From 8f458b042bd61a779eec19516a9ec51e38e56c5e Mon Sep 17 00:00:00 2001
From: Andrii Kurdiumov
Date: Tue, 18 Feb 2025 16:53:18 +0500
Subject: [PATCH] feat: Account for Node security patch (#1778)
As of https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2#command-injection-via-args-parameter-of-child_processspawn-without-shell-option-enabled-on-windows-cve-2024-27980---high Cordova produce unrecognized error on Windows.
Fixes: https://github.com/apache/cordova-cli/issues/456
---------
Co-authored-by: Norman Breau
---
 lib/check_reqs.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/check_reqs.js b/lib/check_reqs.js
index 903f3e4c..2422296b 100644
--- a/lib/check_reqs.js
+++ b/lib/check_reqs.js
@@ -110,7 +110,9 @@ module.exports.get_gradle_wrapper = function () {
 let program_dir;
 // OK, This hack only works on Windows, not on Mac OS or Linux. We will be deleting this eventually!
 if (module.exports.isWindows()) {
- const result = execa.sync(path.join(__dirname, 'getASPath.bat'));
+ // "shell" option enabled for CVE-2024-27980 (Windows) Mitigation
+ // See https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2 for more details
+ const result = execa.sync(path.join(__dirname, 'getASPath.bat'), { shell: true });
 // console.log('result.stdout =' + result.stdout.toString());
 // console.log('result.stderr =' + result.stderr.toString());
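Review bot: With `{ shell: true }` the script path on the added `execa.sync` line is handed to cmd.exe as a command string, and as far as I can tell nothing quotes it, so an install directory containing a space or a cmd metacharacter such as `&` would presumably be split or misparsed instead of being run as one path. Quoting the path keeps it a single token: `const result = execa.sync('"' + path.join(__dirname, 'getASPath.bat') + '"', { shell: true });`. The added comment also reads as if the shell option were the mitigation, whereas it is the opt-in that Node's CVE-2024-27980 fix now requires before a `.bat` file can be spawned, and it turns shell parsing back on. A more accurate wording would be `// Node's CVE-2024-27980 fix refuses to spawn .bat files without "shell"; never pass caller-supplied arguments through this call`. The body of `get_gradle_wrapper` continues outside the hunk, so how `result` is consumed is not visible here.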