add changes for fixing node exec

Author: Deepak Kasu

src/lib/util.js

@@ -2,10 +2,13 @@ import argvSplit from 'argv-split';
 import fs from 'fs-extra';
 import E from './errors.js';
 import path from 'path';
+import os from 'os';
 import semver from 'semver';
 import which from 'which';
+import child_process from 'child_process';
 import { fileURLToPath } from 'url';
 import { packageDirectorySync } from 'pkg-dir';
+import { execPath } from 'process';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
@@ -264,3 +267,27 @@ export function wrap(str, width, indent) {
 		})
 		.join('\n');
 }
+
+// cache to avoid extra lookups
+let _nodePath;
+export function nodePath() {
+	if (!_nodePath) {
+		const execPath = process.execPath;
+		// cannot exec cmd on windows on new versions of node https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2
+		// CVE-2024-27980. Can't pass shell: true to get around this on windows since it breaks non-shell executions.
+		// Can't imagine node would be a bat but who knows. It's .cmd on windows often.
+		if (os.platform() === 'win32' && [ 'cmd', 'bat' ].includes(path.extname(execPath))) {
+			// try and see if the node.exe lives in the same dir
+			const newNodePath = execPath.replace(new RegExp(`${path.extname(execPath)}$`), 'exe');
+			try {
+				fs.statSync(newNodePath);
+				_nodePath = newNodePath;
+			} catch (err) {
+				_nodePath = 'node.exe';
+			}
+		} else {
+			_nodePath = execPath;
+		}
+	}
+	return _nodePath;
+}

src/parser/extension.js

@@ -4,7 +4,7 @@ import E from '../lib/errors.js';
 import helpCommand from '../commands/help.js';
 import _path from 'path';
 
-import { declareCLIKitClass, filename, findPackage, isExecutable } from '../lib/util.js';
+import { declareCLIKitClass, filename, findPackage, isExecutable, nodePath } from '../lib/util.js';
 import { spawn } from 'child_process';
 
 const { log, warn } = debug('cli-kit:extension');
@@ -34,6 +34,7 @@ export default class Extension {
 	 * @access public
 	 */
 	constructor(pathOrParams, params) {
+		log({pathOrParams, params});
 		let path = pathOrParams;
 
 		if (typeof path === 'string' && !params) {
@@ -83,7 +84,7 @@ export default class Extension {
 
 					// spawn the process
 					log(`Running: ${highlight(`${bin} ${args.join(' ')}`)}`);
-					const child = spawn(bin, args, { windowsHide: true, shell: true });
+					const child = spawn(bin, args, { windowsHide: true });
 					child.stdout.on('data', data => terminal.stdout.write(data.toString()));
 					child.stderr.on('data', data => terminal.stderr.write(data.toString()));
 					await new Promise(resolve => child.on('close', (code = 0) => resolve({ code })));
@@ -114,7 +115,7 @@ export default class Extension {
 				const makeDefaultAction = main => {
 					return async ({ __argv, cmd }) => {
 						process.argv = [
-							process.execPath,
+							nodePath(),
 							main
 						];
 
@@ -239,6 +240,8 @@ export default class Extension {
 	 */
 	registerExtension(name, meta, params) {
 		log(`Registering extension command: ${highlight(`${this.name}:${name}`)}`);
+		log(meta);
+		log(params);
 		const cmd = new Command(name, {
 			parent: this,
 			...params

test/examples/external-binary/extbin.js

@@ -1,5 +1,6 @@
 import CLI from '../../../src/index.js';
+import { nodePath } from '../../../src/lib/util.js';
 
 new CLI({
-	extensions: [ 'node' ]
+	extensions: [ nodePath() ]
 }).exec();

test/examples/run-node/run.js

@@ -1,7 +1,8 @@
 import CLI from '../../../src/index.js';
+import { nodePath } from '../../../src/lib/util.js';
 
 new CLI({
 	extensions: {
-        run: `"${process.execPath}" -e`
+        run: `"${nodePath()}" -e`
     }
 }).exec();

test/test-argument.js

@@ -54,6 +54,7 @@ describe('Argument', () => {
 					name: 'foo',
 					type: 'bar'
 				});
+				throw new Error('Expected error');
 			} catch (err) {
 				expect(err).to.be.instanceof(Error);
 				expect(err.message).to.equal('Unsupported type "bar"');

test/test-extension.js

@@ -4,8 +4,10 @@ import CLI, { ansi, Extension, Terminal } from '../src/index.js';
 import path from 'path';
 import { expect } from 'chai';
 import { fileURLToPath } from 'url';
+import { platform } from 'os';
 import { spawnSync } from 'child_process';
 import { WritableStream } from 'memory-streams';
+import { nodePath } from '../src/lib/util.js';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
@@ -57,12 +59,17 @@ describe('Extension', () => {
 			delete env.SNOOPLOGG;
 			const args = [
 				path.join(__dirname, 'examples', 'external-binary', 'extbin.js'),
+				// this is the command name!
 				'node',
 				'-e',
-				'\'console.log(\'foo\');\''
+				'console.log(\'foo\');'
 			];
-			const cmd = `${process.execPath} ${args.join(' ')}`;
-			const {status} = spawnSync(process.execPath, args, { env, shell: true });
+
+			const { status, stdout, stderr } = spawnSync(nodePath(), args, {
+				env
+			});
+			expect(stdout.toString().trim()).to.equal('foo');
+			expect(stderr.toString().trim()).to.equal('');
 			expect(status).to.equal(0);
 		});
 
@@ -73,9 +80,11 @@ describe('Extension', () => {
 			const env = { ...process.env };
 			delete env.SNOOPLOGG;
 
-			const { status, stdout, stderr } = spawnSync(process.execPath, [
+			const { status, stdout, stderr } = spawnSync(nodePath(), [
 				path.join(__dirname, 'examples', 'run-node', 'run.js'), 'run', 'console.log(\'It works\')'
-			], { env });
+			], {
+				env
+			});
 			expect(status).to.equal(0);
 			expect(stdout.toString().trim() + stderr.toString().trim()).to.match(/It works/m);
 		});
@@ -86,7 +95,7 @@ describe('Extension', () => {
 			const cli = new CLI({
 				colors: false,
 				extensions: {
-					echo: 'node -e \'console.log("hi " + process.argv.slice(1).join(" "))\''
+					echo: nodePath() + ' -e \'console.log("hi " + process.argv.slice(1).join(" "))\''
 				},
 				help: true,
 				name: 'test-cli',
@@ -166,9 +175,11 @@ describe('Extension', () => {
 			const env = { ...process.env };
 			delete env.SNOOPLOGG;
 
-			const { status, stdout, stderr } = spawnSync(process.execPath, [
+			const { status, stdout, stderr } = spawnSync(nodePath(), [
 				path.join(__dirname, 'examples', 'external-js-file', 'extjsfile.js'), 'simple', 'foo', 'bar'
-			], { env, shell: true });
+			], {
+				env
+			});
 			expect(stdout.toString().trim() + stderr.toString().trim()).to.equal(`${process.version} foo bar`);
 			expect(status).to.equal(0);
 		});
@@ -180,9 +191,11 @@ describe('Extension', () => {
 			const env = { ...process.env };
 			delete env.SNOOPLOGG;
 
-			const { status, stdout, stderr } = spawnSync(process.execPath, [
+			const { status, stdout, stderr } = spawnSync(nodePath(), [
 				path.join(__dirname, 'examples', 'external-module', 'extmod.js'), 'foo', 'bar'
-			], { env, shell: true });
+			], {
+				env
+			});
 			expect(stdout.toString().trim() + stderr.toString().trim()).to.equal(`${process.version} bar`);
 			expect(status).to.equal(0);
 		});

test/test-parser.js

@@ -4,6 +4,7 @@ import { expect } from 'chai';
 import { fileURLToPath } from 'url';
 import { spawnSync } from 'child_process';
 import { WritableStream } from 'memory-streams';
+import { nodePath } from '../src/lib/util.js';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
@@ -86,7 +87,9 @@ describe('Parser', () => {
 			const env = Object.assign({}, process.env);
 			delete env.SNOOPLOGG;
 
-			const { status, stdout } = spawnSync(process.execPath, [ path.join(__dirname, 'examples', 'version-test', 'ver.js'), '--version' ], { env });
+			const { status, stdout } = spawnSync(nodePath(), [ path.join(__dirname, 'examples', 'version-test', 'ver.js'), '--version' ], {
+				env
+			});
 			expect(status).to.equal(0);
 			expect(stdout.toString()).to.equal('1.2.3\n');
 		});

test/test-util.js

@@ -10,7 +10,8 @@ describe('util', () => {
 		it('should throw error if package.json has syntax error', () => {
 			const dir = path.resolve(__dirname, 'fixtures', 'bad-pkg-json');
 			try {
-				const result = findPackage(dir);
+				findPackage(dir);
+				throw new Error('Expected error');
 			} catch (err) {
 				expect(err.message).to.match(/Failed to parse package.json:/);
 			}