SileNce/discord_bot
1
0
Fork 0
Code Issues Projects Releases Packages Wiki Activity Actions

Fix command injection vulnerability by using a command array
All checks were successful
CI / CI (push) Successful in 1m25s
Details

Browse source
This commit is contained in:
SileNce5k 2025-06-21 14:25:43 +02:00
parent f4ffcbebde
commit 6293010b6c
Signed by: SileNce
GPG key ID: B0A142BB4291B204
1 changed files with 9 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

12
commands/misc/dl.js
View file

@ -37,7 +37,8 @@ module.exports = {
} }
const originalMessage = await message.channel.send("Downloading video...") const originalMessage = await message.channel.send("Downloading video...")
if(this.executeCommand(`yt-dlp "${url}" -P ${downloadsDir} --cookies ${cookieFilepath}`).error){
if(this.executeCommand(["yt-dlp", url, "-P", downloadsDir, "--cookies", cookieFilepath]).error){
originalMessage.edit("An error occured when downloading the video."); originalMessage.edit("An error occured when downloading the video.");
this.cleanUp(downloadsDir); this.cleanUp(downloadsDir);
return; return;
@ -66,14 +67,17 @@ module.exports = {
cleanUp(downloadsDir){ cleanUp(downloadsDir){
fs.rmSync(downloadsDir, {force: true, recursive: true}); fs.rmSync(downloadsDir, {force: true, recursive: true});
}, },
executeCommand(command) { executeCommand(command) {
console.log("Executing:", command) if(!Array.isArray(command)) return {error: true};
const cmdString = command.join(" ")
console.log("Executing:", cmdString);
try { try {
const output = execSync(command, { encoding: 'utf-8' }) const output = execSync(cmdString, { encoding: 'utf-8' })
if (output.length != 0) if (output.length != 0)
console.log(output) console.log(output)
} catch (error) { } catch (error) {
console.error(`Error executing ${command.split(" ")[0]} command:`, error); console.error(`Error executing ${command[0]} command:`, error);
return { error: true }; return { error: true };
} }
return { error: false }; return { error: false };