Security: Command Injection Vulnerability

[schirrmacher]

Hey there!

During security reviews I discovered an issue in audioread/ffdec.py

The code uses subprocess.Popen to execute external commands (ffmpeg or avconv) with a user-provided filename as part of the command arguments. This creates a significant command injection vulnerability, as a malicious filename could contain arbitrary shell commands, leading to remote code execution on the system.

audioread/audioread/ffdec.py

Line 144 in 577f8e2

['-i', filename, '-f', 's16le', '-'],

[sampsyo]

Hello! I don't think this is true—we are not using a shell here. What is a specific example of a malicious value for filename that you have in mind?

[schirrmacher]

The filename variable is passed directly into the command list. If an attacker can control the filename string, they can make it start with a hyphen (-) to trick ffmpeg into interpreting the filename as a command-line option instead of an input file path.

Maybe this is not a problem for this part of the code.

[WesR]

I think this is a false positive, I could not replicate it