Skip to content

fix: prevent RCE in openURLMiddleware via URL sanitization #2758

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Copilot wants to merge 9 commits into
base: main
Choose a base branch
from
Open

fix: prevent RCE in openURLMiddleware via URL sanitization #2758

Copilot wants to merge 9 commits into from

Conversation

Copy link

Copilot AI commented Jan 27, 2026
edited by huntie
Loading

Addresses CVE-2025-11953: URLs passed to the /open-url endpoint were forwarded directly to open(), enabling command injection on Windows via shell metacharacters.

Changes

  • Add strict-url-sanitise dependency for security-focused URL validation
  • Sanitize URLs before passing to open(), rejecting malformed or malicious input with HTTP 400
  • Add test coverage for known attack vectors

Test cases

'https://www.$(calc.exe).com/foo'  // Command substitution in hostname
'https://evil.com?|calc.exe'       // Windows pipe separator
'https://example.com/?a=%¾TA%'     // Env var exfiltration (%BETA%)
Original prompt

Reattempt #2735 using the strict-url-sanitise npm package. Parsing errors should be surfaced on the HTTP endpoint and fail.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 2 commits January 27, 2026 21:01
@huntie
fix: use strict-url-sanitise to prevent RCE vulnerability (CVE-2025-1…
353763c 
…1953)

Co-authored-by: huntie <2547783+huntie@users.noreply.github.com>
@huntie
refactor: cache sanitizeUrl to improve performance
5f5105b 
Co-authored-by: huntie <2547783+huntie@users.noreply.github.com>
Copilot AI changed the title [WIP] Reattempt URL sanitisation using strict-url-sanitise package fix: use strict-url-sanitise to prevent RCE in openURLMiddleware Jan 27, 2026
Copilot AI requested a review from huntie January 27, 2026 21:06
Copilot AI and others added 2 commits January 27, 2026 21:11
@huntie
simplify: use "Invalid URL" error message, remove strict-url-sanitise…
f8a1ff0 
… mock

Co-authored-by: huntie <2547783+huntie@users.noreply.github.com>
@huntie
style: replace it() with test() in openURLMiddleware tests
08bba3f 
Co-authored-by: huntie <2547783+huntie@users.noreply.github.com>
Copilot AI changed the title fix: use strict-url-sanitise to prevent RCE in openURLMiddleware fix: prevent RCE via URL sanitization in openURLMiddleware Jan 27, 2026
@huntie
refactor: use ordinary import for strict-url-sanitise
a340aff 
Co-authored-by: huntie <2547783+huntie@users.noreply.github.com>
Copilot AI changed the title fix: prevent RCE via URL sanitization in openURLMiddleware fix: prevent RCE in openURLMiddleware using strict-url-sanitise Jan 27, 2026
@huntie
refactor: remove named export of openURLMiddleware, test default export
9cdcd7a 
Co-authored-by: huntie <2547783+huntie@users.noreply.github.com>
Copilot AI changed the title fix: prevent RCE in openURLMiddleware using strict-url-sanitise fix: prevent RCE in openURLMiddleware via URL sanitization Jan 27, 2026
@huntie
test: add CVE-2025-11953 test cases for Windows pipe and command exfi…
32fdc76 
…ltration

Co-authored-by: huntie <2547783+huntie@users.noreply.github.com>
Copilot AI changed the title fix: prevent RCE in openURLMiddleware via URL sanitization fix: prevent RCE in openURLMiddleware via strict URL sanitization Jan 27, 2026
@huntie
test: add CVE-2025-11953 comment above second test case
d4f2711 
Co-authored-by: huntie <2547783+huntie@users.noreply.github.com>
Copilot AI changed the title fix: prevent RCE in openURLMiddleware via strict URL sanitization fix: prevent RCE in openURLMiddleware via URL sanitization Jan 27, 2026
@huntie huntie mentioned this pull request Jan 27, 2026
Open
@huntie huntie marked this pull request as ready for review January 27, 2026 22:05
@huntie huntie requested a review from thymikee as a code owner January 27, 2026 22:05
@huntie
Copy link
Collaborator

huntie commented Jan 27, 2026
edited
Loading

@thymikee Ready for review. This is a heavily steered Copilot diff!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@huntie huntie Awaiting requested review from huntie

@thymikee thymikee Awaiting requested review from thymikee thymikee is a code owner

Assignees

@huntie huntie

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@huntie