remotion: Fix shell command built from environment values open-in-editor

[odaysec]

remotion/packages/studio-server/src/helpers/open-in-editor.ts

Lines 585 to 600 in 5fbbbb0

	child_process.exec(`${where} "${editor.command}"`, (err) => {
	if (err) {
	resolve(editor.process);
	} else {
	resolve(editor.command);
	}
	});
	});
	return new Promise((resolve, reject) => {
	if (process.platform === 'win32') {
	// On Windows, launch the editor in a shell because spawn can only
	// launch .exe files.
	_childProcess = child_process.spawn(
	'cmd.exe',
	['/C', binaryToUse].concat(args),

remotion/packages/studio-server/src/helpers/open-in-editor.ts

Lines 598 to 602 in 5fbbbb0

	_childProcess = child_process.spawn(
	'cmd.exe',
	['/C', binaryToUse].concat(args),
	{stdio: 'inherit', detached: true},
	);

Fix the issue will replace the use of child_process.exec and child_process.spawn with safer alternatives. Specifically:

1. Use child_process.spawn with separate arguments instead of dynamically constructing the command string.
2. Ensure that all inputs (e.g., binaryToUse, args, and fileName) are properly sanitized or validated before being passed to the spawn function.
3. Replace the child_process.exec call used to resolve binaryToUse with child_process.execFile, which avoids shell interpretation of the command and its arguments.

These changes will ensure that special characters in environment values or user inputs do not alter the behavior of the shell command unexpectedly.

---

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
bugs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 30, 2025 3:13pm
remotion	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 30, 2025 3:13pm

[JonnyBurger]

Thanks!

Does this fix an actual security problem or is it precautionary?
What would the attack vector be?