From 46086f8bdee8ec5b09dbee21e96cd0a012938313 Mon Sep 17 00:00:00 2001
From: Ishaan Gupta
Date: Sat, 7 Mar 2026 12:56:48 +0530
Subject: [PATCH] Fix command injection risk in openBrowser
---
 src/lib/auth.js | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/lib/auth.js b/src/lib/auth.js
index bc2168c..411ae03 100644
--- a/src/lib/auth.js
+++ b/src/lib/auth.js
@@ -49,6 +49,17 @@ function clearCredentials() {
 }

 function openBrowser(url) {
+ let parsedUrl;
+ try {
+ parsedUrl = new URL(url);
+ if (!['http:', 'https:'].includes(parsedUrl.protocol)) {
+ console.warn('Failed to open browser: Invalid URL protocol');
+ return;
+ }
+ } catch {
+ console.warn('Failed to open browser: Invalid URL');
+ return;
+ }
 const onError = (err) => {
 if (err) console.warn('Failed to open browser:', err.message);
 };
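Review bot: The scheme allow-list added at the top of openBrowser does not by itself close the command-injection risk named in the subject, because shell metacharacters such as `$`, `;`, `&` and `'` are legal inside an http(s) URL and `new URL()` accepts them. The hunk assigns `parsedUrl` but nothing visible reads it afterwards, and the rest of the function lies outside the hunk, so if the launch code still builds a shell command string from the raw `url`, that sink is unchanged. I would start the opener without a shell and pass the normalized value as a single argument, for example `execFile(opener, [parsedUrl.href], onError);`, where `opener` stands in for whatever launcher the function already picks. A short comment such as `// URL is passed as one argv element and never through a shell` would record why the call is shaped that way. If a Windows branch has to go through `cmd.exe`, it needs separate quoting care, since `cmd.exe` parses `&` even when Node spawns it without a shell.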