CLI: Use stderr and open browser properly

Also double check scheme such that no malicious schemes are passed such as network drives
author: jwijenbergh <jeroenwijenbergh@protonmail.com> 2023-01-31 09:38:40 +0100
committer: jwijenbergh <jeroenwijenbergh@protonmail.com> 2023-01-31 09:40:15 +0100
commit: 574fcd6f2f86f1f9381984c974589b75b7e5e309 (patch)
tree: 0bb0b2faa4fc438bb81a04af1b59ef6fd14224fc
parent: d9a874765ce847e93223bc31e2efc9166312e11a (diff)
3 files changed, 30 insertions, 11 deletions
diff --git a/cmd/cli/main.go b/cmd/cli/main.go
index 599cd20..c1294ed 100644
--- a/cmd/cli/main.go
+++ b/cmd/cli/main.go
@@ -3,13 +3,16 @@ package main
 import (
 	"flag"
 	"fmt"
-	"os/exec"
+	"net/url"
+	"os"
 	"strings"
 
 	"github.com/eduvpn/eduvpn-common/client"
 	"github.com/eduvpn/eduvpn-common/internal/oauth"
 	"github.com/eduvpn/eduvpn-common/internal/server"
 	"github.com/go-errors/errors"
+
+	"github.com/pkg/browser"
 )
 
 type ServerTypes int8
@@ -21,16 +24,28 @@ const (
 )
 
 // Open a browser with xdg-open.
-func openBrowser(url interface{}) {
-	str, ok := url.(string)
+func openBrowser(data interface{}) {
+	str, ok := data.(string)
 	if !ok {
 		return
 	}
+	// double check URL scheme
+	u, err := url.Parse(str)
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "failed parsing url", err)
+		return
+	}
+	// Double check the scheme
+	if u.Scheme != "https" {
+		fmt.Fprintln(os.Stderr, "got invalid scheme for URL:", u.String())
+		return
+	}
 	fmt.Printf("OAuth: Initialized with AuthURL %s\n", str)
-	fmt.Println("OAuth: Opening browser with xdg-open...")
-	if exec.Command("xdg-open", str).Start() != nil {
-		// TODO(): Shouldn't this if statement be inverted?
-		fmt.Println("OAuth: Browser opened with xdg-open...")
+	fmt.Println("Opening browser...")
+	err = browser.OpenURL(str)
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "failed to open browser with error:", err)
+		fmt.Println("Please open your browser manually")
 	}
 }
 
@@ -39,7 +54,7 @@ func sendProfile(state *client.Client, data interface{}) {
 	fmt.Printf("Multiple VPN profiles found. Please select a profile by entering e.g. 1")
 	sps, ok := data.(*server.ProfileInfo)
 	if !ok {
-		fmt.Println("Invalid data type")
+		fmt.Fprintln(os.Stderr, "invalid data type")
 		return
 	}
 
@@ -54,7 +69,7 @@ func sendProfile(state *client.Client, data interface{}) {
 	var idx int
 	if _, err := fmt.Scanf("%d", &idx); err != nil || idx <= 0 ||
 		idx > len(sps.Info.ProfileList) {
-		fmt.Println("invalid profile chosen, please retry")
+		fmt.Fprintln(os.Stderr, "invalid profile chosen, please retry")
 		sendProfile(state, data)
 		return
 	}
@@ -62,7 +77,7 @@ func sendProfile(state *client.Client, data interface{}) {
 	p := sps.Info.ProfileList[idx-1]
 	fmt.Println("Sending profile ID", p.ID)
 	if err := state.SetProfileID(p.ID); err != nil {
-		fmt.Println("Failed setting profile with error", err)
+		fmt.Fprintln(os.Stderr, "failed setting profile with error", err)
 	}
 }
 
@@ -131,7 +146,7 @@ func printConfig(url string, srvType ServerTypes) {
 	if err != nil {
 		err1 := err.(*errors.Error)
 		// Show the usage of tracebacks and causes
-		fmt.Printf("Error getting config: %s\nCause:\n%s\nStack trace:\n%s\n\n'",
+		fmt.Fprintf(os.Stderr, "Error getting config: %s\nCause:\n%s\nStack trace:\n%s\n\n'",
 			err1.Error(), err1.Err, err1.ErrorStack())
 		return
 	}
diff --git a/go.mod b/go.mod
index ffb4801..c7c1859 100644
--- a/go.mod
+++ b/go.mod
@@ -4,6 +4,7 @@ go 1.18
 
 require (
 	github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b
+	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20220916014741-473347a5e6e3
 )
 
diff --git a/go.sum b/go.sum
index 7200b55..a518217 100644
--- a/go.sum
+++ b/go.sum
@@ -3,10 +3,13 @@ github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3Bop
 github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
 github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b h1:ZGiXF8sz7PDk6RgkP+A/SFfUD0ZR/AgG6SpRNEDKZy8=
 github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b/go.mod h1:hQmNrgofl+IY/8L+n20H6E6PWBBTokdsv+q49j0QhsU=
+github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
+github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
 golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0 h1:a5Yg6ylndHHYJqIPrdq0AhvR6KTvDTAvgBtaidhEevY=
 golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/net v0.0.0-20220418201149-a630d4f3e7a2 h1:6mzvA99KwZxbOrxww4EvWVQUnN1+xEu9tafK5ZxkYeA=
 golang.org/x/net v0.0.0-20220418201149-a630d4f3e7a2/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8 h1:h+EGohizhe9XlX18rfpa8k8RAc5XyaeamM+0VHRd4lc=
 golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20220916014741-473347a5e6e3 h1:ARxNdT6I+00ZyY5yRT/ZECkQti4iGrMZX9dvG/ao/LY=
author	jwijenbergh <jeroenwijenbergh@protonmail.com>	2023-01-31 09:38:40 +0100
committer	jwijenbergh <jeroenwijenbergh@protonmail.com>	2023-01-31 09:40:15 +0100
commit	574fcd6f2f86f1f9381984c974589b75b7e5e309 (patch)
tree	0bb0b2faa4fc438bb81a04af1b59ef6fd14224fc
parent	d9a874765ce847e93223bc31e2efc9166312e11a (diff)