From 4ffb5c3972732c2ed5c720b0b83c747960d92bca Mon Sep 17 00:00:00 2001
From: Lucas Gabriel <90426410+lucmsilva651@users.noreply.github.com>
Date: Sat, 28 Sep 2024 18:44:00 -0300
Subject: [PATCH] Fix code scanning alert no. 1: Shell command built from environment values (#11)
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 commands/youtube.js | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/commands/youtube.js b/commands/youtube.js
index 87d5278..ee7dc46 100644
--- a/commands/youtube.js
+++ b/commands/youtube.js
@@ -1,7 +1,7 @@
 const { getStrings } = require('../plugins/checklang.js');
 const { isOnSpamWatch } = require('../plugins/lib-spamwatch/spamwatch.js');
 const spamwatchMiddleware = require('../plugins/lib-spamwatch/Middleware.js')(isOnSpamWatch);
-const { exec } = require('child_process');
+const { execFile } = require('child_process');
 const os = require('os');
 const fs = require('fs');
 const path = require('path');
@@ -17,9 +17,9 @@ function getYtDlpPath() {
 return ytDlpPaths[platform] || ytDlpPaths.linux;
 };
-async function downloadFromYoutube(command) {
+async function downloadFromYoutube(command, args) {
 return new Promise((resolve, reject) => {
- exec(command, (error, stdout, stderr) => {
+ execFile(command, args, (error, stdout, stderr) => {
 if (error) {
 reject({ error, stdout, stderr });
 } else {
@@ -39,7 +39,8 @@ module.exports = (bot) => {
 const mp4File = `tmp/${userId}.mp4`;
 const cmdArgs = "--max-filesize 2G --no-playlist --merge-output-format mp4 -o";
 const videoFormat = "-f bestvideo+bestaudio";
- const dlpCommand = `${ytDlpPath} ${videoUrl} ${videoFormat} ${cmdArgs} ${mp4File}`;
+ const dlpCommand = ytDlpPath;
+ const dlpArgs = [videoUrl, videoFormat, ...cmdArgs.split(' '), mp4File];
 const downloadingMessage = await ctx.reply(strings.ytDownloading, {
 parse_mode: 'Markdown',
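Review bot: `downloadFromYoutube` now hands `args` straight to `execFile` but passes no options object, so the child runs with Node's default 1 MiB `maxBuffer` and no `timeout`; with `--max-filesize 2G` it is plausible that yt-dlp's progress lines (stdout and stderr both count toward the limit) exceed that buffer on a long download, in which case Node kills yt-dlp and the caller sees what looks like an ordinary download failure. The rejection value is also a plain object rather than an Error, so callers get no stack trace and `instanceof Error` checks fail. Consider `execFile(command, args, { maxBuffer: 32 * 1024 * 1024, timeout: 15 * 60 * 1000 }, (error, stdout, stderr) => {` and `reject(Object.assign(new Error(error.message), { error, stdout, stderr }));` so the fields existing callers read stay available. A JSDoc on the function should state that `command` is executed directly and `args` is passed verbatim as argv with no shell involved, so callers remain responsible for ensuring a user-controlled element cannot be read as a yt-dlp option. The function's body closes outside the hunk.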
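Review bot: `videoUrl` is still the first element of `dlpArgs` and nothing in the hunk validates it, so a value beginning with `-` (presumably anything the user typed, since the variable is defined outside the hunk) is parsed by yt-dlp as an option rather than a URL; yt-dlp has options such as `--exec` that run commands, so the shell injection this commit removes can reappear as option injection. Separately, `videoFormat` is pushed as the single argv entry `"-f bestvideo+bestaudio"` instead of being split like `cmdArgs`, which is not how the old shell command tokenized it and leaves yt-dlp to parse a flag with an embedded space. The fix is to parse the input with `new URL()` and accept only http(s), split the format flag, and put the URL last behind a `--` terminator so option parsing has ended before yt-dlp reads it. The enclosing command handler starts and ends outside the hunk, so the early return below assumes `ctx` is the handler's context as the later `ctx.reply` call suggests.
```javascript
  const cmdArgs = "--max-filesize 2G --no-playlist --merge-output-format mp4 -o";
  const videoFormat = ["-f", "bestvideo+bestaudio"];
  // Only absolute http(s) URLs may reach argv: new URL() throws on malformed input,
  // and the protocol check rejects file:, javascript:, data: and similar schemes.
  let parsedUrl;
  try {
    parsedUrl = new URL(videoUrl);
  } catch {
    return ctx.reply('Only http(s) links are supported.');
  }
  if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
    return ctx.reply('Only http(s) links are supported.');
  }
  const dlpCommand = ytDlpPath;
  // "--" ends option parsing, so a URL that begins with "-" can never be read as a flag;
  // the validated href replaces the raw user string.
  const dlpArgs = [...videoFormat, ...cmdArgs.split(' '), mp4File, '--', parsedUrl.href];
  // … unchanged: ctx.reply(strings.ytDownloading, …) …
```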
@@ -47,7 +48,7 @@ module.exports = (bot) => {
 });
 try {
- await downloadFromYoutube(dlpCommand);
+ await downloadFromYoutube(dlpCommand, dlpArgs);
 await ctx.telegram.editMessageText(
 ctx.chat.id,