Summary
thefuck.rules.yarn_help feeds the URL captured from Yarn output straight into thefuck.system.open_command, which simply concatenates the opener (xdg-open, or cmd /c start on Windows) with the raw string, without quoting or validation.
PoC
from thefuck.types import Command
from thefuck.rules import yarn_help

# Simulated Yarn output: the captured "URL" continues past the ';'
# separator, so whatever follows it is handed to the shell unquoted.
cmd = Command(
    'yarn help foo',
    'Visit https://example.com;touch${IFS}/tmp/poc_yarn for documentation about this command.'
)
print(yarn_help.get_new_command(cmd))
Expected Behavior
The returned command should only open the intended URL. Malformed or unsafe URLs must be rejected instead of executing arbitrary shell fragments.
Actual Behavior
The script prints xdg-open https://example.com;touch${IFS}/tmp/poc_yarn; when evaluated by the usual alias (eval "$(thefuck …)"), the payload runs.
Suggested Fix
- Change open_command to build an argument list or shell-escape the URL instead of raw string concatenation, and reject captured values that are not plain http(s) URLs.
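The fix sketched above, worked through as an added example rather than the project's own code: extract_url is an assumed stand-in for the rule's capture, the metacharacter check is an assumed policy layered on shlex.quote, and the Yarn output strings are constructed.

```python
import re
import shlex
from urllib.parse import urlsplit

# Constructed Yarn output mirroring the report's PoC (not real Yarn output).
POC_OUTPUT = ('Visit https://example.com;touch${IFS}/tmp/poc_yarn '
              'for documentation about this command.')
BENIGN_OUTPUT = 'Visit https://yarnpkg.com/en/docs/cli/add for documentation.'

# Stand-in for the rule's URL capture: the token after "Visit " (assumed).
URL_RE = re.compile(r'Visit (\S+)')

def extract_url(output):
    match = URL_RE.search(output)
    return match.group(1) if match else None

def open_command_unsafe(url):
    # Models the raw concatenation the report describes; for contrast only.
    return 'xdg-open ' + url

class UnsafeUrlError(ValueError):
    """Raised when a captured URL must not reach a shell."""

# Shell metacharacters rejected outright on top of quoting (assumed policy;
# '&' is allowed so query strings survive, shlex.quote still neutralises it).
_SHELL_META = re.compile(r'[;|`$<>(){}\s\\\'"]')

def open_command_safe(url, opener='xdg-open'):
    parts = urlsplit(url)
    if parts.scheme not in ('http', 'https') or not parts.netloc:
        raise UnsafeUrlError('not an http(s) URL: %r' % url)
    if _SHELL_META.search(url):
        raise UnsafeUrlError('shell metacharacters in URL: %r' % url)
    # shlex.quote is the real injection barrier: the string is single-quoted
    # so ';', '$' and friends stay literal when the alias later eval's it.
    return '%s %s' % (opener, shlex.quote(url))

def get_new_command_safe(output):
    """Hardened equivalent of the rule: None when nothing safe can be opened."""
    url = extract_url(output)
    if url is None:
        return None
    try:
        return open_command_safe(url)
    except UnsafeUrlError:
        return None
```

Running get_new_command_safe on the PoC output yields None, while the benign output still produces a plain xdg-open command.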