TheLanc3/YoutubeDL-Material
1
0
Fork 0
mirror of https://github.com/Tzahi12345/YoutubeDL-Material.git synced 2026-04-11 19:01:28 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fixed potential command injection vulnerability

Browse Source
This commit is contained in:
Isaac Abadi
2022-06-21 01:58:35 -04:00
parent cddd280206
commit b6de6d08fa
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
backend/twitch.js
View File

@@ -9,6 +9,13 @@ async function getCommentsForVOD(clientID, clientSecret, vodId) {
const { promisify } = require('util'); const { promisify } = require('util');
const child_process = require('child_process'); const child_process = require('child_process');
const exec = promisify(child_process.exec); const exec = promisify(child_process.exec);
// Reject invalid params to prevent command injection attack
if (!clientID.match(/^[0-9a-z]+$/) || !clientSecret.match(/^[0-9a-z]+$/) || !vodId.match(/^[0-9a-z]+$/)) {
logger.error('Client ID, client secret, and VOD ID must be purely alphanumeric. Twitch chat download failed!');
return null;
}
const result = await exec(`tcd --video ${vodId} --client-id ${clientID} --client-secret ${clientSecret} --format json -o appdata`, {stdio:[0,1,2]}); const result = await exec(`tcd --video ${vodId} --client-id ${clientID} --client-secret ${clientSecret} --format json -o appdata`, {stdio:[0,1,2]});
if (result['stderr']) { if (result['stderr']) {