Ensure that arbitrary reads / writes can't be executed from ffmpeg (#22607)

2026-04-19 23:08:08 +02:00 · 2026-03-24 09:36:08 -06:00
parent de593c8e3f
commit 334245bd3c
2 changed files with 67 additions and 0 deletions
--- a/frigate/api/export.py
+++ b/frigate/api/export.py
@@ -46,6 +46,7 @@ from frigate.record.export import (
    DEFAULT_TIME_LAPSE_FFMPEG_ARGS,
    PlaybackSourceEnum,
    RecordingExporter,
+    validate_ffmpeg_args,
 )
 from frigate.util.time import is_current_hour

@@ -547,6 +548,24 @@ def export_recording_custom(

    export_id = f"{camera_name}_{''.join(random.choices(string.ascii_lowercase + string.digits, k=6))}"

+    # Validate user-provided ffmpeg args to prevent injection
+    for args_label, args_value in [
+        ("input", ffmpeg_input_args),
+        ("output", ffmpeg_output_args),
+    ]:
+        if args_value is not None:
+            valid, message = validate_ffmpeg_args(args_value)
+            if not valid:
+                return JSONResponse(
+                    content=(
+                        {
+                            "success": False,
+                            "message": f"Invalid ffmpeg {args_label} arguments: {message}",
+                        }
+                    ),
+                    status_code=400,
+                )
+
    # Set default values if not provided (timelapse defaults)
    if ffmpeg_input_args is None:
        ffmpeg_input_args = ""