Create MultiLinks using clipboard contents/then turn bundle into quicklink w/2 clicks.#27284
Open
chucktaylor2024 wants to merge 3 commits intoraycast:mainfrom
Open
Create MultiLinks using clipboard contents/then turn bundle into quicklink w/2 clicks.#27284chucktaylor2024 wants to merge 3 commits intoraycast:mainfrom
chucktaylor2024 wants to merge 3 commits intoraycast:mainfrom
Conversation
raycastbot
added
new extension
Collaborator
|
Congratulations on your new Raycast extension! 🚀 We're currently experiencing a high volume of incoming requests. As a result, the initial review may take up to 10-15 business days. Once the PR is approved and merged, the extension will be available on our Store. |
chucktaylor2024
changed the title
chucktaylor2024
changed the title
Contributor
Greptile SummaryThis is a new extension that creates named groups of URLs from clipboard history and opens them all at once, with optional browser selection and Quicklink support. The core workflow is clean, but there is a shell injection vulnerability that must be fixed before merging.
Confidence Score: 2/5Not safe to merge — shell injection vulnerability requires a fix before this can be published A P0 shell injection issue affects two files and poses a real security risk to users. A P1 deeplink correctness issue and a missing metadata folder also need to be addressed before store publishing. src/open-group.tsx and src/list-groups.tsx both require switching from exec to execFile; a metadata/ folder with store screenshots needs to be added
|
| Filename | Overview |
|---|---|
| extensions/fast-multilinks/src/open-group.tsx | No-view command that opens group URLs via shell exec — has a shell injection vulnerability from unescaped URL/browser arguments passed to execAsync |
| extensions/fast-multilinks/src/list-groups.tsx | Main view for managing groups — same shell injection issue in openURL helper, plus hardcoded author slug in deeplink construction |
| extensions/fast-multilinks/src/create-group-from-clipboard.tsx | Clipboard-based group creation flow; contains the same hardcoded author slug in deeplink but no direct shell execution |
| extensions/fast-multilinks/package.json | Extension manifest with correct structure; @raycast/utils is listed as a dependency but never imported in source |
| extensions/fast-multilinks/eslint.config.js | Standard ESLint v9 flat config using defineConfig from eslint/config with @raycast/eslint-config — correct pattern |
| extensions/fast-multilinks/CHANGELOG.md | Initial changelog with correct {PR_MERGE_DATE} placeholder |
Prompt To Fix All With AI
This is a comment left during a code review.
Path: extensions/fast-multilinks/src/open-group.tsx
Line: 45-51
Comment:
**Shell injection via unescaped URL/browser arguments**
`execAsync` runs through `/bin/sh`, so any clipboard-sourced URL containing shell metacharacters (e.g. `https://evil.com" && rm -rf ~/Documents && echo "`) will be interpreted by the shell. An attacker who controls the clipboard (e.g. via a web page with clipboard API access) can execute arbitrary commands. Replace `exec` with `execFile` which spawns the process directly without a shell:
```typescript
import { execFile } from "child_process";
import { promisify } from "util";
const execFileAsync = promisify(execFile);
// with browser:
await execFileAsync("open", ["-a", group.browser, url]);
// without browser:
await execFileAsync("open", [url]);
```
The same issue exists in `list-groups.tsx`'s `openURL` helper (lines 35–41).
How can I resolve this? If you propose a fix, please make it concise.
---
This is a comment left during a code review.
Path: extensions/fast-multilinks/src/list-groups.tsx
Line: 35-41
Comment:
**Shell injection via unescaped URL/browser arguments**
Same issue as `open-group.tsx`: both `url` and `browserName` are interpolated into a shell string without escaping. Although `browserName` is constrained to dropdown values at entry time, the values are persisted to and read from `LocalStorage` as plain strings, so they are still attacker-influenced. Use `execFile` to avoid the shell entirely:
```typescript
import { execFile } from "child_process";
import { promisify } from "util";
const execFileAsync = promisify(execFile);
const openURL = async (url: string, browserName?: string) => {
if (browserName) {
await execFileAsync("open", ["-a", browserName, url]);
} else {
await execFileAsync("open", [url]);
}
};
```
How can I resolve this? If you propose a fix, please make it concise.
---
This is a comment left during a code review.
Path: extensions/fast-multilinks/src/list-groups.tsx
Line: 106
Comment:
**Hardcoded author slug in deeplink may not match published extension**
The deeplink hardcodes `Chucktaylor` as the author slug. Raycast typically normalises author identifiers to lowercase when resolving extension deep-links, so `raycast://extensions/Chucktaylor/...` may silently fail to open the `open-group` command after publishing. The same pattern appears in `create-group-from-clipboard.tsx` line 119. Verify the exact author slug used by Raycast for this extension (usually the lowercased `author` field) and update both files accordingly.
How can I resolve this? If you propose a fix, please make it concise.
---
This is a comment left during a code review.
Path: extensions/fast-multilinks/package.json
Line: 44-46
Comment:
**Unused `@raycast/utils` dependency**
`@raycast/utils` is listed as a runtime dependency but is never imported in any file under `src/`. Remove it to avoid unnecessary bundle bloat.
```suggestion
"dependencies": {
"@raycast/api": "^1.104.12"
},
```
**Rule Used:** What: Every dependency listed in package.json must... ([source](https://app.greptile.com/review/custom-context?memory=bffc60eb-f9f2-4219-b804-76e29e267d43))
How can I resolve this? If you propose a fix, please make it concise.Reviews (1): Last reviewed commit: "Initial commit: Fast MultiLinks extensio..." | Re-trigger Greptile
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Comment on lines
+45
to
+51
| for (const url of group.urls) { | ||
| if (group.browser) { | ||
| await execAsync(`open -a "${group.browser}" "${url}"`); | ||
| } else { | ||
| await execAsync(`open "${url}"`); | ||
| } | ||
| } |
Contributor
There was a problem hiding this comment.
execAsync runs through /bin/sh, so any clipboard-sourced URL containing shell metacharacters (e.g. https://evil.com" && rm -rf ~/Documents && echo ") will be interpreted by the shell. An attacker who controls the clipboard (e.g. via a web page with clipboard API access) can execute arbitrary commands. Replace exec with execFile which spawns the process directly without a shell:
import { execFile } from "child_process";
import { promisify } from "util";
const execFileAsync = promisify(execFile);
// with browser:
await execFileAsync("open", ["-a", group.browser, url]);
// without browser:
await execFileAsync("open", [url]);The same issue exists in list-groups.tsx's openURL helper (lines 35–41).
Prompt To Fix With AI
This is a comment left during a code review.
Path: extensions/fast-multilinks/src/open-group.tsx
Line: 45-51
Comment:
**Shell injection via unescaped URL/browser arguments**
`execAsync` runs through `/bin/sh`, so any clipboard-sourced URL containing shell metacharacters (e.g. `https://evil.com" && rm -rf ~/Documents && echo "`) will be interpreted by the shell. An attacker who controls the clipboard (e.g. via a web page with clipboard API access) can execute arbitrary commands. Replace `exec` with `execFile` which spawns the process directly without a shell:
```typescript
import { execFile } from "child_process";
import { promisify } from "util";
const execFileAsync = promisify(execFile);
// with browser:
await execFileAsync("open", ["-a", group.browser, url]);
// without browser:
await execFileAsync("open", [url]);
```
The same issue exists in `list-groups.tsx`'s `openURL` helper (lines 35–41).
How can I resolve this? If you propose a fix, please make it concise.
Comment on lines
+35
to
+41
| const openURL = async (url: string, browserName?: string) => { | ||
| if (browserName) { | ||
| await execAsync(`open -a "${browserName}" "${url}"`); | ||
| } else { | ||
| await execAsync(`open "${url}"`); | ||
| } | ||
| }; |
Contributor
There was a problem hiding this comment.
Same issue as open-group.tsx: both url and browserName are interpolated into a shell string without escaping. Although browserName is constrained to dropdown values at entry time, the values are persisted to and read from LocalStorage as plain strings, so they are still attacker-influenced. Use execFile to avoid the shell entirely:
import { execFile } from "child_process";
import { promisify } from "util";
const execFileAsync = promisify(execFile);
const openURL = async (url: string, browserName?: string) => {
if (browserName) {
await execFileAsync("open", ["-a", browserName, url]);
} else {
await execFileAsync("open", [url]);
}
};Prompt To Fix With AI
This is a comment left during a code review.
Path: extensions/fast-multilinks/src/list-groups.tsx
Line: 35-41
Comment:
**Shell injection via unescaped URL/browser arguments**
Same issue as `open-group.tsx`: both `url` and `browserName` are interpolated into a shell string without escaping. Although `browserName` is constrained to dropdown values at entry time, the values are persisted to and read from `LocalStorage` as plain strings, so they are still attacker-influenced. Use `execFile` to avoid the shell entirely:
```typescript
import { execFile } from "child_process";
import { promisify } from "util";
const execFileAsync = promisify(execFile);
const openURL = async (url: string, browserName?: string) => {
if (browserName) {
await execFileAsync("open", ["-a", browserName, url]);
} else {
await execFileAsync("open", [url]);
}
};
```
How can I resolve this? If you propose a fix, please make it concise.| }; | ||
|
|
||
| if (newlyCreatedGroup) { | ||
| const deeplink = `raycast://extensions/Chucktaylor/fast-multilinks/open-group?arguments=${encodeURIComponent(JSON.stringify({ groupName: newlyCreatedGroup.name }))}`; |
Contributor
There was a problem hiding this comment.
The deeplink hardcodes Chucktaylor as the author slug. Raycast typically normalises author identifiers to lowercase when resolving extension deep-links, so raycast://extensions/Chucktaylor/... may silently fail to open the open-group command after publishing. The same pattern appears in create-group-from-clipboard.tsx line 119. Verify the exact author slug used by Raycast for this extension (usually the lowercased author field) and update both files accordingly.
Prompt To Fix With AI
This is a comment left during a code review.
Path: extensions/fast-multilinks/src/list-groups.tsx
Line: 106
Comment:
**Hardcoded author slug in deeplink may not match published extension**
The deeplink hardcodes `Chucktaylor` as the author slug. Raycast typically normalises author identifiers to lowercase when resolving extension deep-links, so `raycast://extensions/Chucktaylor/...` may silently fail to open the `open-group` command after publishing. The same pattern appears in `create-group-from-clipboard.tsx` line 119. Verify the exact author slug used by Raycast for this extension (usually the lowercased `author` field) and update both files accordingly.
How can I resolve this? If you propose a fix, please make it concise.
Comment on lines
+44
to
+46
| "@raycast/api": "^1.104.12", | ||
| "@raycast/utils": "^1.19.1" | ||
| }, |
Contributor
There was a problem hiding this comment.
@raycast/utils dependency
@raycast/utils is listed as a runtime dependency but is never imported in any file under src/. Remove it to avoid unnecessary bundle bloat.
Suggested change
| "@raycast/api": "^1.104.12", | |
| "@raycast/utils": "^1.19.1" | |
| }, | |
| "dependencies": { | |
| "@raycast/api": "^1.104.12" | |
| }, |
Rule Used: What: Every dependency listed in package.json must... (source)
Prompt To Fix With AI
This is a comment left during a code review.
Path: extensions/fast-multilinks/package.json
Line: 44-46
Comment:
**Unused `@raycast/utils` dependency**
`@raycast/utils` is listed as a runtime dependency but is never imported in any file under `src/`. Remove it to avoid unnecessary bundle bloat.
```suggestion
"dependencies": {
"@raycast/api": "^1.104.12"
},
```
**Rule Used:** What: Every dependency listed in package.json must... ([source](https://app.greptile.com/review/custom-context?memory=bffc60eb-f9f2-4219-b804-76e29e267d43))
How can I resolve this? If you propose a fix, please make it concise.- Resize screenshots to 2000x1250 - Add store screenshots
Collaborator
|
This pull request has been automatically marked as stale because it did not have any recent activity. It will be closed if no further activity occurs in the next 7 days to keep our backlog clean 😊 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
Create multilinks using clipboard contents (up to 5 URLs at once), then turn the bundle into a QuickLink with 2 clicks.
Screencast
Checklist
npm run buildand tested this distribution build in Raycastassetsfolder are used by the extension itselfREADMEare placed outside of themetadatafolder