code4craft / webmagic

A scalable web crawler framework for Java.
http://webmagic.io/
Apache License 2.0
11.42k stars 4.18k forks

There's a code injection vulnerability of `us.codecraft.webmagic.downloader.PhantomJSDownloader` #1122

Open LetianYuan opened 1 year ago

LetianYuan commented 1 year ago

Affected Version
The latest version 0.9.0 and below.

Describe the vulnerability
There is a method, us.codecraft.webmagic.downloader.PhantomJSDownloader.download(Request, Task), designed to download a page from a request. However, passing an unchecked argument to the PhantomJSDownloader constructor can lead to the execution of arbitrary commands. For instance, on Windows, new PhantomJSDownloader("cmd /c \"for /l %i in (1, 1, 10) do calc\"", "") would open ten calculators.

import us.codecraft.webmagic.Request;
import us.codecraft.webmagic.downloader.PhantomJSDownloader;
// The first constructor argument is a shell command line rather than a path to phantomjs; download() runs it.
PhantomJSDownloader downloader = new PhantomJSDownloader("cmd /c \"for /l %i in (1, 1, 10) do calc\"", "");
Request request = new Request();
downloader.download(request, null);

To Reproduce
Just executing the above code would reproduce it.

Fix Suggestion
First, I strongly recommend that you simply remove PhantomJSDownloader.java and all code related to it in the project, because PhantomJS has not been maintained for 5 years, namely since Mar 4, 2018 (see https://github.com/ariya/phantomjs/issues/15344). Or, you can check the parameter phantomJsCommand strictly. For example, you can write code to check whether phantomJsCommand is a phantomjs executable.
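One way to implement the strict check suggested above, as an added example that is not part of the issue or of webmagic's own code: a hypothetical helper that accepts only a plain filesystem path whose base name is phantomjs (or phantomjs.exe) and that points at an existing executable, so a shell command line such as the one in the report is refused before anything is run.

```java
import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical allow-list check for the phantomJsCommand constructor argument. */
public final class PhantomJsCommandCheck {

    // Only these base names are accepted; cmd, sh, powershell and friends are refused.
    private static final Set<String> ALLOWED_NAMES = Set.of("phantomjs", "phantomjs.exe");

    // A bare path contains no whitespace, quotes or shell metacharacters, so a value
    // like `cmd /c "for /l ..."` fails here before it could reach any process launch.
    private static final Pattern SAFE_PATH = Pattern.compile("[A-Za-z0-9._/\\\\:~-]+");

    /** Returns the validated absolute path, or throws if the value is not a phantomjs binary. */
    public static Path validate(String phantomJsCommand) {
        if (phantomJsCommand == null || phantomJsCommand.isEmpty()) {
            throw new IllegalArgumentException("phantomJsCommand must not be empty");
        }
        if (!SAFE_PATH.matcher(phantomJsCommand).matches()) {
            throw new IllegalArgumentException(
                "phantomJsCommand must be a plain path, not a command line: " + phantomJsCommand);
        }
        Path path = Paths.get(phantomJsCommand).toAbsolutePath().normalize();
        Path fileName = path.getFileName(); // null for a bare root such as "/"
        if (fileName == null || !ALLOWED_NAMES.contains(fileName.toString().toLowerCase())) {
            throw new IllegalArgumentException("not a phantomjs executable: " + path);
        }
        File file = path.toFile();
        if (!file.isFile() || !file.canExecute()) {
            throw new IllegalArgumentException("phantomjs binary missing or not executable: " + path);
        }
        return path;
    }

    public static void main(String[] args) {
        // Constructed inputs: the report's payload is refused; the plain path is accepted
        // only if such a binary actually exists and is executable on this machine.
        String[] samples = {"cmd /c \"for /l %i in (1, 1, 10) do calc\"", "/usr/local/bin/phantomjs"};
        for (String s : samples) {
            try {
                System.out.println("accepted: " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Validating the path only helps if the downloader then launches it as a separate argument (for example as the first element of a ProcessBuilder argument list) rather than concatenating it into a single shell string.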