🛡️ Sentinel: [HIGH] Fix FFmpeg argument injection via unvalidated rtmpUrl

[Dexploarer]

🚨 Severity: HIGH
💡 Vulnerability: The streamManager.start function previously passed the rtmpUrl configuration property directly into the spawn("ffmpeg", ...) arguments without strict validation. This allowed potential argument injection or command execution if an attacker could control the provided rtmpUrl.
🎯 Impact: If an attacker controls the rtmpUrl, they could inject arbitrary FFmpeg arguments, potentially leading to local file reading, writing, or denial of service by manipulating FFmpeg execution.
🔧 Fix: Added explicit validation at the beginning of streamManager.start to ensure rtmpUrl strictly starts with either rtmp:// or rtmps://, rejecting any other schemes or formats.
✅ Verification: Run bun test src/services/stream-manager.test.ts or standalone testing scripts to ensure invalid rtmpUrl values throw an error synchronously and valid ones are accepted.

---

PR created automatically by Jules for task 15268392004724634142 started by @Dexploarer

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[codereviewbot-ai]

Silent Early Return May Cause Inconsistent State

The early return in lines 228-230 prevents the stream from starting if _running or _starting is true, but does not throw an error or otherwise inform the caller. This can lead to silent failures and confusion, as the caller may assume the stream was started successfully. Consider throwing an error or returning a status to allow the caller to handle this situation explicitly:

if (this._running || this._starting) {
  logger.warn(`${TAG} Already running or starting — stop first`);
  throw new Error("Stream already running or starting. Stop first.");
}

This ensures that the caller is aware of the failure and can respond appropriately.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sentinel/fix-ffmpeg-arg-injection-15268392004724634142

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a critical security fix to prevent FFmpeg argument injection. It enhances the streamManager.start function by adding robust validation for the rtmpUrl input, ensuring that only valid RTMP or RTMPS URLs are processed. This change significantly mitigates the risk of command execution or denial of service attacks through manipulated FFmpeg arguments, while also documenting the vulnerability and its prevention for future reference.

Highlights

• Security Vulnerability Fixed: A high-severity FFmpeg argument injection vulnerability in streamManager.start was addressed by implementing strict validation for the rtmpUrl parameter.
• Input Validation Implemented: The rtmpUrl in streamManager.start now explicitly checks if the URL starts with rtmp:// or rtmps://, throwing an error for invalid formats.
• Security Documentation Added: A new markdown file .jules/sentinel.md was created to document the argument injection vulnerability, lessons learned, and prevention strategies.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• .jules/sentinel.md
  • Added a new security entry detailing an argument injection vulnerability related to FFmpeg and rtmpUrl.
  • Included sections on the vulnerability, learning points, and prevention methods.
• src/services/stream-manager.ts
  • Implemented a check in the start method to validate that config.rtmpUrl begins with "rtmp://" or "rtmps://".
  • Added an error throw for invalid rtmpUrl formats to prevent potential argument injection.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request addresses a high-severity argument injection vulnerability in the streamManager.start function by validating the rtmpUrl before it's used to construct an FFmpeg command. The fix correctly ensures the URL starts with a valid RTMP scheme. My review includes a suggestion to make this validation case-insensitive for improved robustness, aligning with similar checks elsewhere in the codebase. While the fix is effective, I strongly recommend adding automated tests to verify this security patch and prevent future regressions, as no tests were added in this PR.

[gemini-code-assist]

For robustness and consistency with other parts of the codebase (e.g., src/api/stream-routes.ts), it's better to use a case-insensitive regular expression to validate the RTMP URL scheme. URL schemes are generally case-insensitive, so this change will correctly handle URLs like RTMP://....

Suggested change

	if (!config.rtmpUrl.startsWith("rtmp://") && !config.rtmpUrl.startsWith("rtmps://")) {
	throw new Error("Invalid rtmpUrl: must start with rtmp:// or rtmps://");
	}
	if (!/^rtmps?:\/\//i.test(config.rtmpUrl)) {
	throw new Error("Invalid rtmpUrl: must start with rtmp:// or rtmps://");
	}