fix(security): replace exec() with execFile() in extractVideoThumb

Eliminates command injection vulnerability (CWE-78) by switching from
shell-based exec() to execFile() which passes arguments as an array
without spawning a shell. Behavior is identical — same ffmpeg args,
same output — but injection via crafted paths is now impossible.

https://claude.ai/code/session_01E2cfX1N3sJgCJBTvzGazSG
This commit is contained in:
Claude
2026-02-08 22:23:09 +00:00
parent 2dc3a34d5e
commit 686bce5d2c
+2 -3
View File
@@ -1,5 +1,5 @@
import { Boom } from '@hapi/boom'
import { exec } from 'child_process'
import { execFile } from 'child_process'
import * as Crypto from 'crypto'
import { once } from 'events'
import { createReadStream, createWriteStream, promises as fs, WriteStream } from 'fs'
@@ -127,8 +127,7 @@ const extractVideoThumb = async (
size: { width: number; height: number }
) =>
new Promise<void>((resolve, reject) => {
const cmd = `ffmpeg -ss ${time} -i ${path} -y -vf scale=${size.width}:-1 -vframes 1 -f image2 ${destPath}`
exec(cmd, err => {
execFile('ffmpeg', ['-ss', time, '-i', path, '-y', '-vf', `scale=${size.width}:-1`, '-vframes', '1', '-f', 'image2', destPath], err => {
if (err) {
reject(err)
} else {