Fix security and stability issues from PR review

justin808 · claude · justin808 · commit 1db6101a4a54 · 2025-09-29T15:11:46.000-10:00
- Add require 'fileutils' to server.rb - Refactor shell command execution to prevent injection attacks - Use argument arrays instead of string interpolation - Pass commands as arrays to spawn() and system() - Improve database state reset safety - Move after_state_reset hook to run after cleanup - Add support for disable_referential_integrity when available - Use proper table name quoting with quote_table_name - Use File.expand_path for folder detection These changes address security concerns about command injection and improve compatibility across different Rails environments. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/lib/cypress_on_rails/server.rb b/lib/cypress_on_rails/server.rb
@@ -1,5 +1,6 @@
 require 'socket'
 require 'timeout'
+require 'fileutils'
 require 'cypress_on_rails/configuration'
 
 module CypressOnRails
@@ -25,7 +26,7 @@ def open
 
     def run
       start_server do
-        result = run_command(run_command_str, "Running #{framework} tests")
+        result = run_command(run_command_args, "Running #{framework} tests")
         exit(result ? 0 : 1)
       end
     end
@@ -40,7 +41,7 @@ def init
     def detect_install_folder
       # Check common locations for cypress/playwright installation
       possible_folders = ['e2e', 'spec/e2e', 'spec/cypress', 'spec/playwright', 'cypress', 'playwright']
-      folder = possible_folders.find { |f| File.exist?(f) }
+      folder = possible_folders.find { |f| File.exist?(File.expand_path(f)) }
       folder || 'e2e'
     end
 
@@ -94,17 +95,17 @@ def start_server(&block)
     end
 
     def spawn_server
-      rails_command = if File.exist?('bin/rails')
-        'bin/rails'
+      rails_args = if File.exist?('bin/rails')
+        ['bin/rails']
       else
-        'bundle exec rails'
+        ['bundle', 'exec', 'rails']
       end
 
-      server_command = "#{rails_command} server -p #{port} -b #{host}"
+      server_args = rails_args + ['server', '-p', port.to_s, '-b', host]
       
-      puts "Starting Rails server: #{server_command}"
+      puts "Starting Rails server: #{server_args.join(' ')}"
       
-      spawn(server_command, out: $stdout, err: $stderr)
+      spawn(*server_args, out: $stdout, err: $stderr)
     end
 
     def wait_for_server(timeout = 30)
@@ -140,47 +141,47 @@ def open_command
       case framework
       when :cypress
         if command_exists?('yarn')
-          "yarn cypress open --project #{install_folder} --config baseUrl=#{base_url}"
+          ['yarn', 'cypress', 'open', '--project', install_folder, '--config', "baseUrl=#{base_url}"]
         elsif command_exists?('npx')
-          "npx cypress open --project #{install_folder} --config baseUrl=#{base_url}"
+          ['npx', 'cypress', 'open', '--project', install_folder, '--config', "baseUrl=#{base_url}"]
         else
-          "cypress open --project #{install_folder} --config baseUrl=#{base_url}"
+          ['cypress', 'open', '--project', install_folder, '--config', "baseUrl=#{base_url}"]
         end
       when :playwright
         if command_exists?('yarn')
-          "yarn playwright test --ui"
+          ['yarn', 'playwright', 'test', '--ui']
         elsif command_exists?('npx')
-          "npx playwright test --ui"
+          ['npx', 'playwright', 'test', '--ui']
         else
-          "playwright test --ui"
+          ['playwright', 'test', '--ui']
         end
       end
     end
 
-    def run_command_str
+    def run_command_args
       case framework
       when :cypress
         if command_exists?('yarn')
-          "yarn cypress run --project #{install_folder} --config baseUrl=#{base_url}"
+          ['yarn', 'cypress', 'run', '--project', install_folder, '--config', "baseUrl=#{base_url}"]
         elsif command_exists?('npx')
-          "npx cypress run --project #{install_folder} --config baseUrl=#{base_url}"
+          ['npx', 'cypress', 'run', '--project', install_folder, '--config', "baseUrl=#{base_url}"]
         else
-          "cypress run --project #{install_folder} --config baseUrl=#{base_url}"
+          ['cypress', 'run', '--project', install_folder, '--config', "baseUrl=#{base_url}"]
         end
       when :playwright
         if command_exists?('yarn')
-          "yarn playwright test"
+          ['yarn', 'playwright', 'test']
         elsif command_exists?('npx')
-          "npx playwright test"
+          ['npx', 'playwright', 'test']
         else
-          "playwright test"
+          ['playwright', 'test']
         end
       end
     end
 
-    def run_command(command, description)
-      puts "#{description}: #{command}"
-      system(command)
+    def run_command(command_args, description)
+      puts "#{description}: #{command_args.join(' ')}"
+      system(*command_args)
     end
 
     def command_exists?(command)
diff --git a/lib/cypress_on_rails/state_reset_middleware.rb b/lib/cypress_on_rails/state_reset_middleware.rb
@@ -18,16 +18,26 @@ def call(env)
     def reset_application_state
       config = CypressOnRails.configuration
       
-      # Run after_state_reset hook if configured
-      run_hook(config.after_state_reset)
-      
       # Default state reset actions
       if defined?(DatabaseCleaner)
         DatabaseCleaner.clean_with(:truncation)
       elsif defined?(ActiveRecord::Base)
-        ActiveRecord::Base.connection.tables.each do |table|
-          next if table == 'schema_migrations' || table == 'ar_internal_metadata'
-          ActiveRecord::Base.connection.execute("DELETE FROM #{table}")
+        connection = ActiveRecord::Base.connection
+        
+        # Use disable_referential_integrity if available for safer table clearing
+        if connection.respond_to?(:disable_referential_integrity)
+          connection.disable_referential_integrity do
+            connection.tables.each do |table|
+              next if table == 'schema_migrations' || table == 'ar_internal_metadata'
+              connection.execute("DELETE FROM #{connection.quote_table_name(table)}")
+            end
+          end
+        else
+          # Fallback to regular deletion with proper table name quoting
+          connection.tables.each do |table|
+            next if table == 'schema_migrations' || table == 'ar_internal_metadata'
+            connection.execute("DELETE FROM #{connection.quote_table_name(table)}")
+          end
         end
       end
       
@@ -36,6 +46,9 @@ def reset_application_state
       
       # Reset any class-level state
       ActiveSupport::Dependencies.clear if defined?(ActiveSupport::Dependencies)
+      
+      # Run after_state_reset hook after cleanup is complete
+      run_hook(config.after_state_reset)
     end
     
     def run_hook(hook)
