Bug Report
Description: packages/opencode/src/cli/cmd/github.ts:330-337 uses exec() with string interpolation to open URLs in the browser. Since exec() spawns a shell, any shell metacharacters in the URL would be interpreted, enabling OS command injection.
CWE: CWE-78
Severity: Medium (currently hardcoded URL, but pattern is unsafe if URL becomes dynamic)
Reproduction: See POC test in PR