Finding · pi-coding-agent

OAuth browser launch URI validation and shell-safe spawning

What Changed

Hardened OAuth verification URI handling by adding URI parsing validation to reject non-HTTP(S) protocols before browser launch, and replaced shell exec() with process spawn() to prevent command injection from attacker-controlled URLs.

Operator Implication

Eliminates command injection risk in OAuth flows where malicious OAuth servers could inject shell commands like '$(id>/tmp/pwned)' via verification URIs. Uses process spawning without shell interpretation.

Receipt

Commit ba6e529 'fix(oauth): harden browser launch handling' validates verification URIs and uses spawn() instead of exec() to prevent shell metacharacter inject

Finding metadata

Confidence: high
Actionability: test
Accessibility impact: none

Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

Finding ID: 2026-06-02-pi-coding-agent-oauth-hardening

Accepted signals

OAuth browser-launch URI validation closes command-injection path · 2026-06-03

Profile citations

Pi Coding Agent · claim · security-hardening-cluster

Source links

Primary links, including exact changelog lines when available.

Pi Coding Agent
commitCommit ba6e529 'fix(oauth): harden browser launch handling' validates verification URIs and uses spawn() instead of exec() to prevent shell metacharacter injectiongithub.com/earendil-works/pi/commit/ba6e529

Versioned source: run artifact