Skip to content

API: /open-uri passes an unvalidated URI to xdg-open, bypassing the guard /open-path enforces #37

Description

@I4cTime

Summary

/open-path validates its input via validate_user_path (restricting to user-writable roots), but the adjacent /open-uri hands a bare string straight to xdg-open, defeating that restriction.

Location

src/game_setup_hub/api/routes/utility.py:257-267; OpenUriRequest.uri (_models.py:217-218) is an unvalidated str.

Evidence

@router.post("/open-uri")
async def open_uri(body: OpenUriRequest) -> StatusResponse:
    subprocess.Popen(["xdg-open", body.uri], start_new_session=True)

Failure scenario

A caller holding the token POSTs {"uri":"file:///home/user/.ssh/"} (or an arbitrary registered-scheme URI) -> xdg-open launches the associated handler on a target /open-path would have rejected.

Fix

Validate the scheme against an allowlist (e.g. steam:, https:) and reject file://, or route file targets through validate_user_path.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area: backendPython backend / APIbugSomething isn't workingsecuritySecurity hardening or vulnerabilityseverity: mediumMedium severity

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions