validate rejects inputs that are unsafe to hand to the platform "open" helper (open, xdg-open, rundll32). Those helpers receive the URL as a positional argument, so a value beginning with "-" would be parsed as a command-line flag rather than a URL (argument injection). This matters now that URLs ca
(raw string)
| 53 | // "docker-desktop://" — since restricting to http(s) would defeat deep-link |
| 54 | // use cases. |
| 55 | func validate(raw string) error { |
| 56 | if raw == "" { |
| 57 | return errors.New("empty URL") |
| 58 | } |
| 59 | if strings.HasPrefix(raw, "-") { |
| 60 | return fmt.Errorf("refusing to open URL that looks like a command-line flag: %q", raw) |
| 61 | } |
| 62 | u, err := url.Parse(raw) |
| 63 | if err != nil { |
| 64 | return fmt.Errorf("invalid URL %q: %w", raw, err) |
| 65 | } |
| 66 | if u.Scheme == "" { |
| 67 | return fmt.Errorf("URL must include a scheme (e.g. https://): %q", raw) |
| 68 | } |
| 69 | return nil |
| 70 | } |