fix(security): replace exec() with execFile() in extractVideoThumb
Eliminates command injection vulnerability (CWE-78) by switching from shell-based exec() to execFile() which passes arguments as an array without spawning a shell. Behavior is identical — same ffmpeg args, same output — but injection via crafted paths is now impossible. https://claude.ai/code/session_01E2cfX1N3sJgCJBTvzGazSG
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
import { Boom } from '@hapi/boom'
|
||||
import { exec } from 'child_process'
|
||||
import { execFile } from 'child_process'
|
||||
import * as Crypto from 'crypto'
|
||||
import { once } from 'events'
|
||||
import { createReadStream, createWriteStream, promises as fs, WriteStream } from 'fs'
|
||||
@@ -127,8 +127,7 @@ const extractVideoThumb = async (
|
||||
size: { width: number; height: number }
|
||||
) =>
|
||||
new Promise<void>((resolve, reject) => {
|
||||
const cmd = `ffmpeg -ss ${time} -i ${path} -y -vf scale=${size.width}:-1 -vframes 1 -f image2 ${destPath}`
|
||||
exec(cmd, err => {
|
||||
execFile('ffmpeg', ['-ss', time, '-i', path, '-y', '-vf', `scale=${size.width}:-1`, '-vframes', '1', '-f', 'image2', destPath], err => {
|
||||
if (err) {
|
||||
reject(err)
|
||||
} else {
|
||||
|
||||
Reference in New Issue
Block a user