ContextualWisdomLab · seonghobae · Jun 10, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-24 - Command Injection via Unsanitized URL
+ **Vulnerability:** Unsanitized URL was passed directly to the `child_process.exec()` function in `packages/cli/src/lib/auth-flow.ts`, opening the application up to potential command injection.
+ **Learning:** Never pass unsanitized user inputs to functions that execute shell commands like `exec`. Using `child_process.execFile` or dedicated packages like `open` is safer.
+ **Prevention:** Use secure alternatives for launching files or URLs. In this case, use the `open` library, which safely opens files or URLs using the operating system's default applications.
diff --git a/packages/cli/package.json b/packages/cli/package.json
@@ -23,6 +23,7 @@
     "@inquirer/prompts": "^7",
     "chalk": "^5",
     "commander": "^12",
+    "open": "^11.0.0",
     "ora": "^8"
   },
   "devDependencies": {

diff --git a/packages/cli/src/lib/auth-flow.ts b/packages/cli/src/lib/auth-flow.ts
@@ -1,15 +1,11 @@
-import { exec } from 'child_process'
+import open from 'open'
 import chalk from 'chalk'
 import ora from 'ora'
 import type { User, LoginResponse } from '@argos/shared'
 import { apiRequest } from './api-client.js'
 
 function openBrowser(url: string): void {
-  const cmd =
-    process.platform === 'darwin' ? 'open' :
-    process.platform === 'win32' ? 'start ""' :
-    'xdg-open'
-  exec(`${cmd} "${url}"`)
+  open(url).catch(() => {})
 }
 
 /**

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml