From 03129989bae8aa7db596c276f06ee45a513ff4ef Mon Sep 17 00:00:00 2001
From: Lucy Gramley
Date: Wed, 20 May 2026 10:14:45 -0700
Subject: [PATCH] fix: validate homepage URL scheme before opening browser

OpenHomepage() passes registry-supplied homepage URLs directly to VsShellUtilities.OpenBrowser with no scheme validation, allowing UNC paths or protocol-handler URIs (e.g. \\\\attacker\\share) to trigger SMB hash leaks or arbitrary process launch. Add Uri.TryCreate + http/https scheme allow-list in both OpenHomepage() and AddHomepage() to block non-web URLs at display and click time.

Fixes ADO#2982591 (NTVS-002, CWE-749)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../Nodejs/NpmUI/NpmPackageInstallViewModel.cs | 11 ++++++++---
 Nodejs/Product/Nodejs/NpmUI/NpmWorker.cs | 7 ++++++-
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/Nodejs/Product/Nodejs/NpmUI/NpmPackageInstallViewModel.cs b/Nodejs/Product/Nodejs/NpmUI/NpmPackageInstallViewModel.cs
index 2312aa809..fa35f9812 100644
--- a/Nodejs/Product/Nodejs/NpmUI/NpmPackageInstallViewModel.cs
+++ b/Nodejs/Product/Nodejs/NpmUI/NpmPackageInstallViewModel.cs
@@ -333,13 +333,18 @@ internal void Install(PackageCatalogEntryViewModel package)
 }
 }
 
- internal bool CanOpenHomepage(string homepage) => !string.IsNullOrEmpty(homepage);
+ internal bool CanOpenHomepage(string homepage)
+ {
+ return Uri.TryCreate(homepage, UriKind.Absolute, out var uri)
+ && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
+ }
 
 internal void OpenHomepage(string homepage)
 {
- if (!string.IsNullOrEmpty(homepage))
+ if (Uri.TryCreate(homepage, UriKind.Absolute, out var uri)
+ && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps))
 {
- VsShellUtilities.OpenBrowser(homepage);
+ VsShellUtilities.OpenBrowser(uri.AbsoluteUri);
 }
 }
 
diff --git a/Nodejs/Product/Nodejs/NpmUI/NpmWorker.cs b/Nodejs/Product/Nodejs/NpmUI/NpmWorker.cs
index 65d3545da..8cabc4884 100644
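Review bot: The http/https allow-list is now written out three times — in the new `CanOpenHomepage` body, again in the `if` inside `OpenHomepage`, and a third time in the NpmWorker.cs hunk's `AddHomepage` — so the next scheme adjustment has to be made in three places and nothing explains why only web schemes are accepted. Fold the check into one `TryGetWebUri(string, out Uri)` helper that both view-model methods call (and that AddHomepage could share once it lives somewhere both files can reach), and put the rationale on the helper rather than on each call site. The rewritten view-model lines are below; the enclosing class continues outside the hunk, but both methods are shown in full.
```csharp
internal bool CanOpenHomepage(string homepage) => TryGetWebUri(homepage, out _);

internal void OpenHomepage(string homepage)
{
    if (TryGetWebUri(homepage, out var uri))
    {
        VsShellUtilities.OpenBrowser(uri.AbsoluteUri);
    }
}

// Only http/https homepages are handed to the browser; any other absolute
// scheme (file/UNC, custom protocol handlers) would be routed to the shell
// instead, which is what this guard exists to prevent (NTVS-002).
private static bool TryGetWebUri(string value, out Uri uri)
{
    return Uri.TryCreate(value, UriKind.Absolute, out uri)
        && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
}
```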
--- a/Nodejs/Product/Nodejs/NpmUI/NpmWorker.cs
+++ b/Nodejs/Product/Nodejs/NpmUI/NpmWorker.cs
@@ -380,7 +380,12 @@ private static void AddHomepage(NodeModuleBuilder builder, JToken links)
 var homepage = links?["homepage"];
 if (homepage != null)
 {
- builder.AddHomepage((string)homepage);
+ var url = (string)homepage;
+ if (Uri.TryCreate(url, UriKind.Absolute, out var uri)
+ && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps))
+ {
+ builder.AddHomepage(uri.AbsoluteUri);
+ }
 }
 }
 
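Review bot: The new inner `if` silently discards a homepage whose scheme is not http/https, and nothing in AddHomepage records that this is deliberate, so a later reader is likely to read a missing homepage as a parsing bug; add `// Only http/https homepages are kept: the value is later opened in the browser, so file/UNC and custom-scheme URIs are dropped here rather than stored.` above the `Uri.TryCreate` line. Separately, `var url = (string)homepage;` keeps the removed line's behaviour, but as far as I can tell from this hunk the cast will still throw when `links["homepage"]` is an object or array rather than a string, while the surrounding `homepage != null` check only rules out a missing key; a `homepage.Type == JTokenType.String` guard would make the null check match what the cast can accept. AddHomepage's signature is in the hunk header and the body shown here appears to be the whole method.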