Fix command injection vulnerability in Windows resource opener

Replaced `subprocess.call(['start', filename], shell=True)` with `os.startfile(filename)` to prevent OS command injection via user-supplied filenames on Windows.

Author: haseeb-heaven

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2024-06-08 - OS Command Injection in Windows Resource Opener
+**Vulnerability:** Command injection vulnerability via `subprocess.call(['start', filename], shell=True)` when handling file paths in Windows.
+**Learning:** Using `shell=True` with user-supplied or external inputs (even file paths) can lead to arbitrary command execution on Windows.
+**Prevention:** Use `os.startfile(filename)` instead of shelling out on Windows, which directly leverages the OS API without a command shell layer.

libs/utility_manager.py

@@ -43,7 +43,7 @@ def _open_resource_file(self, filename):
 		try:
 			if os.path.isfile(filename):
 				if platform.system() == "Windows":
-					subprocess.call(['start', filename], shell=True)
+					os.startfile(filename)
 				elif platform.system() == "Darwin":
 					subprocess.call(['open', filename])
 				elif platform.system() == "Linux":