
Security Issues: Command Execution Risks #61

@mingijunggrape

Description

package main

import (
	"fmt"
	"github.com/pkg/browser"
)

func main() {
	// Not a URL at all: the name of a program that exists on the host.
	url := "calc"
	// OpenURL hands the string to the platform launcher unchanged.
	err := browser.OpenURL(url)
	if err != nil {
		fmt.Println("Error opening URL:", err)
	} else {
		fmt.Println("URL opened successfully.")
	}
}

If a command is passed instead of a URL, the corresponding application will be executed. This means that the intended behavior of only opening a browser can be bypassed, and it could be used to run malicious code.

Therefore, you shouldn't simply use the received URL as-is; instead, you should pass the URL directly to the browser to ensure it is handled safely.

It seems that you need to structure the command like xdg-open [browser path] [URL] on Linux or start [browser path] [URL] on Windows.
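A caller-side mitigation for the behaviour described above, as an added example that is neither pkg/browser's code nor part of the original report: only absolute http or https URLs with a host are allowed through, and everything else (a bare program name such as "calc", a file: or javascript: URL, a scheme-relative "//host") is refused before any launcher sees it. The launcher is injected as a function so the example runs without the dependency; in a real program you would pass browser.OpenURL from github.com/pkg/browser, whose signature is func(string) error. The function names, the sample inputs and the fake launcher are all constructed for this example. This covers the "don't pass the received string as-is" point; how the library itself should invoke the browser (with an explicit browser path, as suggested above) is a separate change on the library side.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrNotWebURL is returned for any input that is not an absolute http(s) URL.
var ErrNotWebURL = errors.New("refusing to open: not an absolute http or https URL")

// ValidateBrowserURL (example helper, not a pkg/browser API) accepts only an
// absolute http or https URL with a non-empty host and returns the normalised
// string that may be handed to a browser launcher.
func ValidateBrowserURL(raw string) (string, error) {
	trimmed := strings.TrimSpace(raw)
	// Whitespace and control characters never belong in a URL and are the
	// usual way to smuggle extra arguments into a command line; reject early.
	for _, r := range trimmed {
		if r <= 0x20 || r == 0x7f {
			return "", ErrNotWebURL
		}
	}
	u, err := url.Parse(trimmed)
	if err != nil {
		return "", ErrNotWebURL
	}
	// url.Parse lowercases the scheme, so "HTTP://" is compared as "http".
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", ErrNotWebURL
	}
	// A bare name like "calc" parses as a path with no scheme or host;
	// "//example.com" has a host but no scheme. Both end up here.
	if u.Host == "" {
		return "", ErrNotWebURL
	}
	return u.String(), nil
}

// OpenWebURL validates first and only then calls the launcher. Pass
// browser.OpenURL as open in real code; here a fake launcher is injected.
func OpenWebURL(raw string, open func(string) error) error {
	safe, err := ValidateBrowserURL(raw)
	if err != nil {
		return err
	}
	return open(safe)
}

func main() {
	// Constructed sample inputs: the report's "calc" plus other non-web
	// strings, and two genuine web URLs.
	inputs := []string{
		"calc",
		"calc.exe",
		"file:///etc/passwd",
		"javascript:alert(1)",
		"//example.com",
		"https://example.com/path?q=1",
		"HTTP://example.com",
	}
	// Fake launcher: records what would have been executed instead of
	// actually opening anything.
	fakeOpen := func(u string) error {
		fmt.Println("launcher would receive:", u)
		return nil
	}
	for _, in := range inputs {
		if err := OpenWebURL(in, fakeOpen); err != nil {
			fmt.Printf("%-30q rejected: %v\n", in, err)
		}
	}
}
```

Running it prints the two web URLs as reaching the launcher and the other five inputs as rejected. The check is deliberately an allow-list on scheme and host rather than a deny-list of dangerous strings, since a deny-list cannot anticipate every program name present on the user's machine.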
