fix: runprocessfunction in RunProcessFunction.java #411

Open

orbisai0security wants to merge 1 commit into bramp:main from orbisai0security:fix-v-001-src-main-java-net-bramp-ffmpeg-runprocessfunction.java

Conversation

@orbisai0security

Summary

Fix high severity security issue in src/main/java/net/bramp/ffmpeg/RunProcessFunction.java.

Vulnerability

Field     Value
ID        V-001
Severity  HIGH
Scanner   multi_agent_ai
Rule      V-001
File      src/main/java/net/bramp/ffmpeg/RunProcessFunction.java:32

Description: RunProcessFunction.java passes an args list directly to ProcessBuilder without validating individual argument values for FFmpeg-specific protocol specifiers or unsafe input patterns. Because ProcessBuilder uses array-form invocation (no shell), classic OS shell injection (e.g., '; rm -rf /') is not exploitable. However, if user-supplied filenames are included in the args list without validation, an attacker can inject FFmpeg protocol specifiers such as 'http://attacker.com/malicious.m3u8', 'data://text/plain;base64,...', 'pipe:', or 'rtmp:' to cause FFmpeg to fetch remote content, access unintended resources, or trigger unexpected FFmpeg behaviors. The vulnerability exists at the FFmpegBuilder argument construction layer where user input is incorporated into the args array.

Changes

  • src/main/java/net/bramp/ffmpeg/RunProcessFunction.java

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security
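As an added example of the argument-level screening the description asks for (written for this page, not code from the PR or from bramp/ffmpeg-cli-wrapper; the class and method names are hypothetical and Java 17 is assumed), the validator below rejects any user-supplied path whose prefix FFmpeg would read as a protocol specifier unless that scheme was explicitly allowed, and also refuses a leading dash, which ffmpeg would parse as an option:

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical helper: screens user-supplied path arguments before they reach ProcessBuilder. */
public final class FfmpegArgValidator {
    // FFmpeg selects its protocol handler from a "<scheme>:" prefix on the argument
    // (http:, data:, pipe:, rtmp:, concat:, ...). Two or more characters are required
    // before the colon so that a Windows drive letter such as "C:\" is not taken for a
    // scheme; FFmpeg's Windows builds treat such DOS paths as plain files as well.
    private static final Pattern SCHEME_PREFIX =
        Pattern.compile("^([A-Za-z][A-Za-z0-9+.\\-]+):");

    // Schemes the caller has decided to permit, compared case-insensitively. An empty
    // set means local paths only, the safe default for user-controlled file names.
    private final Set<String> allowedSchemes;

    public FfmpegArgValidator(Set<String> allowedSchemes) {
        this.allowedSchemes = Set.copyOf(allowedSchemes);
    }

    /** Returns the argument unchanged, or throws if it must not be passed to ffmpeg. */
    public String checkPath(String arg) {
        if (arg == null || arg.isBlank()) {
            throw new IllegalArgumentException("empty path argument");
        }
        if (arg.startsWith("-")) {
            // ffmpeg would parse a leading dash as an option rather than a file name.
            throw new IllegalArgumentException("path must not start with '-': " + arg);
        }
        var m = SCHEME_PREFIX.matcher(arg);
        if (m.find() && !allowedSchemes.contains(m.group(1).toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("FFmpeg protocol not permitted: " + m.group(1) + ":");
        }
        return arg;
    }

    /** Screens every user-controlled value; option flags built by the library itself are not passed here. */
    public List<String> checkAll(List<String> userPaths) {
        return userPaths.stream().map(this::checkPath).toList();
    }

    public static void main(String[] args) {
        var v = new FfmpegArgValidator(Set.of());   // local files only
        System.out.println(v.checkAll(List.of("clips/intro.mp4", "C:\\media\\intro.mp4")));
        try { v.checkPath("http://attacker.invalid/malicious.m3u8"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Run through the constructor with `Set.of("file")` if `file:` URLs are a legitimate input in your deployment; every other scheme stays rejected.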

RunProcessFunction
Resolves V-001