replit / desktop

Replit Desktop App

Validate external URLs are http(s) before opening externally #150

Closed sergeichestakov closed 7 months ago

sergeichestakov commented 7 months ago

Why

See H1 Report. We should validate that any externally opened URLs are http/https since otherwise a malicious or malformed URL could open another app on the user's machine with that protocol registered, which may cause unwanted code to be executed.

Fixes WS-2623

What changed

Validate external URLs are http(s) before opening externally

Test plan

linear[bot] commented 7 months ago
WS-2623 Validate URLs before opening

See Hacker One [report](https://hackerone.com/reports/2355382) and relevant [guide](https://shabarkin.medium.com/1-click-rce-in-electron-applications-79b52e1fe8b8). We should not open links that are not https and should add some extra validation here on the protocol handler side.