Context
Flagged in PR #35 code review (comment).
Problem
crates/desktop-app/local-server/server.js:100 builds a shell command string and passes it to exec() to open URLs. This is vulnerable to command injection (e.g., $(...) or backticks are evaluated inside double quotes on macOS/Linux).
Proposed Fix
- Use
spawn/execFile with argument arrays (no shell) instead of exec()
- Validate/parse the URL via
new URL(url) before passing to the opener
- Alternatively, use a well-audited opener library (e.g.,
open npm package)
Context
Flagged in PR #35 code review (comment).
Problem
crates/desktop-app/local-server/server.js:100builds a shell command string and passes it toexec()to open URLs. This is vulnerable to command injection (e.g.,$(...)or backticks are evaluated inside double quotes on macOS/Linux).Proposed Fix
spawn/execFilewith argument arrays (no shell) instead ofexec()new URL(url)before passing to the openeropennpm package)