fix(security): replace exec() with execFile() in extractVideoThumb
Eliminates command injection vulnerability (CWE-78) by switching from shell-based exec() to execFile() which passes arguments as an array without spawning a shell. Behavior is identical — same ffmpeg args, same output — but injection via crafted paths is now impossible. https://claude.ai/code/session_01E2cfX1N3sJgCJBTvzGazSG
This commit is contained in:
@@ -1,5 +1,5 @@
|
|||||||
import { Boom } from '@hapi/boom'
|
import { Boom } from '@hapi/boom'
|
||||||
import { exec } from 'child_process'
|
import { execFile } from 'child_process'
|
||||||
import * as Crypto from 'crypto'
|
import * as Crypto from 'crypto'
|
||||||
import { once } from 'events'
|
import { once } from 'events'
|
||||||
import { createReadStream, createWriteStream, promises as fs, WriteStream } from 'fs'
|
import { createReadStream, createWriteStream, promises as fs, WriteStream } from 'fs'
|
||||||
@@ -127,8 +127,7 @@ const extractVideoThumb = async (
|
|||||||
size: { width: number; height: number }
|
size: { width: number; height: number }
|
||||||
) =>
|
) =>
|
||||||
new Promise<void>((resolve, reject) => {
|
new Promise<void>((resolve, reject) => {
|
||||||
const cmd = `ffmpeg -ss ${time} -i ${path} -y -vf scale=${size.width}:-1 -vframes 1 -f image2 ${destPath}`
|
execFile('ffmpeg', ['-ss', time, '-i', path, '-y', '-vf', `scale=${size.width}:-1`, '-vframes', '1', '-f', 'image2', destPath], err => {
|
||||||
exec(cmd, err => {
|
|
||||||
if (err) {
|
if (err) {
|
||||||
reject(err)
|
reject(err)
|
||||||
} else {
|
} else {
|
||||||
|
|||||||
Reference in New Issue
Block a user