Fix Command Injection Vulnerability (#1778)

* Added fix for command injection

* changed function name from sh to runCommand
Oussama 2024-02-29 19:32:29 +01:00 committed by GitHub
parent c1966af2cf
commit 31a4c9c9d3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -11,21 +11,21 @@ import (
"github.com/go-skynet/LocalAI/core/schema" "github.com/go-skynet/LocalAI/core/schema"
) )
func sh(c string) (string, error) { func runCommand(command []string) (string, error) {
cmd := exec.Command("/bin/sh", "-c", c) cmd := exec.Command(command[0], command[1:]...)
cmd.Env = os.Environ() cmd.Env = os.Environ()
o, err := cmd.CombinedOutput() out, err := cmd.CombinedOutput()
return string(o), err return string(out), err
} }
// AudioToWav converts audio to wav for transcribe. It bashes out to ffmpeg // AudioToWav converts audio to wav for transcribe.
// TODO: use https://github.com/mccoyst/ogg? // TODO: use https://github.com/mccoyst/ogg?
func audioToWav(src, dst string) error { func audioToWav(src, dst string) error {
out, err := sh(fmt.Sprintf("ffmpeg -i %s -format s16le -ar 16000 -ac 1 -acodec pcm_s16le %s", src, dst)) command := []string{"ffmpeg", "-i", src, "-format", "s16le", "-ar", "16000", "-ac", "1", "-acodec", "pcm_s16le", dst}
out, err := runCommand(command)
if err != nil { if err != nil {
return fmt.Errorf("error: %w out: %s", err, out) return fmt.Errorf("error: %w out: %s", err, out)
} }
return nil return nil
} }
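Review bot: `dst` is still passed to ffmpeg as a bare positional argument in `audioToWav`, so dropping `/bin/sh -c` closes shell metacharacter injection but not option parsing: a value that begins with `-` would be read by ffmpeg as a flag instead of an output path. Where `src` and `dst` come from is not visible in this hunk; if either can derive from a request-supplied filename, normalise it before building the slice, for example `dst, err = filepath.Abs(dst)` (and the same for `src`), so it cannot start with `-`. Separately, `runCommand` indexes `command[0]` unguarded and would panic on an empty slice; `if len(command) == 0 { return "", fmt.Errorf("empty command") }` at the top avoids that. Since ffmpeg here presumably runs on uploaded audio, `exec.CommandContext` with a timeout would also bound how long one conversion can hold a worker.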