security code fix -RCE

[R-Sudharshan]

Title: Security Vulnerability: Unrestricted File Extension leading to Potential Remote Code Execution (RCE) via Malicious Source Data

Description: While reviewing the download implementation in mkbsd.js and mkbsd.py, I discovered that the scripts determine the file extension by directly extracting it from the remote image URL provided by the JSON data API.

If an attacker were able to manipulate the source JSON data—via a Man-in-the-Middle (MitM) attack, DNS hijacking, or a backend compromise—they could replace the image URLs with links to malicious executable files (e.g., .exe, .bat, .sh). The script will happily download these and save them with the executable extension intact (e.g., 1.bat). Since the user specifically runs this script to download media files they intend to open and view, inadvertently clicking on a downloaded executable leads to high-risk Remote Code Execution.

Steps to Reproduce (Local PoC):

Set up a local HTTP server hosting a JSON payload with a .bat file link: "dhd": "http://127.0.0.1:8000/malware.bat"
Point the url variable in mkbsd.py to this local JSON file.
Run the script. The folder is populated with 1.bat instead of standard image formats.
Impact: High. If the data source API is compromised, attackers can distribute malware disguised as numeric wallpapers to all users running this script.

Suggested Fix: Enforce strict validation on the downloaded extensions. Validate the inferred extension against a whitelist of expected media extensions (e.g., ['.jpg', '.jpeg', '.png', '.webp']). If an unexpected extension is found, the script should skip the file or abort.

Example for Python:

python
ALLOWED_EXTS = {'.jpg', '.png', '.jpeg', '.webp'}
ext = os.path.splitext(parsed_url.path)[-1].lower()
if ext not in ALLOWED_EXTS:
print(f"Skipping potentially unsafe file extension: {ext}")
continue
filename = f"{file_index}{ext}"

Note: Also the api url has expired it seems..check on it too !!