Headline
CVE-2023-39015: There's a code injection vulnerability of `us.codecraft.webmagic.downloader.PhantomJSDownloader` · Issue #1122 · code4craft/webmagic
webmagic-extension v0.9.0 and below was discovered to contain a code injection vulnerability via the component us.codecraft.webmagic.downloader.PhantomJSDownloader.
Affected Version
The latest version 0.9.0 and below.
Describe the vulnerability
There is a method, `us.codecraft.webmagic.downloader.PhantomJSDownloader.download(Request, Task)`, designed to download a page for a request. However, the `phantomJsCommand` argument passed to the `PhantomJSDownloader` constructor is not checked, so it can lead to the execution of arbitrary commands. For instance, on Windows, `new PhantomJSDownloader("cmd /c \"for /l %i in (1, 1, 10) do calc\"", "")` would open ten calculators.
```java
import us.codecraft.webmagic.Request;
import us.codecraft.webmagic.downloader.PhantomJSDownloader;

// Proof of concept from the report: the first constructor argument is executed as a command.
PhantomJSDownloader downloader = new PhantomJSDownloader("cmd /c \"for /l %i in (1, 1, 10) do calc\"", "");
Request request = new Request();
downloader.download(request, null);
```
To Reproduce
Just executing the above code reproduces it.
Fix Suggestion
First, I strongly recommend simply removing PhantomJSDownloader.java and all code related to it from the project, because PhantomJS has not been maintained for 5 years, namely since Mar 4, 2018 (see ariya/phantomjs#15344). Alternatively, you can check the parameter phantomJsCommand strictly. For example, you can write code to check whether phantomJsCommand is a phantomjs executable.
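One way to implement the strict check suggested above, as an added example that is not webmagic's own code: a small validator that accepts only a single token naming a phantomjs executable and rejects anything containing spaces, quotes or shell operators, so a whole command string like the one in the PoC never reaches a process launch. The class name, method names and the sample inputs in `main` are hypothetical.

```java
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Hypothetical strict check for the phantomJsCommand argument (example only,
 * not webmagic's code). Accepts one token that resolves to a phantomjs
 * executable and rejects anything a shell could reinterpret.
 */
public final class PhantomJsCommandValidator {

    // One token only: letters, digits, '.', '_', '-', path separators and a
    // Windows drive colon. Spaces, quotes, '&', '|', ';', '$' and so on are
    // rejected, so a string such as "cmd /c ..." fails before anything runs.
    private static final Pattern SINGLE_TOKEN = Pattern.compile("[A-Za-z0-9._/\\\\:-]+");

    private PhantomJsCommandValidator() {}

    /** Returns the absolute path of the validated phantomjs binary, or throws. */
    public static Path validate(String phantomJsCommand) {
        if (phantomJsCommand == null || !SINGLE_TOKEN.matcher(phantomJsCommand).matches()) {
            throw new IllegalArgumentException(
                "phantomJsCommand must be a single executable path, not a shell command");
        }
        Path candidate = resolve(phantomJsCommand);
        String base = candidate.getFileName().toString().toLowerCase(Locale.ROOT);
        if (!base.equals("phantomjs") && !base.equals("phantomjs.exe")) {
            throw new IllegalArgumentException("not a phantomjs executable: " + candidate);
        }
        if (!Files.isRegularFile(candidate) || !Files.isExecutable(candidate)) {
            throw new IllegalArgumentException(
                "phantomjs binary missing or not executable: " + candidate);
        }
        return candidate;
    }

    // A bare name is looked up on PATH; a value containing a separator is used as given.
    private static Path resolve(String command) {
        if (command.contains("/") || command.contains("\\")) {
            return Paths.get(command).toAbsolutePath().normalize();
        }
        String pathEnv = System.getenv("PATH");
        if (pathEnv != null) {
            for (String dir : pathEnv.split(Pattern.quote(File.pathSeparator))) {
                if (dir.isEmpty()) {
                    continue;
                }
                Path p = Paths.get(dir, command);
                if (Files.isRegularFile(p) && Files.isExecutable(p)) {
                    return p.toAbsolutePath().normalize();
                }
            }
        }
        throw new IllegalArgumentException("phantomjs not found on PATH: " + command);
    }

    public static void main(String[] args) {
        // Constructed inputs: the report's PoC string plus two plausible legitimate values.
        String[] samples = {
            "cmd /c \"for /l %i in (1, 1, 10) do calc\"",
            "/usr/local/bin/phantomjs",
            "phantomjs"
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The token check is deliberately narrower than "is this a valid command line": it refuses whole-command strings instead of trying to parse them, and the basename and executable checks then confirm the token really points at a phantomjs binary. It only guards the constructor argument, though; a caller that lets untrusted input choose the binary path at all is still at risk, which is why removing the component, as recommended first, is the stronger fix.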