fix(desktop): allowlist URL schemes before shell.openExternal

apps/desktop/src/lib/trpc/routers/external/index.ts

@@ -9,6 +9,7 @@ import { TRPCError } from "@trpc/server";
 import { eq } from "drizzle-orm";
 import { clipboard, shell } from "electron";
 import { localDb } from "main/lib/local-db";
+import { externalUrlLogLabel, isSafeExternalUrl } from "main/lib/safe-url";
 import { z } from "zod";
 import { publicProcedure, router } from "../..";
 import { getWorkspace } from "../workspaces/utils/db-helpers";
@@ -93,12 +94,26 @@ async function openPathInApp(
 export const createExternalRouter = () => {
 	return router({
 		openUrl: publicProcedure.input(z.string()).mutation(async ({ input }) => {
+			if (!isSafeExternalUrl(input)) {
+				console.warn(
+					"[external/openUrl] Blocked unsafe URL scheme:",
+					externalUrlLogLabel(input),
+				);
+				throw new TRPCError({
+					code: "BAD_REQUEST",
+					message: "URL scheme not allowed",
+				});
+			}
 			try {
 				await shell.openExternal(input);
 			} catch (error) {
 				const errorMessage =
 					error instanceof Error ? error.message : "Unknown error";
-				console.error("[external/openUrl] Failed to open URL:", input, error);
+				console.error(
+					"[external/openUrl] Failed to open URL:",
+					externalUrlLogLabel(input),
+					error,
+				);
 				throw new TRPCError({
 					code: "INTERNAL_SERVER_ERROR",
 					message: errorMessage,

apps/desktop/src/main/lib/browser/browser-manager.ts

@@ -1,5 +1,6 @@
 import { EventEmitter } from "node:events";
-import { clipboard, Menu, shell, webContents } from "electron";
+import { clipboard, Menu, webContents } from "electron";
+import { safeOpenExternal } from "main/lib/safe-url";
 
 interface ConsoleEntry {
 	level: "log" | "warn" | "error" | "info" | "debug";
@@ -126,7 +127,9 @@ class BrowserManager extends EventEmitter {
 				menuItems.push(
 					{
 						label: "Open Link in Default Browser",
-						click: () => shell.openExternal(linkURL),
+						click: () => {
+							void safeOpenExternal(linkURL);
+						},
 					},
 					{
 						label: "Open Link as New Split",
@@ -194,7 +197,7 @@ class BrowserManager extends EventEmitter {
 						label: "Open Page in Default Browser",
 						click: () => {
 							if (pageURL && pageURL !== "about:blank") {
-								shell.openExternal(pageURL);
+								void safeOpenExternal(pageURL);
 							}
 						},
 						enabled: !!pageURL && pageURL !== "about:blank",

apps/desktop/src/main/lib/safe-url/index.ts

@@ -0,0 +1,5 @@
+export {
+	externalUrlLogLabel,
+	isSafeExternalUrl,
+	safeOpenExternal,
+} from "./safe-url";

apps/desktop/src/main/lib/safe-url/safe-url.test.ts

@@ -0,0 +1,46 @@
+import { describe, expect, it } from "bun:test";
+import { externalUrlLogLabel, isSafeExternalUrl } from "./safe-url";
+
+describe("isSafeExternalUrl", () => {
+	it("allows http, https, and mailto URLs", () => {
+		expect(isSafeExternalUrl("http://example.com")).toBe(true);
+		expect(isSafeExternalUrl("https://example.com/path?q=1")).toBe(true);
+		expect(isSafeExternalUrl("mailto:user@example.com")).toBe(true);
+		expect(isSafeExternalUrl("HTTPS://EXAMPLE.COM")).toBe(true);
+	});
+
+	it("blocks file, javascript, data, and custom-scheme URLs", () => {
+		expect(
+			isSafeExternalUrl("file:///System/Applications/Calculator.app"),
+		).toBe(false);
+		expect(isSafeExternalUrl("file:///etc/passwd")).toBe(false);
+		expect(isSafeExternalUrl("javascript:alert(1)")).toBe(false);
+		expect(isSafeExternalUrl("data:text/html,<script>alert(1)</script>")).toBe(
+			false,
+		);
+		expect(isSafeExternalUrl("vscode://open?url=evil")).toBe(false);
+		expect(isSafeExternalUrl("ssh://user@host")).toBe(false);
+		expect(isSafeExternalUrl("ftp://example.com")).toBe(false);
+	});
+
+	it("blocks malformed input", () => {
+		expect(isSafeExternalUrl("")).toBe(false);
+		expect(isSafeExternalUrl("not a url")).toBe(false);
+		expect(isSafeExternalUrl("/etc/passwd")).toBe(false);
+	});
+});
+
+describe("externalUrlLogLabel", () => {
+	it("returns only the scheme, never the full URL", () => {
+		expect(externalUrlLogLabel("https://example.com/path?token=secret")).toBe(
+			"https:",
+		);
+		expect(externalUrlLogLabel("file:///etc/passwd")).toBe("file:");
+		expect(externalUrlLogLabel("mailto:user@example.com")).toBe("mailto:");
+	});
+
+	it("returns sentinels for empty and malformed input", () => {
+		expect(externalUrlLogLabel("")).toBe("empty");
+		expect(externalUrlLogLabel("not a url")).toBe("malformed");
+	});
+});

apps/desktop/src/main/lib/safe-url/safe-url.ts

@@ -0,0 +1,53 @@
+import { shell } from "electron";
+
+/**
+ * Schemes safe to hand to Electron's `shell.openExternal`.
+ * Anything else (file:, javascript:, custom handlers, etc.) can execute
+ * binaries or scripts via the OS URL handler registry.
+ */
+const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
+
+export function isSafeExternalUrl(url: string): boolean {
+	if (typeof url !== "string" || url.length === 0) return false;
+	try {
+		return ALLOWED_SCHEMES.has(new URL(url).protocol);
+	} catch {
+		return false;
+	}
+}
+
+export function externalUrlLogLabel(url: string): string {
+	if (typeof url !== "string" || url.length === 0) return "empty";
+	try {
+		return new URL(url).protocol || "unknown:";
+	} catch {
+		return "malformed";
+	}
+}
+
+/**
+ * Wraps `shell.openExternal` with a scheme allowlist. Returns false and
+ * refuses to dispatch when the URL is not http(s)/mailto. Catches
+ * `shell.openExternal` rejections so callers can fire-and-forget without
+ * risking an unhandled rejection in the Electron main process.
+ */
+export async function safeOpenExternal(url: string): Promise<boolean> {
+	if (!isSafeExternalUrl(url)) {
+		console.warn(
+			"[safeOpenExternal] blocked unsafe URL scheme:",
+			externalUrlLogLabel(url),
+		);
+		return false;
+	}
+	try {
+		await shell.openExternal(url);
+		return true;
+	} catch (error) {
+		console.error(
+			"[safeOpenExternal] openExternal failed:",
+			externalUrlLogLabel(url),
+			error,
+		);
+		return false;
+	}
+}