git-watchtower 1.11.0 → 1.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/src/utils/browser.js +25 -2
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "git-watchtower",
3
- "version": "1.11.0",
3
+ "version": "1.11.1",
4
4
  "description": "Terminal-based Git branch monitor with activity sparklines and optional dev server with live reload",
5
5
  "main": "bin/git-watchtower.js",
6
6
  "bin": {
package/src/utils/browser.js CHANGED
@@ -5,6 +5,22 @@
5
5
 
6
6
  const { execFile } = require('child_process');
7
7
 
8
+ /**
9
+ * Validate that a string is a safe URL to pass to OS open commands.
10
+ * Rejects URLs containing shell metacharacters that could lead to
11
+ * command injection when passed through cmd.exe on Windows.
12
+ * @param {string} url
13
+ * @returns {boolean}
14
+ */
15
+ function isSafeUrl(url) {
16
+ if (!url || typeof url !== 'string') return false;
17
+ // Must start with http://, https://, or file://
18
+ if (!/^https?:\/\/|^file:\/\//i.test(url)) return false;
19
+ // Reject shell metacharacters that cmd.exe would interpret
20
+ if (/[&|<>^"!%]/.test(url)) return false;
21
+ return true;
22
+ }
23
+
8
24
  /**
9
25
  * Open a URL in the user's default browser.
10
26
  * Cross-platform: macOS (open), Windows (start), Linux (xdg-open).
@@ -13,6 +29,13 @@ const { execFile } = require('child_process');
13
29
  * @param {function} [onError] - Optional error callback (receives Error)
14
30
  */
15
31
  function openInBrowser(url, onError) {
32
+ if (!isSafeUrl(url)) {
33
+ if (onError) {
34
+ onError(new Error(`Refusing to open unsafe URL: ${url}`));
35
+ }
36
+ return;
37
+ }
38
+
16
39
  const platform = process.platform;
17
40
  let command;
18
41
  let args;
@@ -22,7 +45,7 @@ function openInBrowser(url, onError) {
22
45
  args = [url];
23
46
  } else if (platform === 'win32') {
24
47
  // On Windows, 'start' is a shell built-in, so we must use cmd.exe.
25
- // The URL is passed as a separate argument, not interpolated into a string.
48
+ // URL is validated above to reject shell metacharacters.
26
49
  command = 'cmd.exe';
27
50
  args = ['/c', 'start', '', url];
28
51
  } else {
@@ -37,4 +60,4 @@ function openInBrowser(url, onError) {
37
60
  });
38
61
  }
39
62
 
40
- module.exports = { openInBrowser };
63
+ module.exports = { openInBrowser, isSafeUrl };