{Core} Fix potential command injection (#32885)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: necusjz

src/azure-cli-core/azure/cli/core/tests/test_util.py

@@ -154,10 +154,10 @@ def test_proxy_resource_parse(self):
     @mock.patch('subprocess.Popen', autospec=True)
     def test_open_page_in_browser(self, subprocess_open_mock, webbrowser_open_mock):
         platform = sys.platform.lower()
-        open_page_in_browser('http://foo')
+        open_page_in_browser("http://foo")
         if is_wsl():
             subprocess_open_mock.assert_called_once_with(['powershell.exe', '-NoProfile',
-                                                          '-Command', 'Start-Process "http://foo"'])
+                                                          '-Command', "Start-Process 'http://foo'"])
         elif platform == 'darwin':
             subprocess_open_mock.assert_called_once_with(['open', 'http://foo'])
         else:

src/azure-cli-core/azure/cli/core/util.py

@@ -803,8 +803,9 @@ def open_page_in_browser(url):
         try:
             # https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe
             # Ampersand (&) should be quoted
+            safe_url = url.replace("'", "''")
             return subprocess.Popen(
-                ['powershell.exe', '-NoProfile', '-Command', 'Start-Process "{}"'.format(url)]).wait()
+                ['powershell.exe', '-NoProfile', '-Command', f"Start-Process '{safe_url}'"]).wait()
         except OSError:  # WSL might be too old  # FileNotFoundError introduced in Python 3
             pass
     elif platform_name == 'darwin':