Address code review feedback - improve security validations

Co-authored-by: Kvarkas <3611964+Kvarkas@users.noreply.github.com>
2026-02-26 12:08:37 +08:00 · 2025-12-08 13:08:50 +00:00
parent 843243c75e
commit 208ce663b2
3 changed files with 23 additions and 7 deletions
--- a/mRemoteNG/Connection/Protocol/AnyDesk/ProtocolAnyDesk.cs
+++ b/mRemoteNG/Connection/Protocol/AnyDesk/ProtocolAnyDesk.cs
@@ -221,7 +221,7 @@ namespace mRemoteNG.Connection.Protocol.AnyDesk
                    return false;
                }
                
-                string arguments = $"{anydeskId}";
+                string arguments = anydeskId;

                // Add --with-password flag if password is provided
                bool hasPassword = !string.IsNullOrEmpty(_connectionInfo.Password);
--- a/mRemoteNG/UI/Forms/FrmAbout.cs
+++ b/mRemoteNG/UI/Forms/FrmAbout.cs
@@ -1,6 +1,8 @@
 using System.Diagnostics;
 using System.Windows.Forms;
+using mRemoteNG.App;
 using mRemoteNG.App.Info;
+using mRemoteNG.Messages;
 using mRemoteNG.Themes;
 using mRemoteNG.Resources.Language;
 using System.Reflection;
@@ -77,6 +79,19 @@ namespace mRemoteNG.UI.Forms

        private void OpenUrl(string url)
        {
+            // Validate URL format to prevent injection
+            if (string.IsNullOrWhiteSpace(url))
+                return;
+            
+            // Basic URL validation - ensure it starts with http:// or https://
+            if (!url.StartsWith("http://", StringComparison.OrdinalIgnoreCase) &&
+                !url.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
+            {
+                Runtime.MessageCollector?.AddMessage(MessageClass.WarningMsg,
+                    $"Invalid URL format: {url}", true);
+                return;
+            }
+            
            try
            {
                // Try to open URL with UseShellExecute
@@ -92,15 +107,15 @@ namespace mRemoteNG.UI.Forms
                // hack because of this: https://github.com/dotnet/corefx/issues/10361
                if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
                {
-                    // Use ArgumentList for better security instead of string concatenation
+                    // Use rundll32 with url.dll,FileProtocolHandler as a safer alternative to cmd /c start
+                    // This is the recommended Windows approach for opening URLs
                    var startInfo = new ProcessStartInfo
                    {
-                        FileName = "cmd",
+                        FileName = "rundll32.exe",
                        UseShellExecute = false,
                        CreateNoWindow = true
                    };
-                    startInfo.ArgumentList.Add("/c");
-                    startInfo.ArgumentList.Add("start");
+                    startInfo.ArgumentList.Add("url.dll,FileProtocolHandler");
                    startInfo.ArgumentList.Add(url);
                    Process.Start(startInfo);
                }
--- a/mRemoteNG/UI/Forms/OptionsPages/NotificationsPage.cs
+++ b/mRemoteNG/UI/Forms/OptionsPages/NotificationsPage.cs
@@ -407,13 +407,14 @@ namespace mRemoteNG.UI.Forms.OptionsPages
                
                // when all fails open filelocation to logfile...
                // Open Windows Explorer to the directory containing the file
-                // Use ArgumentList for better security
+                // Use ArgumentList for better security with separate arguments
                var startInfo = new ProcessStartInfo
                {
                    FileName = "explorer.exe",
                    UseShellExecute = false
                };
-                startInfo.ArgumentList.Add("/select," + path);
+                startInfo.ArgumentList.Add("/select,");
+                startInfo.ArgumentList.Add(path);
                Process.Start(startInfo);
            return true;
        }