Validation.

localden · localden · commit 5f15bced947b · 2025-05-03T14:42:05.000-07:00
diff --git a/src/ModelContextProtocol/Auth/AuthorizationConfigExtensions.cs b/src/ModelContextProtocol/Auth/AuthorizationConfigExtensions.cs
@@ -60,11 +60,19 @@ public static AuthorizationConfig UseHttpListener(
     
     /// <summary>
     /// Default implementation to open a URL in the default browser.
+    /// Only allows http and https URLs to be opened for security reasons.
     /// </summary>
     private static Task DefaultOpenBrowser(string url)
     {
         try
         {
+            // Validate that the URL is using http or https protocol
+            if (!Uri.TryCreate(url, UriKind.Absolute, out var uri) || 
+                (uri.Scheme != "http" && uri.Scheme != "https"))
+            {
+                return Task.FromException(new ArgumentException("Only HTTP or HTTPS URLs can be opened.", nameof(url)));
+            }
+
             if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
             {
                 // On Windows, use the built-in Process.Start for URLs

Original file line number	Diff line number	Diff line change
`@@ -60,11 +60,19 @@ public static AuthorizationConfig UseHttpListener(`
`60`	`60`
`61`	`61`	`/// <summary>`
`62`	`62`	`/// Default implementation to open a URL in the default browser.`
	`63`	`+ /// Only allows http and https URLs to be opened for security reasons.`
`63`	`64`	`/// </summary>`
`64`	`65`	`private static Task DefaultOpenBrowser(string url)`
`65`	`66`	`{`
`66`	`67`	`try`
`67`	`68`	`{`
	`69`	`+ // Validate that the URL is using http or https protocol`
	`70`	`+ if (!Uri.TryCreate(url, UriKind.Absolute, out var uri) \|\|`
	`71`	`+ (uri.Scheme != "http" && uri.Scheme != "https"))`
	`72`	`+ {`
	`73`	`+ return Task.FromException(new ArgumentException("Only HTTP or HTTPS URLs can be opened.", nameof(url)));`
	`74`	`+ }`
	`75`	`+`
`68`	`76`	`if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))`
`69`	`77`	`{`
`70`	`78`	`// On Windows, use the built-in Process.Start for URLs`