18 changes: 15 additions & 3 deletions cmd/goose/ui.go
Expand Up @@ -72,9 +72,21 @@ func openURL(ctx context.Context, rawURL string, gooseParam string) error {
slog.Debug("Executing command", "command", "rundll32.exe url.dll,FileProtocolHandler", "url", rawURL)
cmd = exec.CommandContext(ctx, "rundll32.exe", "url.dll,FileProtocolHandler", rawURL)
default:
// Use xdg-open with full path for Linux and other Unix-like systems
slog.Debug("Executing command", "command", "/usr/bin/xdg-open", "url", rawURL)
cmd = exec.CommandContext(ctx, "/usr/bin/xdg-open", rawURL)
// Use xdg-open for Linux, FreeBSD, and other Unix-like systems
// Check PATH first, then common locations
paths := []string{"xdg-open", "/usr/local/bin/xdg-open", "/usr/bin/xdg-open", "/usr/pkg/bin/xdg-open", "/opt/local/bin/xdg-open"}
var xdgOpenPath string
for _, p := range paths {
if path, err := exec.LookPath(p); err == nil {
xdgOpenPath = path
break
}
}
if xdgOpenPath == "" {
return errors.New("xdg-open not found")
}
slog.Debug("Executing command", "command", xdgOpenPath, "url", rawURL)
cmd = exec.CommandContext(ctx, xdgOpenPath, rawURL)


Issue: Add URL validation and sanitization before executing the command. Parse and validate the URL to ensure it's properly formatted and doesn't contain shell metacharacters that could be exploited for command injection.

Recommended Code Changes:

// Validate and parse the URL before execution
parsedURL, err := url.Parse(rawURL)
if err != nil {
    return fmt.Errorf("invalid URL: %w", err)
}
// Ensure the URL scheme is safe (http/https)
if parsedURL.Scheme != "http" && parsedURL.Scheme != "https" {
    return errors.New("unsupported URL scheme")
}
// Use the cleaned URL string
cleanURL := parsedURL.String()
cmd = exec.CommandContext(ctx, xdgOpenPath, cleanURL)

}

if err := cmd.Start(); err != nil {
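Review bot: The candidate list on the `paths` line puts the bare name `xdg-open` first, so a PATH lookup now takes precedence over the fixed system locations, whereas the removed line pinned `/usr/bin/xdg-open`; in any deployment where PATH can be shaped by other software or a checked-out project, the binary that ends up opening the URL is no longer fixed. If PATH-first is intended, record the trade-off next to the list, e.g. `// Prefer PATH so user- and distro-installed xdg-open wrappers are honoured; fall back to known install prefixes.`, otherwise order the absolute entries before `"xdg-open"`. The `err == nil` test in the loop is also doing quiet security work: since Go 1.19 exec.LookPath returns exec.ErrDot for a PATH entry that resolves relative to the current directory, and this loop correctly skips such a match instead of executing it, which deserves `// err == nil also rejects exec.ErrDot matches (PATH entries relative to cwd)` so nobody later relaxes it to errors.Is(err, exec.ErrDot). The `"xdg-open not found"` error could name the locations searched to make support easier. openURL begins before this hunk and continues after it.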