",
     "mini-css-extract-plugin": "^2.0.0",
     "rspack-manifest-plugin": "^5.0.0",