From f98c7085d61778216b146a79df7acdcb200d7817 Mon Sep 17 00:00:00 2001 From: Andrii Kurdiumov Date: Mon, 10 Feb 2025 11:34:42 +0500 Subject: [PATCH 1/4] Account for Node security patch As of https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2#command-injection-via-args-parameter-of-child_processspawn-without-shell-option-enabled-on-windows-cve-2024-27980---high Cordova produce unrecognized error on Windows. Fixes: https://github.com/apache/cordova-cli/issues/456 --- lib/check_reqs.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/check_reqs.js b/lib/check_reqs.js index 903f3e4c0..dbbed7834 100644 --- a/lib/check_reqs.js +++ b/lib/check_reqs.js @@ -110,7 +110,7 @@ module.exports.get_gradle_wrapper = function () { let program_dir; // OK, This hack only works on Windows, not on Mac OS or Linux. We will be deleting this eventually! if (module.exports.isWindows()) { - const result = execa.sync(path.join(__dirname, 'getASPath.bat')); + const result = execa.sync(path.join(__dirname, 'getASPath.bat'), { spawn: true }); // console.log('result.stdout =' + result.stdout.toString()); // console.log('result.stderr =' + result.stderr.toString()); From 859c2ce66bb7c438af0d2d409d92e4fb8b1eb227 Mon Sep 17 00:00:00 2001 From: Andrii Kurdiumov Date: Tue, 11 Feb 2025 12:45:37 +0500 Subject: [PATCH 2/4] Update lib/check_reqs.js Co-authored-by: Norman Breau --- lib/check_reqs.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/check_reqs.js b/lib/check_reqs.js index dbbed7834..9df9393e6 100644 --- a/lib/check_reqs.js +++ b/lib/check_reqs.js 
@@ -110,6 +110,8 @@ module.exports.get_gradle_wrapper = function () { let program_dir; // OK, This hack only works on Windows, not on Mac OS or Linux. We will be deleting this eventually! if (module.exports.isWindows()) { + // "spawn" option enabled for CVE-2024-27980 (Windows) Mitigation + // See https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2 for more details const result = execa.sync(path.join(__dirname, 'getASPath.bat'), { spawn: true }); // console.log('result.stdout =' + result.stdout.toString()); // console.log('result.stderr =' + result.stderr.toString()); From a247df75c87c3e4e50967bf43bddde4d9eb6696c Mon Sep 17 00:00:00 2001 From: Andrii Kurdiumov Date: Tue, 11 Feb 2025 12:47:10 +0500 Subject: [PATCH 3/4] Fix incorrect parameter --- lib/check_reqs.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/check_reqs.js b/lib/check_reqs.js index 9df9393e6..54c0739f7 100644 --- a/lib/check_reqs.js +++ b/lib/check_reqs.js @@ -112,7 +112,7 @@ module.exports.get_gradle_wrapper = function () { if (module.exports.isWindows()) { // "spawn" option enabled for CVE-2024-27980 (Windows) Mitigation // See https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2 for more details - const result = execa.sync(path.join(__dirname, 'getASPath.bat'), { spawn: true }); + const result = execa.sync(path.join(__dirname, 'getASPath.bat'), { shell: true }); // console.log('result.stdout =' + result.stdout.toString()); // console.log('result.stderr =' + result.stderr.toString()); From 431497dc09ebaa168b880ec950f2fc8af276cc5c Mon Sep 17 00:00:00 2001 From: Andrii Kurdiumov Date: Tue, 11 Feb 2025 23:08:45 +0500 Subject: [PATCH 4/4] Address PR comments. Normalize comment with option in the code below. --- lib/check_reqs.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/check_reqs.js b/lib/check_reqs.js index 54c0739f7..2422296b7 100644 --- a/lib/check_reqs.js +++ b/lib/check_reqs.js 
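Review bot: In PATCH 3/4 the new call `execa.sync(path.join(__dirname, 'getASPath.bat'), { shell: true })` passes the joined path to the Windows shell as a bare command string. As far as I know, execa does not quote or escape the command when `shell` is set. If so, an install or checkout directory containing a space would stop the script from being found, and a character such as `&` in the path would be interpreted by cmd.exe instead of being treated as part of the file name. Quoting the path keeps it a single token: `const result = execa.sync('"' + path.join(__dirname, 'getASPath.bat') + '"', { shell: true });`. This is worth testing from a project path that contains a space. The body of `get_gradle_wrapper` continues outside the hunk, so how `result` is used afterwards is not visible here.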
@@ -110,7 +110,7 @@ module.exports.get_gradle_wrapper = function () { let program_dir; // OK, This hack only works on Windows, not on Mac OS or Linux. We will be deleting this eventually! if (module.exports.isWindows()) { - // "spawn" option enabled for CVE-2024-27980 (Windows) Mitigation + // "shell" option enabled for CVE-2024-27980 (Windows) Mitigation // See https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2 for more details const result = execa.sync(path.join(__dirname, 'getASPath.bat'), { shell: true }); // console.log('result.stdout =' + result.stdout.toString());
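Review bot: The comment `// "shell" option enabled for CVE-2024-27980 (Windows) Mitigation` reads as if `shell: true` were the mitigation. According to the linked advisory the fix is in Node itself, and the commit description says the option is only there because Cordova started failing on Windows after that release. Routing through a shell is the less restrictive mode, so the comment should say it is a compatibility workaround and state the constraint that keeps it safe. For example: `// Node's CVE-2024-27980 fix rejects launching .bat files without a shell, so run via the shell.` followed by `// Keep this call free of user-supplied arguments: with shell enabled they would be parsed by cmd.exe.`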