There is a significant vulnerability in this package. Anyone passing user-supplied input to the library will have a remote code execution error on their hands, as this library does not properly escape its parameters before passing them to the shell:
libcamera.still({ output: 'test.jpg; touch example-file' })
Using this code will run the touch example-file command (even if libcamera is not installed on your system!) It could be another command that deletes your files, which would cause bigger issues.
Any code that wraps shell commands must use a well-tested method for securely escaping shell commands to prevent users of the library from unexpectedly introducing vulnerabilities into their system.
There is a significant vulnerability in this package. Anyone passing user-supplied input to the library will have a remote code execution error on their hands, as this library does not properly escape its parameters before passing them to the shell:
Using this code will run the
touch example-filecommand (even if libcamera is not installed on your system!) It could be another command that deletes your files, which would cause bigger issues.Any code that wraps shell commands must use a well-tested method for securely escaping shell commands to prevent users of the library from unexpectedly introducing vulnerabilities into their system.