From 8ef5fb0e440b26a0358b9aa686372212ad8ce889 Mon Sep 17 00:00:00 2001
From: quactv <51528368+tranquac@users.noreply.github.com>
Date: Sat, 28 Mar 2026 07:29:20 +0700
Subject: [PATCH] fix: prevent command injection via URL in yt-dlp shell commands

Signed-off-by: tranquac
---
 index.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/index.js b/index.js
index 05c5c81..6eba89a 100644
--- a/index.js
+++ b/index.js
@@ -3,6 +3,11 @@ const DISABLE = 0
 const express = require('express');
 const json = require('body-parser').json;
 const child_process = require('child_process');
+// Shell escape helper to prevent command injection
+function shellEscape(str) {
+  return "'" + String(str).replace(/'/g, "'\\''") + "'";
+}
+
 const worker_threads = require('worker_threads');
 const fs = require('fs');
 const { getRemoteIP, getWebsiteUrl } = require('./utils.js');
@@ -258,7 +263,7 @@ function catchSubtitle(line) {
  */
 function parseSubtitle(msg) {
   try {
-    let cmd = `yt-dlp --list-subs ${config.cookie !== undefined ? `--cookies "${config.cookie}"` : ''} '${msg.url}' 2> /dev/null`
+    let cmd = `yt-dlp --list-subs ${config.cookie !== undefined ? `--cookies ${shellEscape(config.cookie)}` : ''} ${shellEscape(msg.url)} 2> /dev/null`
     console.log(`解析字幕, 命令: ${cmd}`);
     let rs = child_process.execSync(cmd).toString().split(/(\r\n|\n)/);
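Review bot: The single-quote wrapping in `shellEscape` is only a valid quoting scheme for a POSIX `sh`; `child_process.execSync` spawns `cmd.exe` on Windows, where a single quote is not a quoting character, so the header comment `// Shell escape helper to prevent command injection` overstates what the helper guarantees and should read `// Quote a value for a POSIX sh command line only; gives no protection under cmd.exe.` Quoting also does not stop a value that begins with `-` from being handed to yt-dlp as an option instead of a URL, so callers that place untrusted values in a positional slot still need a `--` end-of-options separator before them. The more robust fix is to avoid the shell altogether and pass an argv array, e.g. `child_process.execFileSync('yt-dlp', ['--list-subs', ...cookieArgs, '--', url])`, which makes this helper unnecessary; if the helper stays, the note above about its scope belongs on it.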