From b6de6d08fa5a0b11d2b3e7c8301be220d38ec447 Mon Sep 17 00:00:00 2001
From: Isaac Abadi
Date: Tue, 21 Jun 2022 01:58:35 -0400
Subject: [PATCH] Fixed potential command injection vulnerability
---
 backend/twitch.js | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/backend/twitch.js b/backend/twitch.js
index 6a70c89..c713676 100644
--- a/backend/twitch.js
+++ b/backend/twitch.js
@@ -9,6 +9,13 @@ async function getCommentsForVOD(clientID, clientSecret, vodId) {
 const { promisify } = require('util');
 const child_process = require('child_process');
 const exec = promisify(child_process.exec);
+
+ // Reject invalid params to prevent command injection attack
+ if (!clientID.match(/^[0-9a-z]+$/) || !clientSecret.match(/^[0-9a-z]+$/) || !vodId.match(/^[0-9a-z]+$/)) {
+ logger.error('Client ID, client secret, and VOD ID must be purely alphanumeric. Twitch chat download failed!');
+ return null;
+ }
+
 const result = await exec(`tcd --video ${vodId} --client-id ${clientID} --client-secret ${clientSecret} --format json -o appdata`, {stdio:[0,1,2]});
 if (result['stderr']) {