Fix command injection in UtilityManager._open_resource_file on Windows

Author: haseeb-heaven

.jules/sentinel.md

@@ -0,0 +1,5 @@
+
+## 2024-05-24 - Windows Shell Invocation Vulnerability
+**Vulnerability:** Invoking shell=True with subprocess on Windows to open files (e.g., `subprocess.call(['start', filename], shell=True)`) creates a command injection risk if `filename` contains unvalidated input.
+**Learning:** Windows platforms offer native `os.startfile()` which is immune to this specific shell injection attack vector.
+**Prevention:** Always prefer `os.startfile(filename)` over `subprocess.call(..., shell=True)` for opening files on Windows.

libs/utility_manager.py

@@ -43,7 +43,7 @@ def _open_resource_file(self, filename):
 		try:
 			if os.path.isfile(filename):
 				if platform.system() == "Windows":
-					subprocess.call(['start', filename], shell=True)
+					os.startfile(filename)
 				elif platform.system() == "Darwin":
 					subprocess.call(['open', filename])
 				elif platform.system() == "Linux":