Aandrew-me ytDownloader Command Injection Vulnerability in Compressor Feature

Vulnerability

A command injection vulnerability exists in the ytDownloader application, specifically in versions up to 3.20.2. The issue arises in the compressor feature, where the application uses Node.js's child_process.exec() to execute a single ffmpeg command string. This method invokes a shell, allowing untrusted file names to be interpreted as shell commands rather than isolated arguments. On Linux and macOS, a crafted file name can disrupt command parsing and execute arbitrary commands with the current user's privileges. The vulnerability requires local file delivery and user interaction, but its impact is significant due to direct shell execution.

Impact

Exploitation of this vulnerability allows for arbitrary command execution in the context of the current user. This could lead to executing local commands, modifying or deleting user-accessible files, accessing sensitive user data, or disrupting the application's availability or the user's environment.

Reproduction

To reproduce this vulnerability, create a PNG file and rename it to include a double quote and shell-significant characters. Then, upload this file through the ytDownloader compressor feature. The injected commands will execute, demonstrating the command injection flaw.

Remediation

The vulnerability can be addressed by replacing the use of child_process.exec() with child_process.spawn() or execFile(), constructing ffmpeg arguments as an array, and passing file paths as raw process arguments to avoid shell interpretation.

Added: Apr 13, 2026, 10:50 PM
Updated: Apr 13, 2026, 10:50 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 3.8
remediation: 0.0
relevance: 5.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.