🛡️ Sentinel: [CRITICAL] Fix command injection in Windows file launch

🚨 Severity: CRITICAL
💡 Vulnerability: Command injection via `subprocess.call` with `shell=True` and unsanitized filename when opening files on Windows.
🎯 Impact: An attacker who can control the filename could execute arbitrary shell commands.
🔧 Fix: Replaced `subprocess.call` with `os.startfile(filename)` to securely open files on Windows.
✅ Verification: Run the test suite and ensure no new regressions are found.

Author: haseeb-heaven

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2025-02-23 - Command Injection in Windows File Launch
+**Vulnerability:** Using `subprocess.call(['start', filename], shell=True)` for opening files on Windows creates a command injection risk if `filename` contains shell metacharacters.
+**Learning:** Passing a list to `subprocess.call` with `shell=True` does not safely quote arguments on Windows, allowing execution of arbitrary commands if the file path is malicious.
+**Prevention:** Use `os.startfile(filename)` on Windows to open files securely without invoking the command shell.

libs/utility_manager.py

@@ -43,7 +43,7 @@ def _open_resource_file(self, filename):
 		try:
 			if os.path.isfile(filename):
 				if platform.system() == "Windows":
-					subprocess.call(['start', filename], shell=True)
+					os.startfile(filename)
 				elif platform.system() == "Darwin":
 					subprocess.call(['open', filename])
 				elif platform.system() == "Linux":