mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-17 23:29:01 +02:00
Make the http/https scheme allowlist structurally enforced instead of a convention. Move the allowlist check + shell.openExternal call into a single openExternalSafely wrapper in external-url.ts, have both main-process call sites (the IPC handler and setWindowOpenHandler) go through it, and add an ESLint no-restricted-syntax rule that bans direct shell.openExternal usage anywhere under apps/desktop/src/main/ except external-url.ts itself. This is the follow-up to #1124: same safety guarantee, but a reviewer can no longer accidentally reintroduce a bare shell.openExternal somewhere that bypasses the check — the lint rule catches it at CI time. Also restores the scheme info in the warn log (lost when the helper was extracted). Test coverage extended to the cases the original PR review flagged but didn't ship: casing (FILE:// / HTTPS://), javascript: / data:, ftp / smb, vscode:// / ms-msdt:, mailto / tel, credentials-in-URL, empty / malformed. Added two openExternalSafely tests (electron mocked) confirming allowed URLs forward and rejected URLs do not. Closes a follow-up bullet from the internal #1115 / #1124 review.