Arbitrary file execution via user-controlled file path parameter #49

@GaijinKa

Description

The application allows users to specify the file path to be executed through the ffmpeg_proc_path parameter:

ffmpeg_proc_path = "ffmpeg_launcher_vp8.sh.template"

When this user-controlled path is passed directly to subprocess execution without proper validation, it creates a critical security vulnerability that allows attackers to execute arbitrary files on the system.

Severity

High - Allows execution of arbitrary files on the system

Affected Components

The _videostream_ffmpeg sink node

Vectors

Attackers can use directory traversal sequences to execute files outside the intended directory.

# Attack examples:
ffmpeg_proc_path = "../../../any/file"

Impact:

  • Execute arbitrary scripts anywhere on the filesystem that the process has read access to
  • Exploit special files
  • Binary execution
  • Env manipulation
  • Malicious execution (if the attacker is able to upload a file properly)

Recommended Fixes

1. Whitelist approach

import os

class SecurityError(Exception):
    """Raised when a request names a script that is not on the allowlist."""

ALLOWED_SCRIPTS = {
    'vp8': 'ffmpeg_launcher_vp8.sh.template',
    'h264': 'ffmpeg_launcher_h264.sh.template',
    'vp9': 'ffmpeg_launcher_vp9.sh.template',
}

# User selects by key, not path
script_type = user_input  # e.g., "vp8"
if script_type not in ALLOWED_SCRIPTS:
    raise SecurityError("Invalid script type")

# SAFE_SCRIPT_DIR: the fixed directory that holds the launcher templates
ffmpeg_proc_path = os.path.join(SAFE_SCRIPT_DIR, ALLOWED_SCRIPTS[script_type])

2. Run subprocess with restricted permissions

3. Suspicious command detection

if '..' in ffmpeg_proc_path or ffmpeg_proc_path.startswith('/'):
    # prevent code execution and raise alert
    raise SecurityError("Suspicious ffmpeg_proc_path")

References

CWE-73: External Control of File Name or Path
CWE-22: Path Traversal
CWE-426: Untrusted Search Path
OWASP: Path Traversal
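
An added example, not part of the issue or the project's code: the allowlist from fix 1 combined with a resolved-path containment check, which also rejects a launcher that is a symlink leaving the script directory (something the string test in fix 3 does not see). `resolve_launcher`, `LauncherPathError`, `demo` and the temporary directory layout are assumptions made for illustration.

```python
import os
import tempfile

# Hypothetical names for illustration; only the template file names come from the issue.
ALLOWED_SCRIPTS = {
    "vp8": "ffmpeg_launcher_vp8.sh.template",
    "h264": "ffmpeg_launcher_h264.sh.template",
    "vp9": "ffmpeg_launcher_vp9.sh.template",
}


class LauncherPathError(ValueError):
    """A launcher selection could not be mapped to a trusted file."""


def resolve_launcher(script_type, script_dir):
    """Map a user-supplied key to a launcher path inside script_dir."""
    # 1. The caller supplies a key; the file name never comes from the request.
    try:
        name = ALLOWED_SCRIPTS[script_type]
    except (KeyError, TypeError):
        raise LauncherPathError("unknown script type") from None
    # 2. Resolve symlinks on both sides, then require containment.
    base = os.path.realpath(script_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise LauncherPathError("launcher resolves outside the script directory")
    # 3. Accept regular files only (no FIFOs, devices or directories).
    if not os.path.isfile(candidate):
        raise LauncherPathError("launcher is missing or not a regular file")
    return candidate


def demo():
    """Constructed fixture: one real template and one symlink that escapes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        scripts = os.path.join(root, "scripts")
        os.mkdir(scripts)
        outside = os.path.join(root, "outside.sh")
        for path in (os.path.join(scripts, ALLOWED_SCRIPTS["vp8"]), outside):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
        os.symlink(outside, os.path.join(scripts, ALLOWED_SCRIPTS["h264"]))
        for key in ("vp8", "h264", "vp9", "../../../any/file"):
            try:
                results[key] = os.path.basename(resolve_launcher(key, scripts))
            except LauncherPathError:
                results[key] = "rejected"
    return results
```

The returned path should be passed to the subprocess call as a list element with `shell=False`, so the resolved file name is never re-parsed by a shell.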
