From 686bce5d2ce111f864e77a18adaca9eaa696d9d4 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 8 Feb 2026 22:23:09 +0000 Subject: [PATCH] fix(security): replace exec() with execFile() in extractVideoThumb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Eliminates command injection vulnerability (CWE-78) by switching from shell-based exec() to execFile() which passes arguments as an array without spawning a shell. Behavior is identical — same ffmpeg args, same output — but injection via crafted paths is now impossible. https://claude.ai/code/session_01E2cfX1N3sJgCJBTvzGazSG --- src/Utils/messages-media.ts | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/Utils/messages-media.ts b/src/Utils/messages-media.ts index 76207614..98c107fc 100644 --- a/src/Utils/messages-media.ts +++ b/src/Utils/messages-media.ts @@ -1,5 +1,5 @@ import { Boom } from '@hapi/boom' -import { exec } from 'child_process' +import { execFile } from 'child_process' import * as Crypto from 'crypto' import { once } from 'events' import { createReadStream, createWriteStream, promises as fs, WriteStream } from 'fs' @@ -127,8 +127,7 @@ const extractVideoThumb = async ( size: { width: number; height: number } ) => new Promise((resolve, reject) => { - const cmd = `ffmpeg -ss ${time} -i ${path} -y -vf scale=${size.width}:-1 -vframes 1 -f image2 ${destPath}` - exec(cmd, err => { + execFile('ffmpeg', ['-ss', time, '-i', path, '-y', '-vf', `scale=${size.width}:-1`, '-vframes', '1', '-f', 'image2', destPath], err => { if (err) { reject(err) } else {