fix(adult): 🔒 terminate ffprobe options with -- in duration probe
Defense-in-depth against option injection: a library path beginning with '-' could be parsed as an ffprobe flag. Paths are always absolute today so it isn't reachable, but '--' makes it safe regardless.

Not command injection: $p is a double-quoted expansion (contents not re-evaluated) and paths arrive as stdin data, never on a command line — documented inline.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
parent eb0d75a126
commit 3c67b547c6
1 changed files with 7 additions and 1 deletions
@ -10,9 +10,15 @@ import Foundation
|
|||
/// result. Blocking — always call off the main actor.
|
||||
public enum DurationProbe {
|
||||
/// Reads NUL-delimited paths from stdin; for each, emits `<seconds>\t<path>\0`.
|
||||
///
|
||||
/// Injection note: `$p` is a double-quoted variable expansion, so the shell
|
||||
/// does not re-evaluate the path's contents — a filename containing `$(…)` or
|
||||
/// backticks is passed verbatim, not executed (and the path arrives as stdin
|
||||
/// *data*, never on a command line). `--` terminates ffprobe's option parsing
|
||||
/// so a path beginning with `-` can't be read as a flag.
|
||||
private static let remoteScript =
|
||||
"while IFS= read -r -d '' p; do "
|
||||
+ "d=$(ffprobe -v error -show_entries format=duration -of csv=p=0 \"$p\" 2>/dev/null); "
|
||||
+ "d=$(ffprobe -v error -show_entries format=duration -of csv=p=0 -- \"$p\" 2>/dev/null); "
|
||||
+ "printf '%s\\t%s\\0' \"${d:-}\" \"$p\"; done"
|
||||
|
||||
/// Returns `[path: seconds]` for paths that resolved to a positive duration.
|
||||
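Review bot: The doc comment's statement that the path arrives as stdin data, "never on a command line", reads as contradicting the `--` it sits next to: once `read` has filled `p`, `"$p"` is handed to ffprobe as an argv element, which is the only reason a leading `-` could be taken as a flag. Suggest rewording it to say the path is never spliced into the script text, so the shell-injection point and the option-injection point stay distinct. Separately, the probe line keeps `2>/dev/null` and the `printf` emits `${d:-}`, so an ffprobe that rejected `--` would yield empty durations with no visible error; a test that probes a file whose name begins with `-` would confirm the terminator behaves as intended on the ffprobe in use.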