From 9f7fd6b34120454580eafbdfdb28b631af6ce517 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sun, 22 Mar 2026 23:12:50 +0000
Subject: [PATCH] Fix FFmpeg command injection in watermark engine

Co-authored-by: Cukurikik <266119688+Cukurikik@users.noreply.github.com>
---
 src/modules/video-engine/engines/watermark.engine.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/modules/video-engine/engines/watermark.engine.ts b/src/modules/video-engine/engines/watermark.engine.ts
index 74db72cc..3d20c995 100644
--- a/src/modules/video-engine/engines/watermark.engine.ts
+++ b/src/modules/video-engine/engines/watermark.engine.ts
@@ -1,7 +1,14 @@
 import type { FFmpeg } from "@ffmpeg/ffmpeg";
 export interface WatermarkOptions { [key: string]: unknown; }
 export async function buildWatermarkArgs(input: string, output: string, opts: WatermarkOptions, ffmpeg?: FFmpeg, files?: File[]): Promise<string[]> {
-  const text = (opts.text as string) || "HEAVY-TOOLS";
+  let text = (opts.text as string) || "HEAVY-TOOLS";
+
+  // Sanitize input for FFmpeg drawtext filter injection
+  text = text
+    .replace(/\\/g, '\\\\')
+    .replace(/:/g, '\\:')
+    .replace(/'/g, "'\\''");
+
   const posX = (opts.posX as string) || "10";
   const posY = (opts.posY as string) || "10";
   const fontSize = (opts.fontSize as number) || 24;