Do not open external URLs from request data in Electron | Critiq Docs

#Metadata

Rule ID: ts.security.electron-shell-open-external-unvalidated
Severity: high
Confidence: 0.83
Languages: javascript, typescript
Presets: security, strict
Stability: stable
Applies to: block
Tags: electron, open-redirect, rules-catalog, security

#Why it matters

Open redirects and SSRF-style flows in the main process can pivot to arbitrary system browsers or handlers.

#Remediation

Allowlist URL schemes and hosts, normalize targets, and block private IP ranges before calling openExternal.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.electron-shell-open-external-unvalidated.rule.yaml.

Back to directory Open rule in repository