Use execFileSync instead of execSync to prevent command injection

and add verbose flag
2025-06-21 15:30:18 +02:00 · 2025-06-21 15:30:18 +02:00 · a6060cdbfb
commit a6060cdbfb
parent 6293010b6c
1 changed files with 8 additions and 9 deletions
--- a/commands/misc/dl.js
+++ b/commands/misc/dl.js
@ -1,4 +1,4 @@
-const { execSync } = require('child_process');
+const { execFileSync } = require('child_process');
 const path = require('path');
 const fs = require('fs')
@ -38,7 +38,7 @@ module.exports = {
        const originalMessage = await message.channel.send("Downloading video...")
-        if(this.executeCommand(["yt-dlp", url, "-P", downloadsDir, "--cookies", cookieFilepath]).error){
+        if(this.executeCommand("yt-dlp", [url, "-P", downloadsDir, "--cookies", cookieFilepath]).error){
            originalMessage.edit("An error occured when downloading the video.");
            this.cleanUp(downloadsDir);
            return;
@ -68,16 +68,15 @@ module.exports = {
        fs.rmSync(downloadsDir, {force: true, recursive: true});
    },
-    executeCommand(command) {
+    executeCommand(command, commandArgs, {verbose = false}) {
-        if(!Array.isArray(command)) return {error: true};
+        if (typeof command !== 'string' || !Array.isArray(commandArgs)) return { error: true };
-        const cmdString = command.join(" ")
+        console.log("Executing:", command, commandArgs.join(" "));
        console.log("Executing:", cmdString);
        try {
-            const output = execSync(cmdString, { encoding: 'utf-8' })
+            const output = execFileSync(command, commandArgs, {encoding: 'utf8'})
-            if (output.length != 0)
+            if (output.length != 0 && verbose)
                console.log(output)
        } catch (error) {
-            console.error(`Error executing ${command[0]} command:`, error);
+            console.error(`Error executing ${command} command:`, error);
            return { error: true };
        }
        return { error: false };