From 3c67b547c620713d6237abd780324f8c9c44f62d Mon Sep 17 00:00:00 2001
From: Natalie
Date: Tue, 30 Jun 2026 01:00:02 -0400
Subject: [PATCH] =?UTF-8?q?fix(adult):=20=F0=9F=94=92=20terminate=20ffprob?=
 =?UTF-8?q?e=20options=20with=20--=20in=20duration=20probe?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Defense-in-depth against option injection: a library path beginning with '-' could be parsed as an ffprobe flag. Paths are always absolute today so it isn't reachable, but '--' makes it safe regardless. Not command injection: $p is a double-quoted expansion (contents not re-evaluated) and paths arrive as stdin data, never on a command line — documented inline.
Co-Authored-By: Claude Opus 4.8
---
 Sources/TVAnarchyCore/DurationProbe.swift | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/Sources/TVAnarchyCore/DurationProbe.swift b/Sources/TVAnarchyCore/DurationProbe.swift
index 215bf0e..3d68980 100644
--- a/Sources/TVAnarchyCore/DurationProbe.swift
+++ b/Sources/TVAnarchyCore/DurationProbe.swift
@@ -10,9 +10,15 @@ import Foundation
 /// result. Blocking — always call off the main actor.
 public enum DurationProbe {
     /// Reads NUL-delimited paths from stdin; for each, emits `\t\0`.
+    ///
+    /// Injection note: `$p` is a double-quoted variable expansion, so the shell
+    /// does not re-evaluate the path's contents — a filename containing `$(…)` or
+    /// backticks is passed verbatim, not executed (and the path arrives as stdin
+    /// *data*, never on a command line). `--` terminates ffprobe's option parsing
+    /// so a path beginning with `-` can't be read as a flag.
     private static let remoteScript = "while IFS= read -r -d '' p; do "
-        + "d=$(ffprobe -v error -show_entries format=duration -of csv=p=0 \"$p\" 2>/dev/null); "
+        + "d=$(ffprobe -v error -show_entries format=duration -of csv=p=0 -- \"$p\" 2>/dev/null); "
         + "printf '%s\\t%s\\0' \"${d:-}\" \"$p\"; done"
     /// Returns `[path: seconds]` for paths that resolved to a positive duration.
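Review bot: The `--` added on the `d=$(ffprobe … -- \"$p\" …)` line stops a leading-`-` path from being parsed as an option but not from being parsed as a URL, which is how ffprobe interprets its positional input: a value such as `http://…`, `concat:…` or `subfile,…:…` would still be opened as one, and that sits in the same "unreachable while every path is absolute" class the commit message gives for the flag case. For a defense-in-depth consistent with the `--`, either reject non-absolute values inside the loop — a fragment `+ "case \"$p\" in /*) ;; *) continue ;; esac; "` right after the `do ` fragment — or add `-protocol_whitelist file` to the ffprobe arguments so anything that is not a plain file URL is refused. `--` is honoured by the fftools option parser, but since this script runs on a remote host it is worth confirming that the remote `ffprobe` is a stock build rather than a wrapper that lacks that handling. The new injection-note doc comment should also say in one line that `--` does not stop ffprobe from treating a non-path value such as `http://…` as a URL, and that callers supply absolute paths. The `DurationProbe` enum continues past the end of the hunk.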