FFmpeg Security Best Practices for Cloud APIs
Rendobar

FFmpeg Security Best Practices for Cloud APIs

How to run FFmpeg safely in cloud environments. Covers protocol restrictions, command sanitization, container isolation, and Rendobar's 8-layer security model.

Running FFmpeg in a cloud API introduces serious security risks that most teams underestimate. FFmpeg is a powerful tool that can read and write to arbitrary network endpoints, access local filesystems, and execute complex filter graphs — all of which make it a prime vector for server-side request forgery (SSRF), data exfiltration, and denial-of-service attacks when exposed to untrusted input.

Why is FFmpeg dangerous in cloud environments?

FFmpeg was designed as a local command-line tool. It assumes the operator is trusted. When you wrap it in an API and let external users supply commands or parameters, you inherit every capability FFmpeg has — including ones you did not intend to expose.

The core problem is that FFmpeg supports dozens of protocols beyond simple file access. By default, it can fetch resources over HTTP, HTTPS, FTP, RTMP, RTSP, TCP, UDP, and many more. A user submitting a job to your API could craft an input URL that forces FFmpeg to make requests to your internal network, read files from the host filesystem, or stream data to an external server.

This is not theoretical. SSRF through media processing tools is a well-documented attack class. If your API runs FFmpeg with user-supplied input URLs on a server that has access to internal services, metadata endpoints, or databases, you have a problem.

What attacks are possible through FFmpeg?

Several attack vectors are specific to FFmpeg in cloud environments.

Server-Side Request Forgery (SSRF). An attacker submits a job with an input URL pointing to an internal service:

# Attacker submits this as the source URL
ffmpeg -i http://169.254.169.254/latest/meta-data/iam/security-credentials/ -f null -

If FFmpeg is running inside AWS, GCP, or any cloud provider, this could leak IAM credentials, service account tokens, or other metadata. The same applies to internal service discovery endpoints, databases listening on localhost, or admin panels on private IPs.

Protocol abuse. FFmpeg supports protocols that can be weaponized:

# Read local files via the file protocol
ffmpeg -i file:///etc/passwd -f null -

# Connect to arbitrary TCP endpoints
ffmpeg -i tcp://internal-redis:6379 -f null -

# Use the concat protocol to chain multiple reads
ffmpeg -i "concat:file:///etc/shadow|file:///etc/passwd" -f null -

Overriding protocol restrictions. If your application injects protocol restrictions but the user can supply arbitrary flags, they can undo your protections:

# User overrides your protocol whitelist
ffmpeg -protocol_whitelist "file,http,https,tcp,udp" -i http://internal-service/secret -f null -

Resource exhaustion. FFmpeg can be directed to decode pathologically complex streams, allocate unbounded memory, or run indefinitely without producing output. Without timeout guards and resource limits, a single malicious job can take down your processing fleet.

Environment variable leakage. FFmpeg inherits the process environment. If your API server has database credentials, API keys, or secrets in environment variables, FFmpeg (and any filters that spawn subprocesses) can access them.

How does protocol whitelisting work?

Protocol whitelisting is the most important single defense. It restricts which protocols FFmpeg is allowed to use for each input, preventing it from making network requests at runtime.

The mechanism is the -protocol_whitelist flag, applied before each -i input:

# Restricted: only allow local file access for this input
ffmpeg -protocol_whitelist file -i /tmp/job_abc/input.mp4 -c:v libx264 output.mp4

With this restriction, FFmpeg cannot fetch HTTP URLs, connect to TCP sockets, or use any other protocol for that specific input. Even if the input path is somehow crafted to look like a URL, FFmpeg will refuse to resolve it through any protocol other than file.

This is most effective when applied at the executor level, not at the API level. The API accepts HTTPS URLs from users, downloads the files to local storage, and then passes local file paths to FFmpeg with protocol restrictions. This separation means FFmpeg never directly touches user-supplied URLs.

At Rendobar, every input is downloaded to an ephemeral working directory before FFmpeg runs. The executor then injects -protocol_whitelist file before each -i flag automatically, regardless of what the user submitted. This happens in code:

function injectProtocolRestrictions(args: string[]): string[] {
  const result: string[] = [];
  for (let i = 0; i < args.length; i++) {
    if (args[i] === "-i") {
      result.push("-protocol_whitelist", "file");
    }
    result.push(args[i]);
  }
  return result;
}

This injection is transparent to the user and cannot be overridden because the sanitizer blocks user-supplied -protocol_whitelist and -protocol_blacklist flags before the command ever reaches the executor.

What is command sanitization?

Command sanitization is the process of parsing, validating, and rewriting user-supplied FFmpeg commands before execution. It serves two purposes: extracting structured data from the command (like input URLs and output format) and blocking flags that would undermine other security layers.

A good sanitizer is not a blocklist of “dangerous” flags. FFmpeg has hundreds of flags, and trying to enumerate all dangerous ones is a losing game. Instead, the sanitizer should focus on a small set of flags that specifically undermine the security architecture.

Rendobar’s FFmpeg as a Service feature accepts raw FFmpeg commands from users. The sanitizer does the following:

  1. Parses the command string into an argument array, handling quoted strings and escapes
  2. Strips the leading ffmpeg binary name if present
  3. Extracts input URLs from -i positions and replaces them with local file placeholders
  4. Detects the output format from the trailing filename
  5. Blocks -protocol_whitelist and -protocol_blacklist flags

The sanitizer explicitly does not try to block arbitrary flags, filter expressions, or codec options. That would break legitimate use cases and create a maintenance burden as FFmpeg evolves. Instead, it blocks only the two flags that can override protocol restrictions, and relies on container isolation to handle everything else.

const BLOCKED_FLAGS = new Set([
  "-protocol_whitelist",
  "-protocol_blacklist",
]);

This is defense-in-depth. Even if the sanitizer were bypassed, the executor independently injects protocol restrictions. Even if both were bypassed, the container has no network access and no secrets to leak. Each layer independently prevents a class of attacks.

How does container isolation protect you?

Container isolation is the foundation of the security model. Every FFmpeg job runs in an ephemeral container that is created for the job and destroyed after it completes. The container has no persistent state, no access to other jobs, and a restricted environment.

Key properties of effective container isolation for FFmpeg:

Ephemeral lifecycle. The container is created when the job starts and destroyed when it finishes. There is no opportunity for an attacker to persist malware, modify the filesystem for future jobs, or establish a long-lived connection to an external server. If FFmpeg writes something malicious to disk, it is gone when the container is torn down.

Clean process environment. The container should not inherit the host’s environment variables. FFmpeg and its subprocesses should only see the minimum variables needed to function:

function buildCleanEnv(): Record<string, string> {
  return {
    PATH: "/usr/local/bin:/usr/bin:/bin",
    HOME: "/tmp",
    TMPDIR: "/tmp",
  };
}

This prevents FFmpeg from accessing API keys, database credentials, cloud provider tokens, or any other secrets that might be present in the host environment.

stdio restriction. FFmpeg’s stdin should be closed (preventing interactive input), stdout can be ignored (most FFmpeg output goes to stderr), and stderr should be captured for logging but not exposed to the user in full (which could leak filesystem paths or internal configuration):

spawn("ffmpeg", args, {
  stdio: ["ignore", "ignore", "pipe"],
  env: buildCleanEnv(),
});

Timeout enforcement. Every job must have a maximum execution time. Without this, an attacker could submit a job that runs indefinitely, consuming resources and preventing other jobs from executing. Timeouts should be enforced both at the process level (SIGTERM/SIGKILL) and at the orchestration level.

What does Rendobar’s security model look like?

Rendobar’s FFmpeg as a Service runs user-supplied FFmpeg commands through an 8-layer security model. Each layer independently prevents a class of attacks, so a failure in any single layer does not compromise the system.

Layer 1: Input URL validation. The API only accepts HTTPS source URLs. HTTP, FTP, and other protocols are rejected at the API boundary before any processing begins. This prevents the most basic SSRF attempts from ever reaching the executor.

Layer 2: Command sanitization. User-supplied FFmpeg commands are parsed and validated. The sanitizer extracts input URLs (replacing them with local file placeholders), detects the output format, and blocks -protocol_whitelist and -protocol_blacklist flags. All other flags, filters, and codecs are allowed — the container handles those threats.

Layer 3: Per-input protocol restriction. The executor injects -protocol_whitelist file before each -i flag in the command. This restricts FFmpeg to only reading local files, regardless of what the user submitted. Even if a user somehow embedded a URL in a filter expression, FFmpeg cannot resolve it through network protocols.

Layer 4: Clean process environment. The FFmpeg subprocess receives only PATH, HOME, and TMPDIR. All other environment variables from the host process are stripped. This prevents secrets, API keys, cloud credentials, and configuration values from being accessible to FFmpeg or any subprocess it spawns.

Layer 5: Container isolation. Every job runs in a dedicated Trigger.dev container that is isolated from other jobs and from the host infrastructure. The container has no persistent storage, no access to internal services, and no shared state with other containers.

Layer 6: Timeout guards. Each job has a maximum execution time configured per plan (5 minutes on the Free plan, 15 minutes on Pro). The process is terminated with SIGTERM if it exceeds the timeout, preventing resource exhaustion and infinite-loop attacks.

Layer 7: stdio restriction. FFmpeg runs with stdin closed (ignore), stdout closed (ignore), and only stderr piped for progress monitoring. This prevents FFmpeg from reading interactive input or writing to unexpected file descriptors.

Layer 8: Ephemeral teardown. After the job completes (or fails, or times out), the container is destroyed. All files, processes, and network connections created during the job are eliminated. There is no opportunity for persistence or cross-job contamination.

How does this compare to running FFmpeg yourself?

If you run FFmpeg on your own infrastructure, you are responsible for implementing every one of these layers. Most teams implement some of them (usually input validation and maybe timeouts) but miss others (environment isolation, protocol restrictions, stdio control).

The Rendobar API abstracts all of this. You submit a job with a source URL and parameters, and the platform handles downloading, security, execution, and cleanup. For the raw FFmpeg job type, you can submit arbitrary FFmpeg commands and the 8-layer model ensures they execute safely.

A simple API call replaces hundreds of lines of security infrastructure:

curl -X POST https://api.rendobar.com/jobs \
  -H "Authorization: Bearer rb_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "raw.ffmpeg",
    "input": { "source": "https://example.com/video.mp4" },
    "params": {
      "command": "-i source -vf scale=1280:720 -c:v libx264 -preset fast output.mp4"
    }
  }'

The API validates the command, downloads the input over HTTPS, executes FFmpeg in an isolated container with all 8 security layers active, uploads the output to cloud storage, and returns a signed download URL. You never touch FFmpeg directly, and you never need to worry about protocol restrictions, environment leakage, or container configuration.

What should you do if you must self-host FFmpeg?

If you cannot use a managed service and must run FFmpeg yourself, here is the minimum security checklist:

  1. Never pass user-supplied URLs directly to FFmpeg. Download inputs to local storage first, then use local file paths with -protocol_whitelist file.
  2. Block -protocol_whitelist and -protocol_blacklist in user input. These flags allow users to override your protocol restrictions.
  3. Strip the process environment. Forward only PATH, HOME, and TMPDIR to the FFmpeg subprocess.
  4. Run in ephemeral containers. Use Docker, Firecracker, or a similar isolation technology. Destroy the container after each job.
  5. Enforce timeouts. Kill the process after a maximum duration. Use both process-level signals and orchestration-level timeouts.
  6. Restrict stdio. Close stdin and stdout. Pipe only stderr for monitoring.
  7. Validate input URLs at the API layer. Accept only HTTPS. Reject private IP ranges, localhost, and link-local addresses.
  8. Log and audit. Record the full command (with secrets redacted), execution time, exit code, and stderr summary for every job.

These are the basics. For production workloads, consider also running FFmpeg as a non-root user, mounting the working directory as a tmpfs (to prevent disk exhaustion), limiting CPU and memory via cgroups, and rate-limiting job submissions per user.

Further reading