
Security Issues: Command Execution Risks

Open mingijunggrape opened this issue 5 months ago • 0 comments

```go
package main

import (
	"fmt"
	"github.com/pkg/browser"
)

func main() {
	url := "calc"
	err := browser.OpenURL(url)
	if err != nil {
		fmt.Println("Error opening URL:", err)
	} else {
		fmt.Println("URL opened successfully.")
	}
}
```

If a command is passed instead of a URL, the corresponding application will be executed. This means that the intended behavior of only opening a browser can be bypassed, and it could be used to run malicious code.

Therefore, you shouldn't simply use the received URL as-is; instead, you should pass the URL directly to the browser to ensure it is handled safely.

It seems that you need to structure the command like xdg-open [browser path] [URL] on Linux or start [browser path] [URL] on Windows.

mingijunggrape, Jul 04 '25 09:07
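A caller-side mitigation for the behaviour reported above, as an added example that is not part of the original issue or of the pkg/browser code: accept only absolute http/https URLs with a host before anything is handed to `browser.OpenURL`. `ValidateBrowserURL` is a hypothetical helper name, and the sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ValidateBrowserURL is a hypothetical helper (not part of pkg/browser).
// It returns the re-serialized URL only when raw is an absolute http(s)
// URL with a host, so bare words and paths such as "calc" are refused
// before they can reach the platform's opener.
func ValidateBrowserURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("not a URL: %w", err)
	}
	// Allowlist schemes; url.Parse lowercases the scheme for us.
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	// "http:calc" parses as an opaque URL with no host; refuse it.
	if u.Opaque != "" || u.Hostname() == "" {
		return "", errors.New("URL has no host")
	}
	// Credentials in the authority are a common spoofing vector.
	if u.User != nil {
		return "", errors.New("userinfo not allowed")
	}
	return u.String(), nil
}

func main() {
	// Constructed sample inputs, including the "calc" value from the issue.
	for _, in := range []string{
		"calc", `C:\Windows\System32\calc.exe`, "file:///tmp/report.html",
		"http:calc", "https://example.com/docs?q=1",
	} {
		if safe, err := ValidateBrowserURL(in); err != nil {
			fmt.Printf("reject %-32q %v\n", in, err)
		} else {
			// Only at this point would the caller invoke browser.OpenURL(safe).
			fmt.Printf("allow  %-32q -> %s\n", in, safe)
		}
	}
}
```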