mikael-lovqvists-claude-agent/claude-code-conduit
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Validate URL protocol in open-browser action

Browse Source 
Parse the URL and reject anything that isn't http/https before passing
to xdg-open, blocking file://, javascript:// and other schemes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
mikael-lovqvists-claude-agent
2026-03-07 20:36:26 +00:00
parent b83ae686c4
commit 0568026e7c
1 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
server/actions.mjs
View File

@@ -48,8 +48,12 @@ export const actions = {
params: [{ name: "url", required: true, type: "string" }], params: [{ name: "url", required: true, type: "string" }],
policy: "queue", policy: "queue",
handler: async ({ url }) => { handler: async ({ url }) => {
await exec("xdg-open", [url]); const parsed = new URL(url);
return { opened: url }; if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
throw new Error(`Disallowed protocol: ${parsed.protocol}`);
}
await exec('xdg-open', [parsed.href]);
return { opened: parsed.href };
}, },
}, },