From 47126876cfc83820f7bcb18c5d64d02c71a8e84f Mon Sep 17 00:00:00 2001
From: marcobaobao
Date: Mon, 9 May 2022 19:12:59 +0200
Subject: [PATCH] security update

---
 server/src/core/Process.ts | 9 ++++++---
 server/src/utils/params.ts | 4 ++++
 2 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 server/src/utils/params.ts

diff --git a/server/src/core/Process.ts b/server/src/core/Process.ts
index ef7cd66..a8ad9dd 100644
--- a/server/src/core/Process.ts
+++ b/server/src/core/Process.ts
@@ -3,6 +3,7 @@ import { join } from 'path';
 import { Readable } from 'stream';
 import { ISettings } from '../interfaces/ISettings';
 import Logger from '../utils/BetterLogger';
+import { availableParams } from '../utils/params';
 const log = new Logger();
@@ -41,9 +42,11 @@ class Process {
 async start(callback?: Function): Promise {
 await this.internalGetInfo();
+ const sanitizedParams = this.params.filter((param: string) => availableParams.includes(param));
+
 const ytldp = spawn(this.exePath,
 ['-o', `${this.settings?.download_path || 'downloads/'}%(title)s.%(ext)s`]
- .concat(this.params)
+ .concat(sanitizedParams)
 .concat([this.url])
 );
@@ -119,9 +122,9 @@ class Process {
 /**
 * download info getter function
- * @returns {object}
+ * @returns {*}
 */
- getInfo(): object {
+ getInfo(): any {
 return this.info
 }
 }
diff --git a/server/src/utils/params.ts b/server/src/utils/params.ts
new file mode 100644
index 0000000..93acab1
--- /dev/null
+++ b/server/src/utils/params.ts
@@ -0,0 +1,4 @@
+export const availableParams = [
+ '--no-mtime',
+ '-x'
+]
\ No newline at end of file
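Review bot: The allowlist covers `this.params`, but `this.url` is still appended as the last argument unchecked, so a value beginning with `-` would be read by the spawned executable as an option and bypass the filter. End option parsing before the positional argument with the conventional terminator, `.concat(['--', this.url])`, and consider rejecting anything that does not parse as an `http:`/`https:` URL before `spawn` is reached. The filter also drops rejected entries silently; a log entry naming them would make such attempts visible to whoever operates the server. `start()` continues past this hunk and `internalGetInfo()` is not shown, so the same treatment may be needed wherever else the URL is handed to the executable.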
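Review bot: Widening `getInfo()` from `object` to `any` turns off type checking for every caller that reads the download info, so a missing or unexpected field is only discovered at run time. `getInfo(): unknown {` keeps the flexibility while forcing callers to narrow before use; alternatively declare an interface for the fields the server actually relies on and return that. The declaration of `this.info` is outside this hunk and would presumably need the matching change.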
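Review bot: `availableParams` is the boundary that decides which client-supplied flags reach the spawned process, but the new file neither says so nor states its matching rule. Add a doc comment such as `/** Allowlist of downloader flags a client may request; matched by exact string, so only value-less flags belong here. */` and declare it as `export const availableParams: readonly string[] = [` so the compiler rejects code that modifies the list. A flag that takes a value would need per-option validation of that value rather than an entry here. The file also ends without a trailing newline.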