root 65fd71dc0d fix(workers): yt-dlp argv injection — scheme check + -- separator ...

The url passed to yt-dlp is user-controllable (via /api/capture). Any
string starting with '-' would be parsed as a flag (e.g.
--config-location=/etc/passwd). Mitigations:
1. Validate scheme is http(s) and hostname is present before subprocess.
2. Pass `--` to yt-dlp so it stops flag parsing before the positional
   URL.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-06-01 10:11:57 +10:00

..

fixtures

feat(workers): extract.pdf with Tesseract fallback

2026-06-01 04:59:53 +10:00

conftest.py

feat(workers): pgboss claim/complete/fail via psycopg

2026-06-01 04:43:26 +10:00

test_boss.py

feat(workers): pgboss claim/complete/fail via psycopg

2026-06-01 04:43:26 +10:00

test_echo.py

feat(workers): runner loop + echo handler

2026-06-01 04:43:52 +10:00

test_image.py

feat(workers): extract.image via Tesseract

2026-06-01 05:00:21 +10:00

test_model.py

feat(workers): whisper loader with CUDA detect + CPU fallback

2026-06-01 10:06:50 +10:00

test_pdf.py

feat(workers): extract.pdf with Tesseract fallback

2026-06-01 04:59:53 +10:00

test_video.py

fix(workers): yt-dlp argv injection — scheme check + -- separator

2026-06-01 10:11:57 +10:00