SAP / ui5-tooling

An open and modular toolchain to develop state of the art applications based on the UI5 framework
https://sap.github.io/ui5-tooling
Apache License 2.0

Cannot run `fiori run` commands on Windows due to CVE-2024-27980 (child_process.spawn and child_process.spawnSync) #948

Closed GuillaumedesPommareSAP closed 6 months ago

GuillaumedesPommareSAP commented 6 months ago

Expected Behavior

npm run start-mock serves resources

Current Behavior

Command run failed with error: `spawn EINVAL`

Steps to Reproduce the Issue

Just run any UI5 FE project using a Node version that has the CVE fixed (18.x, 20.x, 21.x are affected).

https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2

Context

```
ui5 --version 3.9.1
node --version v20.12.2
npm --version 10.5.0
OS Name: Microsoft Windows 11 Enterprise
OS Version: 10.0.22631 N/A Build 22631
```

GuillaumedesPommareSAP commented 6 months ago

Workaround (discouraged!): in `node_modules\.bin\fiori.cmd` add `--security-revert=CVE-2024-27980` like so:

```cmd
endLocal & goto #_undefined_# 2>NUL || title %COMSPEC% & "%_prog%" --security-revert=CVE-2024-27980 "%dp0%\..\@sap\ux-ui5-tooling\bin\fiori" %*
```

d3xter666 commented 6 months ago

Dear @GuillaumedesPommareSAP,

Thank you for reporting the issue; however, this seems to be something not directly related to UI5 Tooling. Please report the issue to the correct repository or internal support system.

Best Regards