Fix command injection vulnerability in utility_manager.py

Replaced `subprocess.call(['start', filename], shell=True)` with `os.startfile(filename)` to prevent arbitrary command execution via maliciously crafted filenames on Windows.

Author: haseeb-heaven

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2024-05-31 - Safe File Opening on Windows
+**Vulnerability:** Command injection via `subprocess.call(['start', filename], shell=True)` when opening files on Windows.
+**Learning:** Using `shell=True` with list arguments can still lead to command injection on Windows because the shell evaluates metacharacters.
+**Prevention:** Use `os.startfile(filename)` on Windows, which natively handles file opening without invoking the command shell.

libs/utility_manager.py

@@ -43,7 +43,7 @@ def _open_resource_file(self, filename):
 		try:
 			if os.path.isfile(filename):
 				if platform.system() == "Windows":
-					subprocess.call(['start', filename], shell=True)
+					os.startfile(filename)
 				elif platform.system() == "Darwin":
 					subprocess.call(['open', filename])
 				elif platform.system() == "Linux":