
Security: Potential command injection in switch-bundler custom dependencies #36

@justin808

Issue

The switch-bundler script interpolates dependency arrays directly into shell commands, which could allow command injection if a malicious custom config file is used.

Affected code (demos/basic-v16-rspack/bin/switch-bundler):

system("npm install --save-dev #{deps_to_install[:dev].join(' ')}")
system("npm install --save #{deps_to_install[:prod].join(' ')}")
system("npm uninstall #{deps_to_remove[:dev].join(' ')}")

Risk Assessment

Medium Priority because:

  • User controls the custom config file (.shakapacker-switch-bundler-dependencies.yml)
  • Attack requires user to create/edit config with malicious package names
  • Not exploitable via external input

However, defense-in-depth suggests we should validate package names.

Potential Attack Vector

Malicious config file:

rspack:
  devDependencies:
    - "foo; rm -rf ~"

This would execute: npm install --save-dev foo; rm -rf ~

Recommended Solutions

  1. Use array form of system() (preferred):

    system("npm", "install", "--save-dev", *deps_to_install[:dev])

  2. Validate package names with regex:

    VALID_PACKAGE_NAME = /\A[@a-z0-9][a-z0-9._\/-]*\z/i

    def validate_package_names(packages)
      invalid = packages.reject { |pkg| pkg.match?(VALID_PACKAGE_NAME) }
      unless invalid.empty?
        puts "❌ Invalid package names: #{invalid.join(', ')}"
        exit 1
      end
    end

  3. Shell escaping:

    require 'shellwords'
    system("npm install --save-dev #{Shellwords.shelljoin(deps_to_install[:dev])}")

Decision

This is a valid security concern but not urgent since:

  • User must explicitly create/modify the config file
  • No external input vector
  • npm itself may reject invalid package names

Recommend implementing solution #1 (array form of system) as it's the cleanest and most idiomatic Ruby approach.
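The three options side by side, as an added example that is not the repository's switch-bundler script: it loads a constructed config in the .shakapacker-switch-bundler-dependencies.yml shape (containing the payload from this issue), builds the argv array from solution #1, reuses the regex from solution #2 but returns the offenders instead of calling exit, and shows the Shellwords string from solution #3 for comparison. The function names and the injectable `runner` are assumptions made for this example.

```ruby
require 'yaml'
require 'shellwords'

# Regex from the issue: a name may start with "@" (scoped package) and may
# otherwise contain only letters, digits, ".", "_", "/" and "-".
VALID_PACKAGE_NAME = /\A[@a-z0-9][a-z0-9._\/-]*\z/i

# Constructed config in the .shakapacker-switch-bundler-dependencies.yml
# shape; the second entry is the payload quoted in the issue.
CONSTRUCTED_CONFIG = <<~YAML
  rspack:
    devDependencies:
      - "@rspack/core"
      - "foo; rm -rf ~"
YAML

def load_dev_dependencies(yaml_text, bundler)
  config = YAML.safe_load(yaml_text) || {}
  Array(config.dig(bundler, 'devDependencies'))
end

# Solution 2: return the offending names so the caller decides what to do.
def invalid_package_names(packages)
  packages.reject { |pkg| pkg.match?(VALID_PACKAGE_NAME) }
end

# Solution 1: one argv element per package. No shell parses this array, so
# "foo; rm -rf ~" reaches npm verbatim as a single (invalid) package name.
def npm_install_argv(packages, dev:)
  ['npm', 'install', dev ? '--save-dev' : '--save', *packages]
end

# Solution 3 for comparison: the escaped string a shell would still parse.
def npm_install_shell_string(packages, dev:)
  "npm install #{dev ? '--save-dev' : '--save'} #{Shellwords.shelljoin(packages)}"
end

# Validate first, then execute via the array form. `runner` defaults to
# Kernel#system but is injectable so the flow can be exercised without npm.
def install_dependencies(packages, dev:, runner: ->(*argv) { system(*argv) })
  bad = invalid_package_names(packages)
  return [:rejected, bad] unless bad.empty?
  [:ran, runner.call(*npm_install_argv(packages, dev: dev))]
end

if __FILE__ == $PROGRAM_NAME
  deps = load_dev_dependencies(CONSTRUCTED_CONFIG, 'rspack')
  puts "argv form:  #{npm_install_argv(deps, dev: true).inspect}"
  puts "shell form: #{npm_install_shell_string(deps, dev: true)}"
  puts "rejected:   #{invalid_package_names(deps).inspect}"
end
```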
