Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Summary

A vulnerability was found in Gotenberg versions prior to 8.31.0. The metadata value sanitization introduced in 8.30.1 (commit 405f106) only validates metadata KEYS via "safeKeyPattern" regex. Metadata VALUES are passed unsanitized to "go-exiftool SetString()", which writes them as "fmt.Fprintln(e.stdin, "-"+k+"="+str)". A newline (\n) in a value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as "-FileName", "-Directory", "-SymLink", "-HardLink". Docker-verified: HTTP 404 returned (file moved), "/tmp/inject_proof" created in container. This is a bypass of the incomplete fix in 8.30.1.