Merge pull request #75 from atilsensalduz/sec/CWE-78

Fix security vulnerabilities flagged by gosec scanner

Author: canack

internal/config/config.go

@@ -2,11 +2,12 @@ package config
 
 import (
 	"fmt"
-	"github.com/spf13/viper"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
+
+	"github.com/spf13/viper"
 )
 
 type Config struct {
@@ -46,7 +47,9 @@ func LoadConfig() (*Config, error) {
 	setConfig()
 
 	viper.SetEnvKeyReplacer(strings.NewReplacer(`.`, `_`))
-	viper.BindEnv("github.token", "GITHUB_TOKEN")
+	if err := viper.BindEnv("github.token", "GITHUB_TOKEN"); err != nil {
+		return nil, fmt.Errorf("failed to bind environment variable: %w", err)
+	}
 	viper.AutomaticEnv()
 
 	// Read the config file first

pkg/browser/browser.go

@@ -1,24 +1,34 @@
 package browser
 
 import (
+	"errors"
+	"net/url"
 	"os/exec"
 	"runtime"
 )
 
-func OpenInBrowser(url string) error {
+func OpenInBrowser(rawURL string) error {
+	// Validate the URL to prevent command injection
+	parsedURL, err := url.Parse(rawURL)
+	if err != nil || parsedURL.Scheme == "" || parsedURL.Host == "" {
+		return errors.New("invalid URL")
+	}
+
 	var cmd string
 	var args []string
 
 	switch runtime.GOOS {
 	case "windows":
 		cmd = "cmd"
-		args = []string{"/c", "start"}
+		args = []string{"/c", "start", parsedURL.String()}
 	case "darwin":
 		cmd = "open"
+		args = []string{parsedURL.String()}
 	default: // "linux", "freebsd", "openbsd", "netbsd"
 		cmd = "xdg-open"
+		args = []string{parsedURL.String()}
 	}
-	args = append(args, url)
-
+	
+	// #nosec G204 - URL is validated above and is safe to use
 	return exec.Command(cmd, args...).Start()
 }