If someone adds an executable shell command to a package.json then ABP CLI can run this command.
Normally ABP package.json files are created by ABP platform that's why there's no real issue here.
But if someone creates an ABP project and makes it public to everyone and adds this vulnerable command then yes, in the development environment he can do bad things. But for doing bad things he doesn't need to add a command, he can create his own malicious NPM package and put that in package.json; it'll look like a much more hidden attack vector. But even though it's a very low-level security vulnerability, it's easy to fix and we can fix this.
abp_cli_private_vuln_report.pdf
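As an added illustration of the two risks named in the comment above (a command planted in package.json that a tool executes, and a malicious dependency hidden in the dependency list), the following audit script is example code written for this page; it is not part of ABP CLI or of the reported project. It parses a package.json, flags scripts that npm runs automatically on install (a fact about npm lifecycle hooks), flags scripts containing command substitution or remote-fetch tokens, and lists dependencies outside an allowlist. The sample package.json, the allowlist and the heuristic regex are constructed assumptions for the demonstration.

```javascript
// Example audit for a package.json (added example, not ABP's own code).
// Two checks: scripts that run on their own during "npm install", and
// dependencies not on a reviewed allowlist.

// npm executes these lifecycle scripts without an explicit "npm run",
// so a command placed here runs on a plain "npm install".
const AUTO_RUN_SCRIPTS = new Set([
  'preinstall', 'install', 'postinstall', 'prepublish', 'prepare', 'prepack', 'postpack'
]);

// Heuristic (assumption, not an exhaustive rule): command substitution or
// tools that pull content from the network inside a script line.
const SUSPICIOUS_SHELL = /(\$\(|`|\bcurl\b|\bwget\b)/;

function auditPackageJson(jsonText, allowedDeps) {
  const pkg = JSON.parse(jsonText);
  const findings = [];

  // Check every script entry, most severe category first.
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    if (AUTO_RUN_SCRIPTS.has(name)) {
      findings.push({ kind: 'auto-run-script', name, detail: cmd });
    } else if (SUSPICIOUS_SHELL.test(cmd)) {
      findings.push({ kind: 'shell-chaining', name, detail: cmd });
    }
  }

  // Any dependency not explicitly reviewed is reported.
  const allow = new Set(allowedDeps);
  for (const section of ['dependencies', 'devDependencies']) {
    for (const dep of Object.keys(pkg[section] || {})) {
      if (!allow.has(dep)) {
        findings.push({ kind: 'unvetted-dependency', name: dep, detail: section });
      }
    }
  }
  return findings;
}

// Constructed sample package.json; not a real ABP project file.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-app',
  scripts: {
    build: 'ng build',
    postinstall: 'node ./tools/setup.js',
    test: 'node $(cat ./tools/runner.txt)'
  },
  dependencies: {
    '@angular/core': '^15.0.0',
    'totally-legit-utils': '1.0.0'
  }
});

// Constructed allowlist of reviewed packages.
const ALLOWED_DEPS = ['@angular/core'];

function runSample() {
  return auditPackageJson(SAMPLE_PACKAGE_JSON, ALLOWED_DEPS);
}

console.log(JSON.stringify(runSample(), null, 2));
```

Running the block prints three findings for the sample: the `postinstall` hook, the `test` script with command substitution, and the unreviewed `totally-legit-utils` dependency. A clean package.json with only reviewed dependencies produces an empty list.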